[Samba] gpupdate /force not applied
L.P.H. van Belle
belle at bazuin.nl
Mon Jul 30 15:18:53 UTC 2018
Hai Elias,
Lucky you, I'm in a good mood and I'm "still" at work ;-) ..
# Add
[sysvol]
acl_xattr:ignore system acls = yes
path = /var/lib/samba/sysvol
read only = No
Did you set the parameter APPLY_CHANGES_DIRECT="no" to yes? If not, do it.
Restart samba-ad-dc.
Then go to your GPO editor in Windows and click every GPO object once.
Some might complain about rights; that's OK, Windows will fix that.
Should fix it.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Elias Pereira via samba
> Sent: Monday 30 July 2018 16:17
> To: samba
> Subject: [Samba] gpupdate /force not applied
>
> In principle, no changes were made that could cause this problem.
>
> Our infra has dc3 and dc4 AD DCs.
>
> root at dc3:/etc/samba# samba -V
> Version 4.7.7-Debian (van-blle apt)
>
> Result of gpupdate /force in a joined computer client:
>
> C:\>gpupdate /force
> > Updating Policy...
> > User policy could not be updated successfully. The following errors were encountered:
> > The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
> > Computer Policy update has completed successfully.
> > To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
>
>
> root at dc3:/etc/samba/scripts# cat /etc/hosts
> 127.0.0.1 localhost
> 200.xxx.xxx.160 dc3.campus.sertao.ifrs.edu.br dc3
> 200.xxx.xxx.151 puppet.sertao.ifrs.edu.br puppet
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> root at dc3:/etc/samba/scripts# cat /etc/resolv.conf
> domain campus.sertao.ifrs.edu.br
> search campus.sertao.ifrs.edu.br
> nameserver 200.xxx.xxx.160
>
> smb.conf
> # Global parameters
> [global]
> netbios name = DC3
> realm = CAMPUS.SERTAO.IFRS.EDU.BR
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = CAMPUS
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = no
> #log file = /var/log/samba/log.%m
> #log level = 10
> ntlm auth = yes
> #ntlm auth = mschapv2-and-ntlmv2-only
>
> [netlogon]
> path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> krb5.conf
> [libdefaults]
> default_realm = CAMPUS.SERTAO.IFRS.EDU.BR
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> root at dc3:/etc/samba/scripts# ls -lah /etc/krb5.conf
> -rw-r--r-- 1 root bind 106 nov 16 2017 /etc/krb5.conf
>
> sysvol permissions:
> root at dc3:/var/lib/samba# ls -lah
> total 1,4M
> drwxr-xr-x 8 root root 4,0K jul 30 10:03 .
> drwxr-xr-x 32 root root 4,0K jul 3 09:27 ..
> -rw------- 1 root root 412K nov 8 2017 account_policy.tdb
> -rw------- 1 root root 696 nov 8 2017 group_mapping.tdb
> drwxr-x--- 2 root ntp 4,0K jul 30 10:03 ntp_signd
> drwxr-xr-x 10 root root 4,0K nov 8 2017 printers
> drwxr-xr-x 8 root root 4,0K jul 30 10:12 private
> -rw------- 1 root root 516K nov 23 2017 registry.tdb
> -rw------- 1 root root 412K jul 30 09:29 share_info.tdb
> drwxrwx---+ 3 root 3000000 4,0K jul 30 09:37 sysvol
> drwxrwx--T 2 root sambashare 4,0K nov 8 2017 usershares
> -rw------- 1 root root 32K jul 30 10:11 winbindd_cache.tdb
> drwxr-x--- 2 root winbindd_priv 4,0K jul 30 10:03 winbindd_privileged
>
> samba-tool ntacl sysvolreset (sysvolcheck shows an error, but I believe that is normal)
> root at dc3:/var/lib/samba# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/Policies/{BE145C6B-F6FA-4772-8EE3-9C2816FF29E6}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
> lp)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> direct_db_access)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
> domainsid, direct_db_access)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> samba-tool ntacl sysvolreset OK
>
> samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes OK
>
> samba_dnsupdate --verbose --all-names OK
>
> Louis' script (samba-check-set-sysvol.sh) for the sysvol check returns this output:
>
> root at dc3:/etc/samba/scripts# ./samba-check-set-sysvol.sh
>
> The sysvol ACLS info.....
>
> Please check your share rights for sysvol from within windows.
> If these are incorrect, correct them and run this script again.
> Set your sysvol SHARE permissions as followed.
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.
>
> Set your sysvol FOLDER permissions as followed.
> Authenticated Users: Read & Exec, Show folder content, Read
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>
> https://wiki.samba.org/index.php/Sysvolreset
>
> I also checked the link above and made the suggested changes, but even then the initial gpupdate error still occurs.
>
> Any idea?
>
> --
> Elias Pereira
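The sysvolcheck error quoted in the thread prints two long SDDL strings and only says that they "do not match"; reading them by eye is error-prone. The following helper is an added example (not code from the thread, from Louis' script or from the Samba project): it parses both descriptors into owner, group, DACL flags and ACEs, and reports exactly which component differs. The two SDDL strings are copied from the quoted sysvolcheck output; the alias and access-mask tables are standard Windows SDDL values.

```python
"""Diff two SDDL security descriptors and name the component that differs.

Added example, not part of the Samba project: demonstrates why the
`samba-tool ntacl sysvolcheck` error in the thread fires (owner LA vs DA).
"""
import re
from collections import Counter

# Well-known SDDL SID aliases that occur in the descriptors from the thread.
SID_ALIASES = {
    "LA": "Local Administrator",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# Access masks that occur in the descriptors (standard file-system rights).
RIGHTS = {
    "0x001f01ff": "Full control",
    "0x001200a9": "Read & execute",
}

# Both strings copied from the sysvolcheck error quoted in the thread (rejoined onto one line).
ONDISK_SDDL = (
    "O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
)
EXPECTED_SDDL = (
    "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
)

# Field order of an SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "sid")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and a list of ACE dicts."""
    parts = {}
    # Components begin with O:, G:, D: or S:; split in front of each marker.
    for chunk in re.split(r"(?=[OGDS]:)", sddl):
        if chunk:
            parts[chunk[0]] = chunk[2:]
    dacl = parts.get("D", "")
    flags = dacl.split("(", 1)[0]  # e.g. "P" = protected, no inheritance from the parent
    aces = [dict(zip(ACE_FIELDS, ace.split(";")))
            for ace in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl_flags": flags, "aces": aces}


def describe_sid(sid):
    return SID_ALIASES.get(sid, sid)


def format_ace(ace):
    """Render an ACE value tuple as readable text."""
    ace_type, flags, rights, _obj, _inh, sid = ace
    return "%s %s %s for %s" % (ace_type, flags, RIGHTS.get(rights, rights), describe_sid(sid))


def diff_sddl(actual, expected):
    """Return a list of human-readable differences; an empty list means the descriptors match."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            diffs.append("%s: %s != %s" % (field, describe_sid(a[field]), describe_sid(e[field])))
    if a["dacl_flags"] != e["dacl_flags"]:
        diffs.append("dacl_flags: %s != %s" % (a["dacl_flags"], e["dacl_flags"]))
    # Compare ACEs as multisets so that ordering alone never counts as a difference,
    # but a duplicated ACE (the DA entry appears twice in both strings) is preserved.
    a_aces = Counter(tuple(ace.values()) for ace in a["aces"])
    e_aces = Counter(tuple(ace.values()) for ace in e["aces"])
    for ace in a_aces - e_aces:
        diffs.append("unexpected ACE: " + format_ace(ace))
    for ace in e_aces - a_aces:
        diffs.append("missing ACE: " + format_ace(ace))
    return diffs


if __name__ == "__main__":
    for line in diff_sddl(ONDISK_SDDL, EXPECTED_SDDL) or ["descriptors match"]:
        print(line)
```

Run against the two strings from the thread, the only difference reported is the owner (Local Administrator on disk, Domain Admins expected); every ACE in the DACL already matches, which is why `samba-tool ntacl sysvolreset` alone does not change the ACE list but the check still fails.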