[Samba] GPOs not Working!

Micha Ballmann ballmann at uni-landau.de
Wed Feb 7 10:44:43 UTC 2018 

Before i do that,

i dont understand why i have to do this!

I m just testing straight forward.

Now i have 3 GPOs

  * Default Domain Policy
      o (no configurations)
  * test1
      o User Configuration: Mount Share and Create Desktop Icon;
        /Security Filter/: Authenticated Users ---> THIS GPO IS WORKING!
  * test2
      o Computer Configuration: Interactive logon: Do not require CTRL +
        ALT + DEL and Interactive login: Do not display last user name;
        /Security Filter/: Authenticated Users, Domain Computers --->
        THIS GPO IS *NOT *WORKING! (Also tried Security Filter:
        Authenticated Users ONLY)

The ACLs of my policies:

Default Domain Policy (test1 and test2 are the same)

# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000004
# group: 3000004
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000004:rwx
group:3000007:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000004:rwx
default:user:3000007:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000004:rwx
default:group:3000007:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

It looks like, User Configurations are working and*Computer 
Configurations won't do*!

Thy very much for help.

PS:I do not know if it helps. On a Windows Server 2016 and 2012 I 
configured the same GPOs above described. On WS all works fine.

Am 07.02.2018 um 10:01 schrieb L.P.H. van Belle via samba:
> Hai,
>
> Ok, for the sysvol.
> I'll put all steps here again.
>
> I suggest start with this one.
> wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> This checks and set the rights to be known to be right. ( aka works great for me ) ;-)
>
> Then follow these steps.
>
> - login as dom\administrator.
> - start computer manager, connect to dc.
> - klik Shared Folders, Shares, sysvol.
>    Option 1, this is the default. Everyone with Full control, Change and Read.
>    Option 2, Everyone: Read.
> 		Verified users:  Full, Change, Read.
> 		SYSTEM Full, Change, Read.
> 		DOMAIN\Adminstrators ( or DOMAIN\Domain Admins ) Full, change read.
>
> The result of both settings are ( share wize)  the same.
> Except in option2, you must be verified before you can write anywere.
>
> - Tab Security.
> 		Verified users:  Read+exec, Show folder content, Read.
> 		SYSTEM: full ( everything on )
> 		DOMAIN\Adminstrators: ( or DOMAIN\Domain Admins ) full ( everything on
> 		DOMAIN\Serer operators: Read+exec, Show folder content, Read.
> Once this is set, klik advanced, klik change below.
> Check, replace all underlying and replace..
>
> ! Note, always this order, first share security then folder security.
> That helps preventing making error or resetting rights.
>
> - Do the same for Netlogon. Same settings as sysvol, since its a sub folder of sysvol.
>
>
> - These steps are imo only done once, ( ! Or if you get errors again due to a reset or change in windows clients )
> Now first goto the GroupPolicyObjects, ( not the linked once's )
> Klik on every GPO object there, if you get any message, press ok, then its reset.
>
> Now, you need to check the GPO Objects that are assigned/linked to OU and/or groups.
>
> Just start in the top, and klik every object.
> All my "normal" GPO Objects only have Authenticated Users.
> My "special" GPO Object have different settings.
>
> For example, i've disabled all USB/Mobile/CD access on the pc's by GPO's
> A user policy set in the Standard User. I've created 2 groups, per type.
> For example.
> USB-Read, if i look here you see only USB-Allow-Read group. Now klik the Delegation Tab.
> That shows me:
> Authenticated User Ready (by security filter)
> DOM\Domain Admins
> DOM\Enterprise Admins
> Server logon
> SYSTEM
>
> What you dont see is the underlying ACL, klik  Advanced.
> Here you see, ... The "Reset to default" button.
> Reset it.
>
> Now remember here, after doing this, no samba-tool sysvolreset..
> If you do, repeat the above again. Everything!
>
> User GPO's, only a group with the user is fine, and needs "apply GPO"
> A computer GPO, needs Domain computers with apply GPO AND the users group.
>
>
> I've setup all "problem" shares, due to user NT Authority\SYSTEM problems.
> Google for it, you see lots of it in the samba list.
> My shares layout that used it. ( on mulple servers )
> DC: Sysvol and Netlogon
> Members: users and profiles
> Print server: print$ and printers
>
> So in short, all shares were the "computer$" my access as user system or things like that.
>
> If you see errors on a computer in the eventlogs with:
> Computer$ can access .... Bla bla....   On GPO.ini.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This if often a forgoten "DOM\Domain Computers" in the GPO object with read and/or writes rights missing.
> People test this and the computer$ can access the GPO.ini without problems, so why the event log.
> Because of "SYSTEM" or an other user that is haveing user/group/SID problems with linux acls.
>
> I hope i explained good enough why i use and set ignore systemacl.
>
>
> Greetz,
>
> Louis
>
>
>
>
>
>
>
>
> 	
>
>
> 	
>
>
>
>
> 	
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Robert Marcano via samba
>> Verzonden: woensdag 7 februari 2018 3:19
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] GPOs not Working!
>>
>> On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote:
>>> ok,
>>>
>>> do the following.
>>> set ignore systemacl to yes on sysvol and netlogon.
>> Added "acl_xattr:ignore system acls = yes" to both shares,
>> restarted the
>> server
>>
>>> login as dom\administrator
>>> computer manager, connect to dc.
>>> share sysvol, goto share security, reset to defalts.
>>> same for folder.
>> I don't get the "Reset to defaults" option. There are two security
>> related tabs, "Permission of shared resources" (or something
>> like that,
>> Windows is not in English) with only permissions for Everyone
>> with Full
>> control, Change and Read.
>>
>> The other tab is the standard "Security" tab, those tabs
>> don't show any
>> reset to default option
>>
>>> goto gpo manager,
>>> klik on every gpo object, if one has wrong acl, you get a
>> message to reset it, thats ok.
>>> now never samba-tool sysvol reset
>>> if you do, you might need to set share/file security again.
>>>
>>> Greetz
>>> Louis
>>>
>>> p.s rowland, now you can change the default gpo’s also.
>>>
>>>
>>>
>>>> Op 6 feb. 2018 om 20:14 heeft Rowland Penny via samba
>> <samba at lists.samba.org> het volgende geschreven:
>>>> On Tue, 6 Feb 2018 15:03:16 -0400
>>>> Robert Marcano via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Thanks for the information, to use a default GPO was a
>> simple way to
>>>>> try to encourage someone to reproduce the problem.
>>>>>
>>>>> I already created new GPOs (this is a test domain) Using
>> the default
>>>>> filter for a new GPO, "Authenticated users", creating a
>> new group for
>>>>> the test clients and using that as the filter, checking
>> it have the
>>>>> right permissions (apply), checking every guide about
>> applying GPO to
>>>>> computers. Using OUs and using domain level GPOs.
>>>>>
>>>>> What I find weird is that gpresult doesn't list the computer as a
>>>>> member of groups I create, only a few predefined ones:
>>>>>
>>>>>     NULL SID
>>>>>     NT AUTHORITY\NETWORK,
>>>>>     This company,
>>>>>     and something like "mandatory level of no trust"
>> (Windows is not in
>>>>> english)
>>>>>
>>>> Do not alter the two default GPOs, it doesn't work ;-)
>>>>
>>>> Creating new GPOs should work, just do not run sysvolreset after
>>>> creating them.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>

More information about the samba mailing list