[Samba] GPOs not Working!

L.P.H. van Belle belle at bazuin.nl
Wed Feb 7 11:06:09 UTC 2018 

hai Micha, 
 
The why is explained here. 
https://wiki.samba.org/index.php/The_SYSTEM_Account 
Which in the end has todo with SID_BOTH, one sid for a user and group, linux does not understand that correctly. 
 

with : acl_xattr:ignore system acls = [yes|no]
When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module. The default is no, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs. 
This is better if you need your system ACLs be set for local or NFS file access, too. 
If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility.
 
And also see. 
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
 
And if i missed something guys, please add it ;-) 
 
Greetz, 
 
Louis
 
 

Van: Micha Ballmann [mailto:ballmann at uni-landau.de] 
Verzonden: woensdag 7 februari 2018 11:45
Aan: L.P.H. van Belle; samba at lists.samba.org
Onderwerp: Re: [Samba] GPOs not Working!




Before i do that,

i dont understand why i have to do this!

I m just testing straight forward.

Now i have 3 GPOs
*	Default Domain Policy 
	*	(no configurations)
*	test1 
	*	User Configuration: Mount Share and Create Desktop Icon; Security Filter: Authenticated Users ---> THIS GPO IS WORKING!
*	test2 
	*	Computer Configuration: Interactive logon: Do not require CTRL + ALT + DEL and Interactive login: Do not display last user name; Security Filter: Authenticated Users, Domain Computers ---> THIS GPO IS NOT WORKING! (Also tried Security Filter: Authenticated Users ONLY) The ACLs of my policies:

Default Domain Policy (test1 and test2 are the same)

# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000004
# group: 3000004
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000004:rwx
group:3000007:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000004:rwx
default:user:3000007:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000004:rwx
default:group:3000007:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

It looks like, User Configurations are working and Computer Configurations won't do!

Thy very much for help.

PS: I do not know if it helps. On a Windows Server 2016 and 2012 I configured the same GPOs above described. On WS all works fine.

Am 07.02.2018 um 10:01 schrieb L.P.H. van Belle via samba:


Hai, Ok, for the sysvol. I'll put all steps here again. I suggest start with this one. wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh This checks and set the rights to be known to be right. ( aka works great for me ) ;-) Then follow these steps. - login as dom\administrator. - start computer manager, connect to dc. - klik Shared Folders, Shares, sysvol. Option 1, this is the default. Everyone with Full control, Change and Read. Option 2, Everyone: Read. Verified users: Full, Change, Read. SYSTEM Full, Change, Read. DOMAIN\Adminstrators ( or DOMAIN\Domain Admins ) Full, change read. The result of both settings are ( share wize) the same. Except in option2, you must be verified before you can write anywere. - Tab Security. Verified users: Read+exec, Show folder content, Read. SYSTEM: full ( everything on ) DOMAIN\Adminstrators: ( or DOMAIN\Domain Admins ) full ( everything on DOMAIN\Serer operators: Read+exec, Show folder content, Read. Once this is set, klik advanced, klik change below. Check, replace all underlying and replace.. ! Note, always this order, first share security then folder security. That helps preventing making error or resetting rights. - Do the same for Netlogon. Same settings as sysvol, since its a sub folder of sysvol. - These steps are imo only done once, ( ! Or if you get errors again due to a reset or change in windows clients ) Now first goto the GroupPolicyObjects, ( not the linked once's ) Klik on every GPO object there, if you get any message, press ok, then its reset. Now, you need to check the GPO Objects that are assigned/linked to OU and/or groups. Just start in the top, and klik every object. All my "normal" GPO Objects only have Authenticated Users. My "special" GPO Object have different settings. For example, i've disabled all USB/Mobile/CD access on the pc's by GPO's A user policy set in the Standard User. I've created 2 groups, per type. For example. USB-Read, if i look here you see only USB-Allow-Read group. Now klik the Delegation Tab. That shows me: Authenticated User Ready (by security filter) DOM\Domain Admins DOM\Enterprise Admins Server logon SYSTEM What you dont see is the underlying ACL, klik Advanced. Here you see, ... The "Reset to default" button. Reset it. Now remember here, after doing this, no samba-tool sysvolreset.. If you do, repeat the above again. Everything! User GPO's, only a group with the user is fine, and needs "apply GPO" A computer GPO, needs Domain computers with apply GPO AND the users group. I've setup all "problem" shares, due to user NT Authority\SYSTEM problems. Google for it, you see lots of it in the samba list. My shares layout that used it. ( on mulple servers ) DC: Sysvol and Netlogon Members: users and profiles Print server: print$ and printers So in short, all shares were the "computer$" my access as user system or things like that. If you see errors on a computer in the eventlogs with: Computer$ can access .... Bla bla.... On GPO.ini. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This if often a forgoten "DOM\Domain Computers" in the GPO object with read and/or writes rights missing. People test this and the computer$ can access the GPO.ini without problems, so why the event log. Because of "SYSTEM" or an other user that is haveing user/group/SID problems with linux acls. I hope i explained good enough why i use and set ignore systemacl. Greetz, Louis 

-----Oorspronkelijk bericht----- Van: samba [mailto:samba-bounces at lists.samba.org] Namens Robert Marcano via samba Verzonden: woensdag 7 februari 2018 3:19 Aan: samba at lists.samba.org Onderwerp: Re: [Samba] GPOs not Working! On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote: 

ok, do the following. set ignore systemacl to yes on sysvol and netlogon. 

Added "acl_xattr:ignore system acls = yes" to both shares, restarted the server 

login as dom\administrator computer manager, connect to dc. share sysvol, goto share security, reset to defalts. same for folder. 

I don't get the "Reset to defaults" option. There are two security related tabs, "Permission of shared resources" (or something like that, Windows is not in English) with only permissions for Everyone with Full control, Change and Read. The other tab is the standard "Security" tab, those tabs don't show any reset to default option 

goto gpo manager, klik on every gpo object, if one has wrong acl, you get a 

message to reset it, thats ok. 

now never samba-tool sysvol reset if you do, you might need to set share/file security again. Greetz Louis p.s rowland, now you can change the default gpo’s also. 

Op 6 feb. 2018 om 20:14 heeft Rowland Penny via samba 

<samba at lists.samba.org> het volgende geschreven: 

On Tue, 6 Feb 2018 15:03:16 -0400 Robert Marcano via samba <samba at lists.samba.org> wrote: 

Thanks for the information, to use a default GPO was a 

simple way to 

try to encourage someone to reproduce the problem. I already created new GPOs (this is a test domain) Using 

the default 

filter for a new GPO, "Authenticated users", creating a 

new group for 

the test clients and using that as the filter, checking 

it have the 

right permissions (apply), checking every guide about 

applying GPO to 

computers. Using OUs and using domain level GPOs. What I find weird is that gpresult doesn't list the computer as a member of groups I create, only a few predefined ones: NULL SID NT AUTHORITY\NETWORK, This company, and something like "mandatory level of no trust" 

(Windows is not in 

english) 

Do not alter the two default GPOs, it doesn't work ;-) Creating new GPOs should work, just do not run sysvolreset after creating them. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba 



-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list