[Samba] gpupdate /force not applied

Elias Pereira empbilly at gmail.com
Mon Jul 30 14:17:24 UTC 2018 

The principle was not made any changes to occur this problem.

We infra have dc3 and dc4 ADDC.

root at dc3:/etc/samba# samba -V
Version 4.7.7-Debian (van-blle apt)

Result of gpupdate /force in a joined computer client:

C:\>gpupdate /force
> Updating Policy...
> User policy could not be updated successfully. The following errors were
> encountered:
> The processing of Group Policy failed. Windows could not determine if the
> user and computer accounts are in the same forest. Ensure the user domain
> name matches the name of a trusted domain that resides in the same forest
> as the computer account.
> Computer Policy update has completed successfully.
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.


root at dc3:/etc/samba/scripts# cat /etc/hosts
127.0.0.1 localhost
200.xxx.xxx.160 dc3.campus.sertao.ifrs.edu.br dc3
200.xxx.xxx.151     puppet.sertao.ifrs.edu.br    puppet

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root at dc3:/etc/samba/scripts# cat /etc/resolv.conf
domain campus.sertao.ifrs.edu.br
search campus.sertao.ifrs.edu.br
nameserver 200.xxx.xxx.160

smb.conf
# Global parameters
[global]
        netbios name = DC3
        realm = CAMPUS.SERTAO.IFRS.EDU.BR
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        workgroup = CAMPUS
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        #log file = /var/log/samba/log.%m
        #log level = 10
        ntlm auth = yes
        #ntlm auth = mschapv2-and-ntlmv2-only

[netlogon]
        path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

krb5.conf
[libdefaults]
        default_realm = CAMPUS.SERTAO.IFRS.EDU.BR
        dns_lookup_realm = false
        dns_lookup_kdc = true

root at dc3:/etc/samba/scripts# ls -lah /etc/krb5.conf
-rw-r--r-- 1 root bind 106 nov 16  2017 /etc/krb5.conf

sysvol permissions:
root at dc3:/var/lib/samba# ls -lah
total 1,4M
drwxr-xr-x   8 root root          4,0K jul 30 10:03 .
drwxr-xr-x  32 root root          4,0K jul  3 09:27 ..
-rw-------   1 root root          412K nov  8  2017 account_policy.tdb
-rw-------   1 root root           696 nov  8  2017 group_mapping.tdb
drwxr-x---   2 root ntp           4,0K jul 30 10:03 ntp_signd
drwxr-xr-x  10 root root          4,0K nov  8  2017 printers
drwxr-xr-x   8 root root          4,0K jul 30 10:12 private
-rw-------   1 root root          516K nov 23  2017 registry.tdb
-rw-------   1 root root          412K jul 30 09:29 share_info.tdb
drwxrwx---+  3 root       3000000 4,0K jul 30 09:37 sysvol
drwxrwx--T   2 root sambashare    4,0K nov  8  2017 usershares
-rw-------   1 root root           32K jul 30 10:11 winbindd_cache.tdb
drwxr-x---   2 root winbindd_priv 4,0K jul 30 10:03 winbindd_privileged

samba-tool ntacl sysvolreset (sysvolcheck appears an error, but I believe
that is normal)
root at dc3:/var/lib/samba# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
campus.sertao.ifrs.edu.br/Policies/{BE145C6B-F6FA-4772-8EE3-9C2816FF29E6}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270,
in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))

samba-tool ntacl sysvolreset OK

samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes  OK

samba_dnsupdate --verbose --all-names OK

Louis script (samba-check-set-sysvol.sh) for sysvol check return this
output:

root at dc3:/etc/samba/scripts# ./samba-check-set-sysvol.sh

The sysvol ACLS info.....

Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.
Set your sysvol SHARE permissions as followed.
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this
for some GPO settings.

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

https://wiki.samba.org/index.php/Sysvolreset

I also checked the link above and made the suggested changes, but even then
the initial gpoupdate error still occurs.

Any idea?

-- 
Elias Pereira

More information about the samba mailing list