[Samba] GPOs not Working!

Micha Ballmann ballmann at uni-landau.de
Thu Feb 8 06:53:29 UTC 2018


That's a good question, I have exactly the same "issue". User 
Configurations are working. Computer Configurations won't. Also tested 
on one GPO.

Thy

Micha


On 07.02.2018 at 23:21, Robert Marcano via samba wrote:
> On 02/07/2018 05:01 AM, L.P.H. van Belle via samba wrote:
>> Hai,
>>
>> Ok, for the sysvol.
>> I'll put all steps here again.
>>
>> I suggest start with this one.
>> wget 
>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>> This checks and sets the rights to what is known to be right. ( aka works 
>> great for me ) ;-)
>>
>
> Thanks, but before I run that script (I need to analyse what it is 
> doing before)
>
> I just have one more question: why do you think these problems are ACL 
> problems? When I create a new GPO with default authenticated users 
> filtering, linked at domain level, add user and computers 
> configurations on the same GPO, gpresult shows the machine part is 
> denied. It shouldn't be. I think fs ACL problems are not the problem 
> here, we are talking about the same GPO.
>
> Can you help me with one little request, check "gpresult /v" on a 
> Samba AD joined domain computer and tell me if in the section where it 
> lists the groups the machine is a member of, does it show more entries than
>
>   NULL SID
>   NT AUTHORITY\NETWORK,
>   This company,
>   and something like "mandatory level of no trust" (Windows is not in
> English)
>
> does it show "Authenticated users" and "Domain Computers" for you?
>
>> Then follow these steps.
>>
>> - login as dom\administrator.
>> - start computer manager, connect to dc.
>> - click Shared Folders, Shares, sysvol.
>>    Option 1, this is the default. Everyone with Full control, Change 
>> and Read.
>>    Option 2, Everyone: Read.
>>         Verified users:  Full, Change, Read.
>>         SYSTEM Full, Change, Read.
>>         DOMAIN\Administrators ( or DOMAIN\Domain Admins ) Full, change 
>> read.
>>
>> The result of both settings is ( share-wise ) the same.
>> Except in option 2, you must be verified before you can write anywhere.
>>
>> - Tab Security.
>>         Verified users:  Read+exec, Show folder content, Read.
>>         SYSTEM: full ( everything on )
>>         DOMAIN\Administrators: ( or DOMAIN\Domain Admins ) full ( 
>> everything on )
>>         DOMAIN\Server operators: Read+exec, Show folder content, Read.
>> Once this is set, click advanced, click change below.
>> Check, replace all underlying and replace..
>>
>> ! Note, always this order, first share security then folder security.
>> That helps prevent making errors or resetting rights.
>>
>> - Do the same for Netlogon. Same settings as sysvol, since it's a 
>> subfolder of sysvol.
>>
>>
>> - These steps are imo only done once, ( ! Or if you get errors again 
>> due to a reset or change in windows clients )
>> Now first go to the GroupPolicyObjects, ( not the linked ones )
>> Click on every GPO object there, if you get any message, press ok, 
>> then it's reset.
>>
>> Now, you need to check the GPO Objects that are assigned/linked to OU 
>> and/or groups.
>>
>> Just start at the top, and click every object.
>> All my "normal" GPO Objects only have Authenticated Users.
>> My "special" GPO Objects have different settings.
>>
>> For example, I've disabled all USB/Mobile/CD access on the PCs by GPOs,
>> a user policy set in the Standard User. I've created 2 groups, per type.
>> For example.
>> USB-Read, if I look here you see only USB-Allow-Read group. Now click 
>> the Delegation Tab.
>> That shows me:
>> Authenticated User Ready (by security filter)
>> DOM\Domain Admins
>> DOM\Enterprise Admins
>> Server logon
>> SYSTEM
>>
>> What you don't see is the underlying ACL, click Advanced.
>> Here you see, ... The "Reset to default" button.
>> Reset it.
>>
>> Now remember here, after doing this, no samba-tool sysvolreset..
>> If you do, repeat the above again. Everything!
>>
>> User GPOs, only a group with the user is fine, and needs "apply GPO"
>> A computer GPO needs Domain computers with apply GPO AND the users 
>> group.
>>
>>
>> I've set up all "problem" shares, due to user NT Authority\SYSTEM 
>> problems.
>> Google for it, you see lots of it in the samba list.
>> My shares layout that used it. ( on multiple servers )
>> DC: Sysvol and Netlogon
>> Members: users and profiles
>> Print server: print$ and printers
>>
>> So in short, all shares where the "computer$" may access as user system 
>> or things like that.
>>
>> If you see errors on a computer in the eventlogs with:
>> Computer$ can access .... Bla bla....   On GPO.ini.
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> This is often a forgotten "DOM\Domain Computers" in the GPO object 
>> with read and/or write rights missing.
>> People test this and the computer$ can access the GPO.ini without 
>> problems, so why the event log?
>> Because of "SYSTEM" or another user that is having user/group/SID 
>> problems with Linux ACLs.
>>
>> I hope I explained well enough why I use and set ignore system acls.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>> Robert Marcano via samba
>>> Sent: Wednesday 7 February 2018 3:19
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] GPOs not Working!
>>>
>>> On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote:
>>>> ok,
>>>>
>>>> do the following.
>>>> set ignore systemacl to yes on sysvol and netlogon.
>>>
>>> Added "acl_xattr:ignore system acls = yes" to both shares,
>>> restarted the
>>> server
>>>
>>>>
>>>> login as dom\administrator
>>>> computer manager, connect to dc.
>>>> share sysvol, go to share security, reset to defaults.
>>>> same for folder.
>>>
>>> I don't get the "Reset to defaults" option. There are two security
>>> related tabs, "Permission of shared resources" (or something
>>> like that,
>>> Windows is not in English) with only permissions for Everyone
>>> with Full
>>> control, Change and Read.
>>>
>>> The other tab is the standard "Security" tab, those tabs
>>> don't show any
>>> reset to default option
>>>
>>>>
>>>> goto gpo manager,
>>>> click on every gpo object, if one has wrong acl, you get a
>>> message to reset it, that's ok.
>>>>
>>>> now never samba-tool sysvol reset
>>>> if you do, you might need to set share/file security again.
>>>>
>>>> Greetz
>>>> Louis
>>>>
>>>> P.S. Rowland, now you can change the default GPOs also.
>>>>
>>>>
>>>>
>>>>> On 6 Feb 2018 at 20:14, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>>>
>>>>> On Tue, 6 Feb 2018 15:03:16 -0400
>>>>> Robert Marcano via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Thanks for the information, to use a default GPO was a
>>> simple way to
>>>>>> try to encourage someone to reproduce the problem.
>>>>>>
>>>>>> I already created new GPOs (this is a test domain) Using
>>> the default
>>>>>> filter for a new GPO, "Authenticated users", creating a
>>> new group for
>>>>>> the test clients and using that as the filter, checking
>>> it has the
>>>>>> right permissions (apply), checking every guide about
>>> applying GPO to
>>>>>> computers. Using OUs and using domain level GPOs.
>>>>>>
>>>>>> What I find weird is that gpresult doesn't list the computer as a
>>>>>> member of groups I create, only a few predefined ones:
>>>>>>
>>>>>>     NULL SID
>>>>>>     NT AUTHORITY\NETWORK,
>>>>>>     This company,
>>>>>>     and something like "mandatory level of no trust"
>>> (Windows is not in
>>>>>> English)
>>>>>>
>>>>>
>>>>> Do not alter the two default GPOs, it doesn't work ;-)
>>>>>
>>>>> Creating new GPOs should work, just do not run sysvolreset after
>>>>> creating them.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
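Louis's advice in the quoted thread is to set "acl_xattr:ignore system acls = yes" on both the sysvol and netlogon shares before resetting the share and folder security from Windows. The script below is an added example, not code from the thread or from Samba: it parses a constructed smb.conf fragment and reports whether that option is effective for each of the two shares, treating a value set in [global] as applying to every share that does not override it.

```python
# Audit an smb.conf for 'acl_xattr:ignore system acls = yes' on the sysvol
# and netlogon shares, as recommended in the thread above. Added example;
# the smb.conf fragments are constructed, not a real server's configuration.
import configparser

SHARES = ("sysvol", "netlogon")
OPTION = "acl_xattr:ignore system acls"

# Constructed 'before' config: shares as provisioned, option not set.
WEAK_SMB_CONF = """[global]
server role = active directory domain controller

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No
"""

# Constructed 'after' config: the option added to both shares.
FIXED_SMB_CONF = WEAK_SMB_CONF.replace(
    "read only = No", "read only = No\nacl_xattr:ignore system acls = yes")


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like. Only '=' separates keys from values (the ':' is
    # part of the parametric option name); do not interpolate Samba macros
    # such as %U, and do not abort on a repeated key.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    return cp


def audit_ignore_system_acls(text: str) -> dict:
    """Return {share: effective?} for sysvol and netlogon. A parametric
    option in [global] applies to every share unless the share overrides
    it, so fall back to [global]; a missing share is reported as False."""
    cp = parse_smb_conf(text)
    result = {}
    for share in SHARES:
        if not cp.has_section(share):
            result[share] = False
            continue
        value = cp.get(share, OPTION, fallback=None)
        if value is None:
            value = cp.get("global", OPTION, fallback="no")
        # Samba accepts yes/true/1 (case-insensitive) as boolean true.
        result[share] = value.strip().lower() in ("yes", "true", "1")
    return result
```

Run it against the real /etc/samba/smb.conf (read the file and pass its text) to see which of the two shares still lacks the setting; as Louis notes, changing the option is only the first step and the share and folder security still has to be reset afterwards.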
