[Samba] GPOs not Working!

L.P.H. van Belle belle at bazuin.nl
Wed Feb 7 13:42:48 UTC 2018


Hai, 

I also found some extra guidance for you to review. 

http://techgenix.com/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1/
http://techgenix.com/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2/
http://techgenix.com/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part3

For you, look at Part 2, point 7. 
Authenticated Users should work; if not, try the same with "Domain Computers". 
! Keep Authenticated Users, give Domain Computers read. 
Authenticated Users should have read/apply. 

Reboot the pc and try again. 

Greetz, 

Louis


> -----Original message-----
> From: Micha Ballmann [mailto:ballmann at uni-landau.de] 
> Sent: Wednesday 7 February 2018 13:42
> To: L.P.H. van Belle
> Subject: Re: [Samba] GPOs not Working!
> 
> Thanks for your help.
> 
> I followed all the steps you describe. But I'm not able to set a GPO with 
> "computer configurations". I don't know what happened.
> 
> Maybe you have a last idea :).
> 
> Best regards
> 
> Micha
> 
> 
> On 07.02.2018 at 12:06, L.P.H. van Belle via samba wrote:
> > hai Micha,
> >   
> > The why is explained here.
> > https://wiki.samba.org/index.php/The_SYSTEM_Account
> > Which in the end has to do with SID_BOTH, one SID for a user and group; linux does not understand that correctly.
> >   
> >
> > with : acl_xattr:ignore system acls = [yes|no]
> > When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module. The default is no, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs.
> > This is better if you need your system ACLs to be set for local or NFS file access, too.
> > If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility.
> >   
> > And also see.
> > https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
> >   
> > And if i missed something guys, please add it ;-)
> >   
> > Greetz,
> >   
> > Louis
> >   
> >   
> >
> > From: Micha Ballmann [mailto:ballmann at uni-landau.de]
> > Sent: Wednesday 7 February 2018 11:45
> > To: L.P.H. van Belle; samba at lists.samba.org
> > Subject: Re: [Samba] GPOs not Working!
> >
> >
> >
> >
> > Before I do that,
> >
> > I don't understand why I have to do this!
> >
> > I'm just testing straight forward.
> >
> > Now I have 3 GPOs
> > * Default Domain Policy
> >   * (no configurations)
> > * test1
> >   * User Configuration: Mount Share and Create Desktop Icon; Security Filter: Authenticated Users ---> THIS GPO IS WORKING!
> > * test2
> >   * Computer Configuration: Interactive logon: Do not require CTRL + ALT + DEL and Interactive logon: Do not display last user name; Security Filter: Authenticated Users, Domain Computers ---> THIS GPO IS NOT WORKING! (Also tried Security Filter: Authenticated Users ONLY)
> >
> > The ACLs of my policies:
> >
> > Default Domain Policy (test1 and test2 are the same)
> >
> > # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
> > # owner: 3000004
> > # group: 3000004
> > user::rwx
> > user:3000002:rwx
> > user:3000003:r-x
> > user:3000007:rwx
> > user:3000010:r-x
> > group::rwx
> > group:3000002:rwx
> > group:3000003:r-x
> > group:3000004:rwx
> > group:3000007:rwx
> > group:3000010:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:user:3000004:rwx
> > default:user:3000007:rwx
> > default:user:3000010:r-x
> > default:group::---
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:group:3000004:rwx
> > default:group:3000007:rwx
> > default:group:3000010:r-x
> > default:mask::rwx
> > default:other::---
> >
> > It looks like User Configurations are working and Computer Configurations won't!
> >
> > Thanks very much for the help.
> >
> > PS: I do not know if it helps. On a Windows Server 2016 and 2012 I configured the same GPOs described above. On WS all works fine.
> >
> > On 07.02.2018 at 10:01, L.P.H. van Belle via samba wrote:
> >
> >
> > Hai, Ok, for the sysvol. I'll put all steps here again. I suggest you start with this one:
> > wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> > This checks and sets the rights to what is known to be right. ( aka works great for me ) ;-)
> >
> > Then follow these steps.
> > - Login as dom\administrator.
> > - Start computer manager, connect to dc.
> > - Click Shared Folders, Shares, sysvol.
> >   Option 1, this is the default. Everyone with Full control, Change and Read.
> >   Option 2, Everyone: Read. Verified users: Full, Change, Read. SYSTEM: Full, Change, Read. DOMAIN\Administrators ( or DOMAIN\Domain Admins ): Full, Change, Read.
> >   The result of both settings is ( share wise ) the same. Except in option 2, you must be verified before you can write anywhere.
> > - Tab Security. Verified users: Read+exec, Show folder content, Read. SYSTEM: full ( everything on ). DOMAIN\Administrators ( or DOMAIN\Domain Admins ): full ( everything on ). DOMAIN\Server operators: Read+exec, Show folder content, Read.
> >   Once this is set, click advanced, click change below. Check "replace all underlying" and replace..
> >   ! Note, always this order: first share security, then folder security. That helps prevent making errors or resetting rights.
> > - Do the same for Netlogon. Same settings as sysvol, since it's a sub folder of sysvol.
> > - These steps are imo only done once ( ! or if you get errors again due to a reset or change in windows clients ).
> >
> > Now first go to the GroupPolicyObjects ( not the linked ones ). Click on every GPO object there; if you get any message, press ok, then it's reset.
> > Now, you need to check the GPO Objects that are assigned/linked to OU and/or groups. Just start at the top, and click every object.
> > All my "normal" GPO Objects only have Authenticated Users. My "special" GPO Objects have different settings. For example, I've disabled all USB/Mobile/CD access on the pc's by GPO's. A user policy set in the Standard User. I've created 2 groups, per type. For example USB-Read; if I look here you see only the USB-Allow-Read group.
> > Now click the Delegation Tab. That shows me: Authenticated Users Read (by security filter), DOM\Domain Admins, DOM\Enterprise Admins, Server logon, SYSTEM.
> > What you don't see is the underlying ACL; click Advanced. Here you see, ... the "Reset to default" button. Reset it.
> > Now remember here, after doing this, no samba-tool sysvolreset.. If you do, repeat the above again. Everything!
> > User GPO's: only a group with the user is fine, and it needs "apply GPO". A computer GPO needs Domain Computers with apply GPO AND the users group.
> > I've set up all "problem" shares this way, due to user NT Authority\SYSTEM problems. Google for it, you see lots of it in the samba list. My shares layout that used it ( on multiple servers ): DC: Sysvol and Netlogon. Members: users and profiles. Print server: print$ and printers.
> > So in short, all shares where the "computer$" may access as user system or things like that. If you see errors on a computer in the eventlogs with: Computer$ can access .... Bla bla.... On GPO.ini.
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > This is often a forgotten "DOM\Domain Computers" in the GPO object with read and/or write rights missing. People test this and the computer$ can access the GPO.ini without problems, so why the event log? Because of "SYSTEM" or another user that is having user/group/SID problems with linux acls.
> > I hope I explained well enough why I use and set ignore systemacl.
> > Greetz, Louis
> >
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Robert Marcano via samba
> > Sent: Wednesday 7 February 2018 3:19
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] GPOs not Working!
> >
> > On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote:
> >
> > > ok, do the following. set ignore systemacl to yes on sysvol and netlogon.
> >
> > Added "acl_xattr:ignore system acls = yes" to both shares, restarted the server
> >
> > > login as dom\administrator, computer manager, connect to dc. share sysvol, goto share security, reset to defaults. same for folder.
> >
> > I don't get the "Reset to defaults" option. There are two security related tabs, "Permission of shared resources" (or something like that, Windows is not in English) with only permissions for Everyone with Full control, Change and Read. The other tab is the standard "Security" tab; those tabs don't show any reset to default option.
> >
> > > goto gpo manager, click on every gpo object, if one has wrong acl, you get a message to reset it, that's ok.
> > >
> > > now never samba-tool sysvol reset; if you do, you might need to set share/file security again. Greetz Louis p.s rowland, now you can change the default gpo's also.
> > >
> > > On 6 Feb 2018 at 20:14, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > >
> > > > On Tue, 6 Feb 2018 15:03:16 -0400 Robert Marcano via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > Thanks for the information, to use a default GPO was a simple way to try to encourage someone to reproduce the problem. I already created new GPOs (this is a test domain) using the default filter for a new GPO, "Authenticated users", creating a new group for the test clients and using that as the filter, checking it has the right permissions (apply), checking every guide about applying GPO to computers. Using OUs and using domain level GPOs. What I find weird is that gpresult doesn't list the computer as a member of groups I create, only a few predefined ones: NULL SID, NT AUTHORITY\NETWORK, This company, and something like "mandatory level of no trust" (Windows is not in english)
> > > >
> > > > Do not alter the two default GPOs, it doesn't work ;-)
> > > > Creating new GPOs should work, just do not run sysvolreset after creating them.
> > > >
> > > > Rowland
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the instructions:
> > > > https://lists.samba.org/mailman/options/samba
> >
> >
> >
> 
> 
> 
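One way to check an ACL like the one Micha posted, as an added example that is not code from the thread or from Samba: it parses getfacl output, applies the POSIX mask the way the kernel does, and lists which of a given set of ids cannot read and traverse the GPO folder. The thread does not say which xid is Domain Computers, so the ids passed to the check are assumptions.

```python
# Added example, not from the thread: parse getfacl output and compute the
# permissions each principal really gets once the POSIX ACL mask is applied.

# ACL of the Default Domain Policy folder as posted in the thread (quote
# markers and default:* entries removed). The numbers are Samba xids, not
# SIDs; the thread does not say which one is Domain Computers.
GPO_ACL = """\
# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000004
# group: 3000004
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000004:rwx
group:3000007:rwx
group:3000010:r-x
mask::rwx
other::---
"""


def effective_perms(text):
    """Map 'user:<id>', 'group:<id>' and 'other' to the rwx they really get.
    Named users, named groups and the owning group are limited by the
    mask entry; the owner's own entry and 'other' are not."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    meta = dict(l[2:].split(": ", 1) for l in lines if l.startswith("# "))
    entries = [l.split(":") for l in lines if not l.startswith(("#", "default:"))]
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    result = {}
    for tag, qual, perms in entries:
        masked = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        if tag == "user":
            # an empty qualifier is the owner entry, which the mask ignores
            result["user:" + (qual or meta["owner"])] = masked if qual else perms
        elif tag == "group":
            result["group:" + (qual or meta["group"])] = masked
        elif tag == "other":
            result["other"] = perms
    return result


def missing_read(text, principals):
    """Return the given principals that cannot read and traverse the folder,
    i.e. lack r or x after the mask is applied (absent ids count as '---')."""
    eff = effective_perms(text)
    return sorted(p for p in principals if not {"r", "x"} <= set(eff.get(p, "---")))
```

With acl_xattr:ignore system acls = yes, as Louis recommends, Samba no longer maps the NT ACL onto this POSIX ACL, so this view is what local or NFS access sees, not necessarily what an SMB client gets.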
