[Samba] gpupdate /force not applied

Elias Pereira empbilly at gmail.com
Mon Jul 30 15:17:36 UTC 2018


I had set up a trust relationship between our domain and another configured
domain on our network, and at first it seems that this is what caused the
GPO problem. I removed the trust and it all worked again.

In internal tests that I had done, everything worked normally. Of course this
is different when we put it into production. :)

I know the trust is not 100%, but do you have any way to analyze these
issues and troubleshoot them?

On Mon, Jul 30, 2018 at 11:17 AM Elias Pereira <empbilly at gmail.com> wrote:

> In principle, no changes were made that could have caused this problem.
>
> Our infra has two AD DCs, dc3 and dc4.
>
> root at dc3:/etc/samba# samba -V
> Version 4.7.7-Debian (van-belle apt)
>
> Result of gpupdate /force in a joined computer client:
>
> C:\>gpupdate /force
> Updating Policy...
> User policy could not be updated successfully. The following errors were
> encountered:
> The processing of Group Policy failed. Windows could not determine if the
> user and computer accounts are in the same forest. Ensure the user
> domain name matches the name of a trusted domain that resides in the
> same forest as the computer account.
> Computer Policy update has completed successfully.
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.
>
>
> root at dc3:/etc/samba/scripts# cat /etc/hosts
> 127.0.0.1 localhost
> 200.xxx.xxx.160 dc3.campus.sertao.ifrs.edu.br dc3
> 200.xxx.xxx.151     puppet.sertao.ifrs.edu.br    puppet
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> root at dc3:/etc/samba/scripts# cat /etc/resolv.conf
> domain campus.sertao.ifrs.edu.br
> search campus.sertao.ifrs.edu.br
> nameserver 200.xxx.xxx.160
>
> smb.conf
> # Global parameters
> [global]
>         netbios name = DC3
>         realm = CAMPUS.SERTAO.IFRS.EDU.BR
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = CAMPUS
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = no
>         #log file = /var/log/samba/log.%m
>         #log level = 10
>         ntlm auth = yes
>         #ntlm auth = mschapv2-and-ntlmv2-only
>
> [netlogon]
>         path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> krb5.conf
> [libdefaults]
>         default_realm = CAMPUS.SERTAO.IFRS.EDU.BR
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> root at dc3:/etc/samba/scripts# ls -lah /etc/krb5.conf
> -rw-r--r-- 1 root bind 106 nov 16  2017 /etc/krb5.conf
>
> sysvol permissions:
> root at dc3:/var/lib/samba# ls -lah
> total 1,4M
> drwxr-xr-x   8 root root          4,0K jul 30 10:03 .
> drwxr-xr-x  32 root root          4,0K jul  3 09:27 ..
> -rw-------   1 root root          412K nov  8  2017 account_policy.tdb
> -rw-------   1 root root           696 nov  8  2017 group_mapping.tdb
> drwxr-x---   2 root ntp           4,0K jul 30 10:03 ntp_signd
> drwxr-xr-x  10 root root          4,0K nov  8  2017 printers
> drwxr-xr-x   8 root root          4,0K jul 30 10:12 private
> -rw-------   1 root root          516K nov 23  2017 registry.tdb
> -rw-------   1 root root          412K jul 30 09:29 share_info.tdb
> drwxrwx---+  3 root       3000000 4,0K jul 30 09:37 sysvol
> drwxrwx--T   2 root sambashare    4,0K nov  8  2017 usershares
> -rw-------   1 root root           32K jul 30 10:11 winbindd_cache.tdb
> drwxr-x---   2 root winbindd_priv 4,0K jul 30 10:03 winbindd_privileged
>
> samba-tool ntacl sysvolreset (sysvolcheck shows an error, but I believe
> that is normal)
> root at dc3:/var/lib/samba# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
> campus.sertao.ifrs.edu.br/Policies/{BE145C6B-F6FA-4772-8EE3-9C2816FF29E6}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270,
> in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1674, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1621, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
>
> samba-tool ntacl sysvolreset OK
>
> samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes  OK
>
> samba_dnsupdate --verbose --all-names OK
>
> Louis's script (samba-check-set-sysvol.sh) for the sysvol check returns this
> output:
>
> root at dc3:/etc/samba/scripts# ./samba-check-set-sysvol.sh
>
> The sysvol ACLS info.....
>
> Please check your share rights for sysvol from within windows.
> If these are incorrect, correct them and run this script again.
> Set your sysvol SHARE permissions as followed.
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> User/Group system is added compaired to a win2008R2 sysvol, you need this
> for some GPO settings.
>
> Set your sysvol FOLDER permissions as followed.
> Authenticated Users: Read & Exec, Show folder content, Read
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>
> https://wiki.samba.org/index.php/Sysvolreset
>
> I also checked the link above and made the suggested changes, but even
> then the initial gpupdate error still occurs.
>
> Any idea?
>
> --
> Elias Pereira
>


-- 
Elias Pereira

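The sysvolcheck error quoted in the thread prints two long SDDL strings that are hard to compare by eye. The following is an added example, not code from the thread or from Samba, that parses both strings into owner, group, DACL flags and ACEs and reports only the parts that differ; on the two strings from the message it shows that the sole deviation is the owner of the GPO directory (LA, the local Administrator account, instead of DA, Domain Admins), which is exactly what `samba-tool ntacl sysvolreset` is meant to repair.

```python
import re
from dataclasses import dataclass
from typing import List

# The two SDDL strings exactly as printed by `samba-tool ntacl sysvolcheck`
# in the thread: the ACL found on the GPO directory and the expected one.
FOUND_SDDL = "O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
EXPECTED_SDDL = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

# O:<owner>G:<group>D:<dacl flags>(<ace>)(<ace>)...  (SACL part not handled here)
SDDL_RE = re.compile(r"^O:(.*?)G:(.*?)D:([A-Z]*)((?:\([^)]*\))*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = access allowed, D = access denied
    flags: str      # inheritance flags such as OI, CI, IO
    rights: str     # access mask (hex) or rights letters
    trustee: str    # SID or well-known alias (DA, EA, SY, AU, ...)


@dataclass
class Descriptor:
    owner: str
    group: str
    dacl_flags: str
    aces: List[Ace]


def parse_sddl(sddl: str) -> Descriptor:
    """Split an O:/G:/D: SDDL string into its components."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for body in ACE_RE.findall(ace_text):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inh_obj, trustee = fields
        aces.append(Ace(ace_type, flags, rights, trustee))
    return Descriptor(owner, group, dacl_flags, aces)


def diff_sddl(found: str, expected: str) -> List[str]:
    """Return human-readable lines for every component that deviates."""
    f, e = parse_sddl(found), parse_sddl(expected)
    out = []
    if f.owner != e.owner:
        out.append("owner: %s != %s" % (f.owner, e.owner))
    if f.group != e.group:
        out.append("group: %s != %s" % (f.group, e.group))
    if f.dacl_flags != e.dacl_flags:
        out.append("dacl flags: %s != %s" % (f.dacl_flags, e.dacl_flags))
    for ace in set(e.aces) - set(f.aces):
        out.append("missing ACE: %s" % (ace,))
    for ace in set(f.aces) - set(e.aces):
        out.append("unexpected ACE: %s" % (ace,))
    return out


if __name__ == "__main__":
    for line in diff_sddl(FOUND_SDDL, EXPECTED_SDDL):
        print(line)
```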
