[Samba] classic upgrade, splitting servers

L.P.H. van Belle belle at bazuin.nl
Wed May 24 07:11:02 UTC 2017


Hi Stefan,

A heads up and a few advised changes/tips for you.

smb.conf: 
realm = my.tld
Change to 
realm = MY.TLD

Try to set a REALM always in CAPS. Some programs rely on that (for example, MIT Kerberos expects the realm in CAPS).
So prepare for 4.7 now already to save problems in the future.


These shares. 
> [netlogon]
> path = /var/lib/samba/sysvol/my.tld/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = Yes # just a try ...

Or any "Windows only" share, like profiles.
I have the best results if acl_xattr:ignore system acls = Yes is set.
The only thing is, after setting it and restarting Samba, you must set the share and security settings again.
But now, include user SYSTEM on the shares: sysvol, profiles and optionally users_home.


About the sysvol:
If I run: samba-tool gpo aclcheck, I get:

ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]

Or:
samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /home/samba/sysvol/rotterdam.bazuin.nl/Policies/{ABF652FU-CA18-4693-BD18-6B4FC8A0513A} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))


These are known, just ignore it, do not run the checks again.

Check if you have the following on the security tab:
Verified Users, read and exec
System, full control
Server Operators, read and exec
NTDOM\Administrators, full control

On the share tab, if you have access denied on group policies, add user SYSTEM to the share rights on sysvol.

On the ..
>> I can't logon to the PC still with some users - that error with the user login service, maybe related to some serverbased profile setting somewhere (?)
Start with logging in as NTDOM\Administrator into the domain with a domain-joined PC.
Go to the domain policy and set up
https://technet.microsoft.com/en-us/library/gg486839.aspx
and set the "Always wait for the network at computer startup and logon" policy setting.
Reboot the PC 2 times. The first time it's applied, the second time it should be working.

And before the reboots, start with cleaning up the Windows event logs.

Start from here, see what happens and post again if you have questions.

Greetz, 

Louis
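As an added example (not code from this thread, and not Samba's own sysvolcheck implementation): the error above prints two long SDDL strings, the ACL found on the sysvol directory and the one expected from the GPO object, and the reader has to spot the difference by eye. The small parser below splits an SDDL string into owner, group, DACL flags and ACEs and reports exactly what differs. Fed the two strings from the sysvolcheck output quoted above (copied from the thread; in SDDL, LA is the built-in Administrator account and DA is Domain Admins), it shows that only the owner differs: the filesystem says LA where the GPO object says DA. The alias and access-mask tables are only there to make the report readable.

```python
"""Compare the two SDDL strings printed by `samba-tool ntacl sysvolcheck`.

Added example; not part of the mailing-list thread or of Samba.
"""
import re

# Well-known SID aliases that appear in Samba's sysvol ACLs.
WELL_KNOWN = {
    "LA": "built-in Administrator account", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "SYSTEM",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}
# The two access masks seen in the sysvolcheck output.
MASK_NAMES = {0x001f01ff: "Full control", 0x001200a9: "Read & execute"}

SDDL_RE = re.compile(r"^O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")

# Both strings are taken from the sysvolcheck error quoted in the thread.
FS_ACL = ("O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_ACL = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")


def parse_sddl(sddl):
    """Split an O:..G:..D:.. SDDL string into owner, group, DACL flags and ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL (expected O:...G:...D:...): %r" % sddl)
    dacl = m.group("dacl")
    first_ace = dacl.find("(")
    dacl_flags = dacl if first_ace < 0 else dacl[:first_ace]   # e.g. "PAR" or "P"
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, ace_flags, mask, _obj, _inherit_obj, trustee = fields
        aces.append({"type": ace_type, "flags": ace_flags,
                     "mask": int(mask, 16), "trustee": trustee})
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": dacl_flags, "aces": aces}


def _ace_key(ace):
    return (ace["type"], ace["flags"], ace["mask"], ace["trustee"])


def diff_sddl(actual, expected):
    """Return a list of (what, actual_value, expected_value) differences."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for key in ("owner", "group", "dacl_flags"):
        if a[key] != e[key]:
            diffs.append((key, a[key], e[key]))
    actual_aces = [_ace_key(x) for x in a["aces"]]
    expected_aces = [_ace_key(x) for x in e["aces"]]
    for ace in expected_aces:
        if ace not in actual_aces:
            diffs.append(("missing_ace", None, ace))
    for ace in actual_aces:
        if ace not in expected_aces:
            diffs.append(("extra_ace", ace, None))
    return diffs


def describe(diffs):
    """Render the differences with the aliases and masks spelled out."""
    def name(sid):
        return "%s (%s)" % (sid, WELL_KNOWN.get(sid, "unknown SID"))

    def ace_text(ace):
        ace_type, flags, mask, trustee = ace
        return "%s;%s;%s;%s" % (ace_type, flags,
                                MASK_NAMES.get(mask, hex(mask)), name(trustee))

    lines = []
    for what, actual, expected in diffs:
        if what in ("owner", "group"):
            lines.append("%s: filesystem has %s, GPO object expects %s"
                         % (what, name(actual), name(expected)))
        elif what == "dacl_flags":
            lines.append("DACL flags: filesystem %r, expected %r" % (actual, expected))
        elif what == "missing_ace":
            lines.append("ACE missing on filesystem: %s" % ace_text(expected))
        else:
            lines.append("extra ACE on filesystem: %s" % ace_text(actual))
    return lines or ["ACLs match"]


if __name__ == "__main__":
    for line in describe(diff_sddl(FS_ACL, EXPECTED_ACL)):
        print(line)
```

Run as a script it prints one line, "owner: filesystem has LA (built-in Administrator account), GPO object expects DA (Domain Admins)", which is the whole content of the long error message above. ACEs are compared as sets here; Windows evaluates a DACL in order, so a reordered but otherwise identical ACL is reported as matching by this script even though sysvolcheck compares the raw strings.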





> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Tuesday 23 May 2017 20:34
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] classic upgrade, splitting servers
> 
> On 2017-05-23 at 20:28, Rowland Penny wrote:
> 
> > That one, what version of windows are you using, 8.8, 8.1 or 10 ?
> > If you have a win 7 machine, try it from that.
> 
> I have a win10 machine here for tests. They only run 10 
> anymore ... I would have to dig for a legacy system at their 
> site next week or so.
> 
> >>> In which case, what happened to 'netbios name =' ?
> >>
> >> good question. maybe obsolete as it is the default?
> >>
> > 
> > It may be the default, but I have never seen a DC smb.conf 
> without it.
> 
> 
> here the file:
> 
> 
> # cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = BUERO
> realm = my.tld
> netbios name = DC
> server role = active directory domain controller 
> idmap_ldb:use rfc2307 = yes
> load printers = No
> printcap name = /dev/null
> 
> [netlogon]
> path = /var/lib/samba/sysvol/my.tld/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = Yes # just a try ...
> 
> ---
> 
> I can't logon to the PC still with some users - that error 
> with the user login service, maybe related to some 
> serverbased profile setting somewhere (?)
> 
> --- the GPO error:
> 
> 
> root at dc:/var/lib/samba/sysvol/my.tld/Policies# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/my.tld/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
> 
> --- thanks so far, I get out of office now for some time .. late here
> 