[Samba] GPOs not Working!
L.P.H. van Belle
belle at bazuin.nl
Wed Feb 7 13:42:48 UTC 2018
Hi,
I also found some extra guidance for you to review.
http://techgenix.com/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1/
http://techgenix.com/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2/
http://techgenix.com/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part3
For you, look at Part 2, point 7.
Authenticated Users should work; if not, try the same with "Domain Computers".
! Keep Authenticated Users, give Domain Computers Read.
Authenticated Users should have Read/Apply.
Reboot the PC and try again.
Greetz,
Louis
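Louis's advice (keep Authenticated Users on the GPO and give Domain Computers Read, which is the point of the MS16-072 / KB3163622 article linked further down the thread) can be checked on the Samba side from the NT ACL of the policy folder, as printed by `samba-tool ntacl get <gpo dir> --as-sddl`. The following is an added example, not code from the thread and not Samba's own: it parses such an SDDL string and reports whether Authenticated Users or Domain Computers can read the GPO folder, which is what the computer account needs after MS16-072. The domain SID, the RID 1105 user group and the three SDDL strings are constructed for the example; their ACE layout is modelled on what a Samba DC writes for GPO folders, but the ACL on a real DC may differ.

```python
import re

# Well-known SID abbreviations used in SDDL (the subset seen on GPO folders).
SDDL_SID_ALIASES = {
    "AU": "S-1-5-11",      # Authenticated Users
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "ED": "S-1-5-9",       # ENTERPRISE DOMAIN CONTROLLERS
    "CO": "S-1-3-0",       # CREATOR OWNER
    "WD": "S-1-1-0",       # Everyone
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
}
# Domain-relative aliases resolve to <domain SID>-<RID>.
SDDL_DOMAIN_RIDS = {"DA": 512, "DU": 513, "DC": 515, "DD": 516, "EA": 519}
DOMAIN_COMPUTERS_RID = 515

# Two-letter access-right codes; hex masks (0x001200a9) are accepted as well.
SDDL_RIGHT_CODES = {
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}
FILE_READ_DATA = 0x00000001
# Any of these bits lets the principal read gpt.ini and the policy files.
READ_BITS = FILE_READ_DATA | SDDL_RIGHT_CODES["GR"] | SDDL_RIGHT_CODES["GA"]


def _sid(field, domain_sid):
    """Expand an SDDL SID field (alias or literal S-1-...) to a full SID string."""
    if field.startswith("S-"):
        return field
    if field in SDDL_SID_ALIASES:
        return SDDL_SID_ALIASES[field]
    if field in SDDL_DOMAIN_RIDS:
        return f"{domain_sid}-{SDDL_DOMAIN_RIDS[field]}"
    raise ValueError(f"unknown SID alias {field!r}")


def _rights(field):
    """Turn an SDDL rights field into an access mask."""
    if field.startswith("0x"):
        return int(field, 16)
    return sum(SDDL_RIGHT_CODES[field[i:i + 2]] for i in range(0, len(field), 2))


def parse_dacl(sddl, domain_sid):
    """Return the DACL ACEs as dicts with type ('A' allow / 'D' deny), rights mask and SID."""
    m = re.search(r"D:([^(]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL with ACEs found in SDDL")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inherit_obj, sid = ace.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags,
                     "rights": _rights(rights), "sid": _sid(sid, domain_sid)})
    return aces


def grants_read(mask):
    return bool(mask & READ_BITS)


def gpo_acl_report(sddl, domain_sid):
    """Report whether the principals a computer runs GPO processing as can read the folder."""
    aces = parse_dacl(sddl, domain_sid)

    def can_read(sid):
        denied = any(a["type"] == "D" and a["sid"] == sid and grants_read(a["rights"]) for a in aces)
        granted = any(a["type"] == "A" and a["sid"] == sid and grants_read(a["rights"]) for a in aces)
        return granted and not denied

    au_ok = can_read(SDDL_SID_ALIASES["AU"])
    dc_ok = can_read(f"{domain_sid}-{DOMAIN_COMPUTERS_RID}")
    return {
        "authenticated_users_read": au_ok,
        "domain_computers_read": dc_ok,
        "computer_can_read": au_ok or dc_ok,
        "deny_aces": [a["sid"] for a in aces if a["type"] == "D"],
    }


# Constructed sample data (not from the thread): a made-up domain SID and three ACLs.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# Shape of a freshly provisioned GPO folder: admins, SYSTEM, DCs and Authenticated Users.
GPO_ACL_DEFAULT = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                   "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
                   "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
# The classic mistake: Authenticated Users replaced by a user group (RID 1105, constructed),
# so computer$ can no longer read gpt.ini.
GPO_ACL_FILTERED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                    f"(A;OICI;0x001200a9;;;{DOMAIN_SID}-1105)(A;OICI;0x001200a9;;;ED)")
# Louis's fix: keep the filter group and add Domain Computers with Read.
GPO_ACL_FIXED = GPO_ACL_FILTERED + "(A;OICI;0x001200a9;;;DC)"

if __name__ == "__main__":
    for name, acl in (("default", GPO_ACL_DEFAULT), ("filtered", GPO_ACL_FILTERED), ("fixed", GPO_ACL_FIXED)):
        print(name, gpo_acl_report(acl, DOMAIN_SID))
```

Feed it the output of `samba-tool ntacl get /var/lib/samba/sysvol/<realm>/Policies/{GUID} --as-sddl` for a policy that is not applying; `computer_can_read` false, or a deny ACE on a computer group, is the ACL-side counterpart of the "computer$ cannot access gpt.ini" events Louis describes, and is fixed by adding Domain Computers with Read rather than by removing the security filter.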
> -----Original message-----
> From: Micha Ballmann [mailto:ballmann at uni-landau.de]
> Sent: Wednesday 7 February 2018 13:42
> To: L.P.H. van Belle
> Subject: Re: [Samba] GPOs not Working!
>
> Thanks for your help.
>
> I followed all steps you describe. But I'm not able to set a GPO with
> "computer configurations". I don't know what happened.
>
> Maybe you have a last idea :).
>
> Best regards
>
> Micha
>
>
> On 07.02.2018 at 12:06, L.P.H. van Belle via samba wrote:
> > Hi Micha,
> >
> > The why is explained here.
> > https://wiki.samba.org/index.php/The_SYSTEM_Account
> > Which in the end has to do with SID_BOTH, one SID for a user and group; Linux does not understand that correctly.
> >
> >
> > with: acl_xattr:ignore system acls = [yes|no]
> > When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module. The default is no, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs.
> > This is better if you need your system ACLs be set for local or NFS file access, too.
> > If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility.
> >
> > And also see.
> >
> > https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
> >
> > And if i missed something guys, please add it ;-)
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> > From: Micha Ballmann [mailto:ballmann at uni-landau.de]
> > Sent: Wednesday 7 February 2018 11:45
> > To: L.P.H. van Belle; samba at lists.samba.org
> > Subject: Re: [Samba] GPOs not Working!
> >
> >
> >
> >
> > Before I do that,
> >
> > I don't understand why I have to do this!
> >
> > I'm just testing straightforward.
> >
> > Now I have 3 GPOs
> > * Default Domain Policy
> >   * (no configurations)
> > * test1
> >   * User Configuration: Mount Share and Create Desktop Icon; Security Filter: Authenticated Users ---> THIS GPO IS WORKING!
> > * test2
> >   * Computer Configuration: Interactive logon: Do not require CTRL + ALT + DEL and Interactive logon: Do not display last user name; Security Filter: Authenticated Users, Domain Computers ---> THIS GPO IS NOT WORKING! (Also tried Security Filter: Authenticated Users ONLY)
> >
> > The ACLs of my policies:
> >
> > Default Domain Policy (test1 and test2 are the same)
> >
> > # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
> > # owner: 3000004
> > # group: 3000004
> > user::rwx
> > user:3000002:rwx
> > user:3000003:r-x
> > user:3000007:rwx
> > user:3000010:r-x
> > group::rwx
> > group:3000002:rwx
> > group:3000003:r-x
> > group:3000004:rwx
> > group:3000007:rwx
> > group:3000010:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:user:3000004:rwx
> > default:user:3000007:rwx
> > default:user:3000010:r-x
> > default:group::---
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:group:3000004:rwx
> > default:group:3000007:rwx
> > default:group:3000010:r-x
> > default:mask::rwx
> > default:other::---
> >
> > It looks like User Configurations are working and Computer Configurations won't.
> >
> > Thanks very much for the help.
> >
> > PS: I do not know if it helps. On a Windows Server 2016 and 2012 I configured the same GPOs described above. On WS all works fine.
> >
> > On 07.02.2018 at 10:01, L.P.H. van Belle via samba wrote:
> >
> >
> > Hi,
> >
> > OK, for the sysvol. I'll put all steps here again. I suggest start with this one.
> > wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> > This checks and sets the rights to be known to be right. ( aka works great for me ) ;-)
> >
> > Then follow these steps.
> > - login as dom\administrator.
> > - start computer manager, connect to dc.
> > - click Shared Folders, Shares, sysvol.
> >   Option 1, this is the default.
> >   Everyone with Full control, Change and Read.
> >   Option 2,
> >   Everyone: Read.
> >   Verified users: Full, Change, Read.
> >   SYSTEM: Full, Change, Read.
> >   DOMAIN\Administrators ( or DOMAIN\Domain Admins ): Full, Change, Read.
> >   The result of both settings is ( share-wise ) the same. Except in option 2, you must be verified before you can write anywhere.
> > - Tab Security.
> >   Verified users: Read+exec, Show folder content, Read.
> >   SYSTEM: full ( everything on )
> >   DOMAIN\Administrators ( or DOMAIN\Domain Admins ): full ( everything on )
> >   DOMAIN\Server operators: Read+exec, Show folder content, Read.
> >   Once this is set, click advanced, click change below. Check, replace all underlying and replace..
> >   ! Note, always this order, first share security then folder security. That helps prevent making errors or resetting rights.
> > - Do the same for Netlogon. Same settings as sysvol, since it's a sub folder of sysvol.
> > - These steps are imo only done once, ( ! Or if you get errors again due to a reset or change in windows clients )
> >
> > Now first go to the GroupPolicyObjects, ( not the linked ones )
> > Click on every GPO object there, if you get any message, press ok, then it's reset.
> > Now, you need to check the GPO Objects that are assigned/linked to OU and/or groups.
> > Just start at the top, and click every object.
> > All my "normal" GPO Objects only have Authenticated Users.
> > My "special" GPO Objects have different settings.
> > For example, I've disabled all USB/Mobile/CD access on the pc's by GPO's. A user policy set in the Standard User.
> > I've created 2 groups, per type. For example USB-Read; if I look here you see only the USB-Allow-Read group.
> > Now click the Delegation Tab. That shows me:
> >   Authenticated Users: Read (by security filter)
> >   DOM\Domain Admins
> >   DOM\Enterprise Admins
> >   Server logon
> >   SYSTEM
> > What you don't see is the underlying ACL, click Advanced.
> > Here you see, ... The "Reset to default" button. Reset it.
> > Now remember here, after doing this, no samba-tool sysvolreset.. If you do, repeat the above again. Everything!
> >
> > User GPO's: only a group with the user is fine, and needs "apply GPO".
> > A computer GPO needs Domain Computers with apply GPO AND the users group.
> >
> > I've set up all "problem" shares this way, due to user NT Authority\SYSTEM problems. Google for it, you see lots of it in the samba list.
> > My shares layout that used it ( on multiple servers ):
> >   DC: Sysvol and Netlogon
> >   Members: users and profiles
> >   Print server: print$ and printers
> > So in short, all shares where the "computer$" may access as user system or things like that.
> > If you see errors on a computer in the eventlogs with: Computer$ can access .... Bla bla.... On GPO.ini.
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > This is often a forgotten "DOM\Domain Computers" in the GPO object with read and/or write rights missing.
> > People test this and the computer$ can access the GPO.ini without problems, so why the event log?
> > Because of "SYSTEM" or another user that is having user/group/SID problems with linux acls.
> > I hope I explained well enough why I use and set ignore system acls.
> >
> > Greetz, Louis
> >
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Robert Marcano via samba
> > Sent: Wednesday 7 February 2018 3:19
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] GPOs not Working!
> >
> > On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote:
> >
> > ok, do the following. set ignore systemacl to yes on sysvol and netlogon.
> >
> > Added "acl_xattr:ignore system acls = yes" to both shares, restarted the server
> >
> > login as dom\administrator, computer manager, connect to dc. share sysvol, go to share security, reset to defaults. same for folder.
> >
> > I don't get the "Reset to defaults" option. There are two security related tabs, "Permission of shared resources" (or something like that, Windows is not in English) with only permissions for Everyone with Full control, Change and Read. The other tab is the standard "Security" tab; those tabs don't show any reset to default option.
> >
> > go to gpo manager, click on every gpo object, if one has a wrong acl, you get a message to reset it, that's ok.
> >
> > now never samba-tool sysvol reset; if you do, you might need to set share/file security again.
> > Greetz Louis
> > p.s. rowland, now you can change the default gpo's also.
> >
> > On 6 Feb 2018 at 20:14, Rowland Penny via samba <samba at lists.samba.org> wrote the following:
> >
> > On Tue, 6 Feb 2018 15:03:16 -0400 Robert Marcano via samba <samba at lists.samba.org> wrote:
> >
> > Thanks for the information, to use a default GPO was a simple way to try to encourage someone to reproduce the problem. I already created new GPOs (this is a test domain) using the default filter for a new GPO, "Authenticated users", creating a new group for the test clients and using that as the filter, checking it has the right permissions (apply), checking every guide about applying GPO to computers, using OUs and using domain level GPOs. What I find weird is that gpresult doesn't list the computer as a member of groups I create, only a few predefined ones: NULL SID, NT AUTHORITY\NETWORK, This company, and something like "mandatory level of no trust" (Windows is not in English)
> >
> > Do not alter the two default GPOs, it doesn't work ;-)
> > Creating new GPOs should work, just do not run sysvolreset after creating them.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the instructions:
> > https://lists.samba.org/mailman/options/samba
> >
> >
> >
> >
> >
> >
>
>
>
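Micha's getfacl dump quoted above shows every Samba-mapped id twice, once as a user: entry and once as a group: entry, which is the SID_BOTH mapping Louis refers to (one SID mapped to both a uid and a gid). Below is an added example, not code from the thread and not Samba's own, that parses a getfacl dump, applies the ACL mask the way the kernel does, lists the ids that appear as both user and group, and reports which of a given set of xids would end up without read access on the policy folder. The dump embedded in the block is the one Micha posted; the xid 3000099 used in the lookup is constructed and stands for an id that is absent from the ACL.

```python
from collections import defaultdict

# The getfacl output Micha posted for the Default Domain Policy folder
# (quote prefixes stripped). The numeric qualifiers are Samba idmap xids.
GETFACL_DUMP = """\
# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000004
# group: 3000004
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000004:rwx
group:3000007:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000004:rwx
default:user:3000007:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000004:rwx
default:group:3000007:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---
"""


def parse_getfacl(text):
    """Split a getfacl dump into (access, default) lists of (tag, qualifier, perms)."""
    access, default = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        (default if is_default else access).append((tag, qualifier, perms))
    return access, default


def effective_perms(entries):
    """Apply the mask as POSIX ACLs do: named users, named groups and the owning
    group are ANDed with mask::; the owner (user::) and other:: are not."""
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    effective = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        if tag == "group" or (tag == "user" and qualifier):
            perms = "".join(c if c in mask else "-" for c in perms)
        effective[f"{tag}:{qualifier}"] = perms
    return effective


def ids_mapped_both(entries):
    """Numeric ids present as both a named user and a named group entry, i.e.
    the user/group pairs Samba writes for an id of type ID_TYPE_BOTH."""
    seen = defaultdict(set)
    for tag, qualifier, _ in entries:
        if qualifier:
            seen[tag].add(qualifier)
    return seen["user"] & seen["group"]


def ids_without_read(entries, xids):
    """Of the given xids, those that have no effective read bit through either
    their user or their group entry on this folder."""
    effective = effective_perms(entries)
    return {
        xid for xid in xids
        if "r" not in effective.get(f"user:{xid}", "---")
        and "r" not in effective.get(f"group:{xid}", "---")
    }


if __name__ == "__main__":
    access, default = parse_getfacl(GETFACL_DUMP)
    print("effective access ACL:", effective_perms(access))
    print("ids mapped as user and group:", sorted(ids_mapped_both(access)))
    # 3000099 is a constructed xid that does not occur in the dump.
    print("no read access:", ids_without_read(access, ["3000010", "3000099"]))
```

To turn the xids back into names on the DC, use `wbinfo --uid-info 3000004` / `wbinfo --gid-info 3000004` or search `xidNumber=3000004` in the DC's idmap.ldb; the id that should resolve to Domain Computers must not land in the `ids_without_read` set for a computer-configuration GPO, which is the condition Louis's "give Domain Computers Read" advice is about.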