[Samba] gpupdate /force not applied
Elias Pereira
empbilly at gmail.com
Mon Jul 30 14:17:24 UTC 2018
In principle, no changes were made that could cause this problem.
Our infrastructure has two AD DCs, dc3 and dc4.
root at dc3:/etc/samba# samba -V
Version 4.7.7-Debian (van-blle apt)
Result of gpupdate /force in a joined computer client:
C:\>gpupdate /force
> Updating Policy...
> User policy could not be updated successfully. The following errors were
> encountered:
> The processing of Group Policy failed. Windows could not determine if the
> user and computer accounts are in the same forest. Ensure the user domain
> name matches the name of a trusted domain that resides in the same forest
> as the computer account.
> Computer Policy update has completed successfully.
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.
root at dc3:/etc/samba/scripts# cat /etc/hosts
127.0.0.1 localhost
200.xxx.xxx.160 dc3.campus.sertao.ifrs.edu.br dc3
200.xxx.xxx.151 puppet.sertao.ifrs.edu.br puppet
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root at dc3:/etc/samba/scripts# cat /etc/resolv.conf
domain campus.sertao.ifrs.edu.br
search campus.sertao.ifrs.edu.br
nameserver 200.xxx.xxx.160
smb.conf
# Global parameters
[global]
netbios name = DC3
realm = CAMPUS.SERTAO.IFRS.EDU.BR
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = CAMPUS
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
#log file = /var/log/samba/log.%m
#log level = 10
ntlm auth = yes
#ntlm auth = mschapv2-and-ntlmv2-only
[netlogon]
path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
krb5.conf
[libdefaults]
default_realm = CAMPUS.SERTAO.IFRS.EDU.BR
dns_lookup_realm = false
dns_lookup_kdc = true
root at dc3:/etc/samba/scripts# ls -lah /etc/krb5.conf
-rw-r--r-- 1 root bind 106 nov 16 2017 /etc/krb5.conf
sysvol permissions:
root at dc3:/var/lib/samba# ls -lah
total 1,4M
drwxr-xr-x 8 root root 4,0K jul 30 10:03 .
drwxr-xr-x 32 root root 4,0K jul 3 09:27 ..
-rw------- 1 root root 412K nov 8 2017 account_policy.tdb
-rw------- 1 root root 696 nov 8 2017 group_mapping.tdb
drwxr-x--- 2 root ntp 4,0K jul 30 10:03 ntp_signd
drwxr-xr-x 10 root root 4,0K nov 8 2017 printers
drwxr-xr-x 8 root root 4,0K jul 30 10:12 private
-rw------- 1 root root 516K nov 23 2017 registry.tdb
-rw------- 1 root root 412K jul 30 09:29 share_info.tdb
drwxrwx---+ 3 root 3000000 4,0K jul 30 09:37 sysvol
drwxrwx--T 2 root sambashare 4,0K nov 8 2017 usershares
-rw------- 1 root root 32K jul 30 10:11 winbindd_cache.tdb
drwxr-x--- 2 root winbindd_priv 4,0K jul 30 10:03 winbindd_privileged
samba-tool ntacl sysvolreset (sysvolcheck shows an error, but I believe
that is normal)
root at dc3:/var/lib/samba# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
campus.sertao.ifrs.edu.br/Policies/{BE145C6B-F6FA-4772-8EE3-9C2816FF29E6}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270,
in run
lp)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1723, in checksysvolacl
direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1674, in check_gpos_acl
domainsid, direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1621, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))
samba-tool ntacl sysvolreset OK
samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes OK
samba_dnsupdate --verbose --all-names OK
Louis's script (samba-check-set-sysvol.sh) for the sysvol check returns this
output:
root at dc3:/etc/samba/scripts# ./samba-check-set-sysvol.sh
The sysvol ACLS info.....
Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.
Set your sysvol SHARE permissions as followed.
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this
for some GPO settings.
Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
https://wiki.samba.org/index.php/Sysvolreset
I also checked the link above and made the suggested changes, but even then
the initial gpupdate error still occurs.
Any idea?
--
Elias Pereira
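The sysvolcheck traceback quoted above prints two long SDDL descriptors that differ only in the owner field (O:LA on disk versus O:DA expected from the GPO object). The following is an added example, not part of the post nor of Samba's own code: it parses both descriptors and reports exactly which fields differ, so the mismatch is readable without comparing the strings by eye. The descriptor strings are copies of the ones quoted in the traceback; the alias table is an assumption based on the standard SDDL SID abbreviations.

```python
import re

# Constructed copies of the two descriptors quoted in the sysvolcheck
# traceback: the on-disk ACL and the value expected from the GPO object.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FS_SDDL = "O:LAG:DAD:P" + ACES   # what is on the filesystem
GPO_SDDL = "O:DAG:DAD:P" + ACES  # what the GPO object in the directory says

# Well-known SDDL SID aliases used in these descriptors (assumed standard meanings).
ALIASES = {"LA": "Local Administrator account", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

# Owner, group, DACL flags, then zero or more "(...)" ACE strings.
SD_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                   r"(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL descriptor into owner, group, DACL flags and ACE tuples."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": m.group("flags"), "aces": aces}

def diff_sddl(fs_sddl, expected_sddl):
    """Return only the fields where the on-disk descriptor differs from the expected one."""
    a, b = parse_sddl(fs_sddl), parse_sddl(expected_sddl)
    out = {}
    for key in ("owner", "group", "flags"):
        if a[key] != b[key]:
            out[key] = (a[key], b[key])
    missing = [ace for ace in b["aces"] if ace not in a["aces"]]
    extra = [ace for ace in a["aces"] if ace not in b["aces"]]
    if missing:
        out["aces_missing_on_disk"] = missing
    if extra:
        out["aces_extra_on_disk"] = extra
    return out

def describe(name):
    """Expand a two-letter SDDL alias; unknown names (e.g. raw SIDs) pass through."""
    return ALIASES.get(name, name)

if __name__ == "__main__":
    for field, val in diff_sddl(FS_SDDL, GPO_SDDL).items():
        if isinstance(val, tuple):
            print("%s: on disk %s (%s), expected %s (%s)"
                  % (field, val[0], describe(val[0]), val[1], describe(val[1])))
        else:
            print("%s: %s" % (field, val))
```

For the strings on this page the script reports only the owner, which is the kind of discrepancy samba-tool ntacl sysvolreset is meant to rewrite; if it persists after a reset, the remaining fields give the next thing to check.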