[Samba] gpupdate /force not applied

L.P.H. van Belle belle at bazuin.nl
Mon Jul 30 15:18:53 UTC 2018


Hai Elias, 

Lucky you, I'm in a good mood and I'm "still" at work ;-) .. 

# Add 
[sysvol]
    acl_xattr:ignore system acls = yes 
    path = /var/lib/samba/sysvol
    read only = No

Did you set the parameter APPLY_CHANGES_DIRECT="no" to yes? If not, do it. 

Restart samba-ad-dc. 

Then go to your GPO editor in Windows and click every GPO object once. 
Some might complain about rights; that's OK, Windows will fix that. 

Should fix it. 

Greetz, 

Louis
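The [sysvol] share block in the reply above is the kind of setting a practitioner wants to verify on every DC rather than by eye. The following is an added example (my own code, not Louis's script and not part of Samba): it parses an smb.conf and reports whether the [sysvol] share carries the settings from the reply, and whether the host is actually configured as an AD DC. The two smb.conf fragments it checks are constructed after the config in this thread, once before and once after the added `acl_xattr:ignore system acls` line; the function names are my own.

```python
"""Check the [sysvol] share of an smb.conf for the settings recommended
for an AD DC.  Added example; not part of the original mail or of Samba.
The smb.conf fragments below are constructed after the thread's config."""
import configparser
import io

# What the [sysvol] share of an AD DC is expected to carry.  The
# 'acl_xattr:ignore system acls = yes' line makes Samba rely on the NT ACL
# stored in the security.NTACL xattr (what sysvolreset writes) instead of
# also evaluating the POSIX ACLs on the sysvol tree.
EXPECTED_SYSVOL = {
    "path": "/var/lib/samba/sysvol",
    "read only": "no",
    "acl_xattr:ignore system acls": "yes",
}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}} with lowercased keys.

    smb.conf keys may contain ':' (e.g. 'acl_xattr:ignore system acls'), so
    only '=' is accepted as key/value delimiter; '%m' style macros must not
    be interpolated.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   delimiters=("=",), strict=False,
                                   empty_lines_in_values=False)
    cp.read_file(io.StringIO(text))
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_sysvol_share(text):
    """Return a list of findings; an empty list means the share looks right."""
    conf = parse_smb_conf(text)
    findings = []
    role = conf.get("global", {}).get("server role") or ""
    if role.strip().lower() != "active directory domain controller":
        findings.append("server role is not 'active directory domain controller'")
    share = conf.get("sysvol")
    if share is None:
        return findings + ["no [sysvol] share defined"]
    for key, want in EXPECTED_SYSVOL.items():
        if key not in share or share[key] is None:
            findings.append(f"[sysvol] is missing '{key} = {want}'")
        elif share[key].strip().lower() != want:
            findings.append(f"[sysvol] has '{key} = {share[key]}', expected '{want}'")
    return findings


# Constructed sample modelled on the smb.conf in the question (before the fix).
BEFORE = """\
[global]
        netbios name = DC3
        realm = CAMPUS.SERTAO.IFRS.EDU.BR
        workgroup = CAMPUS
        server role = active directory domain controller

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

# The same config with the line from the reply added to the share.
AFTER = BEFORE.replace(
    "[sysvol]\n", "[sysvol]\n        acl_xattr:ignore system acls = yes\n")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label + ":", check_sysvol_share(text) or "OK")
```

Run against the "before" config it reports the single missing line; against the "after" config it reports nothing. Pointing `parse_smb_conf` at the real file is a matter of reading `/etc/samba/smb.conf` into `text`.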



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Elias Pereira via samba
> Sent: Monday 30 July 2018 16:17
> To: samba
> Subject: [Samba] gpupdate /force not applied
> 
> In principle, no changes were made that would cause this problem.
> 
> Our infrastructure has dc3 and dc4 AD DCs.
> 
> root at dc3:/etc/samba# samba -V
> Version 4.7.7-Debian (van-blle apt)
> 
> Result of gpupdate /force on a joined client computer:
> 
> C:\>gpupdate /force
> > Updating Policy...
> > User policy could not be updated successfully. The following errors were
> > encountered:
> > The processing of Group Policy failed. Windows could not determine if the
> > user and computer accounts are in the same forest. Ensure the user domain
> > name matches the name of a trusted domain that resides in the same forest
> > as the computer account.
> > Computer Policy update has completed successfully.
> > To diagnose the failure, review the event log or run GPRESULT /H
> > GPReport.html from the command line to access information about Group
> > Policy results.
> 
> 
> root at dc3:/etc/samba/scripts# cat /etc/hosts
> 127.0.0.1 localhost
> 200.xxx.xxx.160 dc3.campus.sertao.ifrs.edu.br dc3
> 200.xxx.xxx.151     puppet.sertao.ifrs.edu.br    puppet
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> root at dc3:/etc/samba/scripts# cat /etc/resolv.conf
> domain campus.sertao.ifrs.edu.br
> search campus.sertao.ifrs.edu.br
> nameserver 200.xxx.xxx.160
> 
> smb.conf
> # Global parameters
> [global]
>         netbios name = DC3
>         realm = CAMPUS.SERTAO.IFRS.EDU.BR
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = CAMPUS
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = no
>         #log file = /var/log/samba/log.%m
>         #log level = 10
>         ntlm auth = yes
>         #ntlm auth = mschapv2-and-ntlmv2-only
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> krb5.conf
> [libdefaults]
>         default_realm = CAMPUS.SERTAO.IFRS.EDU.BR
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> root at dc3:/etc/samba/scripts# ls -lah /etc/krb5.conf
> -rw-r--r-- 1 root bind 106 nov 16  2017 /etc/krb5.conf
> 
> sysvol permissions:
> root at dc3:/var/lib/samba# ls -lah
> total 1,4M
> drwxr-xr-x   8 root root          4,0K jul 30 10:03 .
> drwxr-xr-x  32 root root          4,0K jul  3 09:27 ..
> -rw-------   1 root root          412K nov  8  2017 account_policy.tdb
> -rw-------   1 root root           696 nov  8  2017 group_mapping.tdb
> drwxr-x---   2 root ntp           4,0K jul 30 10:03 ntp_signd
> drwxr-xr-x  10 root root          4,0K nov  8  2017 printers
> drwxr-xr-x   8 root root          4,0K jul 30 10:12 private
> -rw-------   1 root root          516K nov 23  2017 registry.tdb
> -rw-------   1 root root          412K jul 30 09:29 share_info.tdb
> drwxrwx---+  3 root       3000000 4,0K jul 30 09:37 sysvol
> drwxrwx--T   2 root sambashare    4,0K nov  8  2017 usershares
> -rw-------   1 root root           32K jul 30 10:11 winbindd_cache.tdb
> drwxr-x---   2 root winbindd_priv 4,0K jul 30 10:03 winbindd_privileged
> 
> samba-tool ntacl sysvolreset (sysvolcheck shows an error, but I believe
> that is normal)
> root at dc3:/var/lib/samba# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/Policies/{BE145C6B-F6FA-4772-8EE3-9C2816FF29E6}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
> samba-tool ntacl sysvolreset OK
> 
> samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes  OK
> 
> samba_dnsupdate --verbose --all-names OK
> 
> Louis's script (samba-check-set-sysvol.sh) for the sysvol check returns this
> output:
> 
> root at dc3:/etc/samba/scripts# ./samba-check-set-sysvol.sh
> 
> The sysvol ACLS info.....
> 
> Please check your share rights for sysvol from within windows.
> If these are incorrect, correct them and run this script again.
> Set your sysvol SHARE permissions as followed.
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> User/Group system is added compaired to a win2008R2 sysvol, you need this
> for some GPO settings.
> 
> Set your sysvol FOLDER permissions as followed.
> Authenticated Users: Read & Exec, Show folder content, Read
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> 
> https://wiki.samba.org/index.php/Sysvolreset
> 
> I also checked the link above and made the suggested changes, but even then
> the initial gpupdate error still occurs.
> 
> Any idea?
> 
> -- 
> Elias Pereira
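The two SDDL strings in the sysvolcheck traceback above differ in a single place, the owner field (`O:LA` on disk versus `O:DA` in the GPO object), which is hard to spot by eye in two lines of identical ACEs. The following is an added example (my own code, not part of the thread and not part of samba-tool): it parses both strings into owner, group, DACL flags and ACEs, decodes the standard SDDL SID abbreviations, inheritance flags and access masks into readable names, and prints only what differs. The two strings are copied from the traceback; the function names and the output wording are my own.

```python
"""Decode and diff the two SDDL strings from a 'samba-tool ntacl sysvolcheck'
mismatch.  Added example; not part of the original mail or of samba-tool.
The SDDL strings below are the ones printed in the question's traceback."""
import re

# Standard SDDL SID abbreviations (the subset that appears in sysvol ACLs).
SID_NAMES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "LA": "Administrator",
    "CO": "Creator Owner", "SY": "Local System", "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers", "BA": "Builtin Administrators",
}
# Access masks that sysvolreset writes for GPO directories.
MASK_NAMES = {0x001f01ff: "Full Control", 0x001200a9: "Read & Execute"}
# ACE inheritance flags, two letters each.
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit",
             "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}

SDDL_RE = re.compile(
    r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")


def parse_ace(ace):
    """Split one '(type;flags;rights;obj;inh_obj;sid)' ACE into a dict."""
    fields = ace.strip("()").split(";")
    if len(fields) != 6:
        raise ValueError(f"unexpected ACE: {ace}")
    ace_type, flags, rights, _obj, _inh_obj, sid = fields
    return {
        "type": ace_type,
        "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
        "rights": int(rights, 16) if rights.startswith("0x") else rights,
        "sid": sid,
    }


def parse_sddl(sddl):
    """Parse an 'O:..G:..D:..' SDDL string into owner, group, flags and ACEs."""
    m = SDDL_RE.fullmatch(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = re.findall(r"\([^)]*\)", m.group("aces"))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": [parse_ace(a) for a in aces]}


def name(sid):
    return f"{SID_NAMES.get(sid, sid)} ({sid})"


def describe_ace(ace):
    """Render one ACE as 'allow <who>: <rights> (<inheritance>)'."""
    rights = ace["rights"]
    if isinstance(rights, int):
        rights = MASK_NAMES.get(rights, hex(rights))
    flags = ", ".join(ACE_FLAGS.get(f, f) for f in ace["flags"]) or "no inheritance"
    kind = "allow" if ace["type"] == "A" else "deny" if ace["type"] == "D" else ace["type"]
    return f"{kind} {name(ace['sid'])}: {rights} ({flags})"


def diff_sddl(on_disk, from_gpo):
    """Return human-readable differences; an empty list means the ACLs match."""
    a, e = parse_sddl(on_disk), parse_sddl(from_gpo)
    out = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            out.append(f"{field}: {name(a[field])} on disk vs "
                       f"{name(e[field])} from the GPO object")
    if a["dacl_flags"] != e["dacl_flags"]:
        out.append(f"DACL flags: {a['dacl_flags']!r} on disk vs {e['dacl_flags']!r}")
    a_aces = [describe_ace(x) for x in a["aces"]]
    e_aces = [describe_ace(x) for x in e["aces"]]
    out += [f"ACE only on disk: {x}" for x in a_aces if x not in e_aces]
    out += [f"ACE only in GPO object: {x}" for x in e_aces if x not in a_aces]
    return out


# The two strings from the traceback in the question.
ON_DISK = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ON_DISK.replace("O:LAG:", "O:DAG:", 1)

if __name__ == "__main__":
    for line in diff_sddl(ON_DISK, EXPECTED) or ["ACLs match"]:
        print(line)
```

Run as is it prints one line, `owner: Administrator (LA) on disk vs Domain Admins (DA) from the GPO object`, which is the whole substance of the traceback. The same function is useful after a `sysvolreset` to confirm that the on-disk ACL now matches what the GPO object in the directory expects.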