[Samba] gpupdate /force not applied

Elias Pereira empbilly at gmail.com
Mon Jul 30 15:33:10 UTC 2018


Hello Louis, thanks for the quick reply!! :)

I had set up a trust relationship between our domain and another configured
domain on our network, and at first it seems that this is what caused the
GPO problem. I removed the trust and it all worked again.

In the internal tests that I had done, everything worked normally. Of course this
is different when we put it into production. :)

I know the trust is not 100%, but would you have any way to analyze these
issues and troubleshoot them?

On Mon, Jul 30, 2018 at 12:19 PM L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> Hai Elias,
>
> Lucky you, I'm in a good mood and I'm "still" at work ;-) ..
>
> # Add
> [sysvol]
>     acl_xattr:ignore system acls = yes
>     path = /var/lib/samba/sysvol
>     read only = No
>
> Did you set the parameter APPLY_CHANGES_DIRECT="no" to yes? If not, do it.
>
> Restart samba-ad-dc.
>
> Then, go to your GPO editor in Windows, and click every GPO object once.
> Some might complain about rights, that's ok, Windows will fix that.
>
> Should fix it.
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Elias Pereira via samba
> > Sent: Monday, 30 July 2018 16:17
> > To: samba
> > Subject: [Samba] gpupdate /force not applied
> >
> > In principle, no changes were made that would cause this problem.
> >
> > Our infra has two AD DCs, dc3 and dc4.
> >
> > root at dc3:/etc/samba# samba -V
> > Version 4.7.7-Debian (van-blle apt)
> >
> > Result of gpupdate /force in a joined computer client:
> >
> > C:\>gpupdate /force
> > > Updating Policy...
> > > User policy could not be updated successfully. The following errors were encountered:
> > > The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
> > > Computer Policy update has completed successfully.
> > > To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
> >
> >
> > root at dc3:/etc/samba/scripts# cat /etc/hosts
> > 127.0.0.1 localhost
> > 200.xxx.xxx.160 dc3.campus.sertao.ifrs.edu.br dc3
> > 200.xxx.xxx.151     puppet.sertao.ifrs.edu.br    puppet
> >
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
> > root at dc3:/etc/samba/scripts# cat /etc/resolv.conf
> > domain campus.sertao.ifrs.edu.br
> > search campus.sertao.ifrs.edu.br
> > nameserver 200.xxx.xxx.160
> >
> > smb.conf
> > # Global parameters
> > [global]
> >         netbios name = DC3
> >         realm = CAMPUS.SERTAO.IFRS.EDU.BR
> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >         workgroup = CAMPUS
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         ldap server require strong auth = no
> >         #log file = /var/log/samba/log.%m
> >         #log level = 10
> >         ntlm auth = yes
> >         #ntlm auth = mschapv2-and-ntlmv2-only
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> > krb5.conf
> > [libdefaults]
> >         default_realm = CAMPUS.SERTAO.IFRS.EDU.BR
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> > root at dc3:/etc/samba/scripts# ls -lah /etc/krb5.conf
> > -rw-r--r-- 1 root bind 106 nov 16  2017 /etc/krb5.conf
> >
> > sysvol permissions:
> > root at dc3:/var/lib/samba# ls -lah
> > total 1,4M
> > drwxr-xr-x   8 root root          4,0K jul 30 10:03 .
> > drwxr-xr-x  32 root root          4,0K jul  3 09:27 ..
> > -rw-------   1 root root          412K nov  8  2017 account_policy.tdb
> > -rw-------   1 root root           696 nov  8  2017 group_mapping.tdb
> > drwxr-x---   2 root ntp           4,0K jul 30 10:03 ntp_signd
> > drwxr-xr-x  10 root root          4,0K nov  8  2017 printers
> > drwxr-xr-x   8 root root          4,0K jul 30 10:12 private
> > -rw-------   1 root root          516K nov 23  2017 registry.tdb
> > -rw-------   1 root root          412K jul 30 09:29 share_info.tdb
> > drwxrwx---+  3 root       3000000 4,0K jul 30 09:37 sysvol
> > drwxrwx--T   2 root sambashare    4,0K nov  8  2017 usershares
> > -rw-------   1 root root           32K jul 30 10:11 winbindd_cache.tdb
> > drwxr-x---   2 root winbindd_priv 4,0K jul 30 10:03 winbindd_privileged
> >
> > samba-tool ntacl sysvolreset (sysvolcheck shows an error, but I believe
> > that is normal):
> > root at dc3:/var/lib/samba# samba-tool ntacl sysvolcheck
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/Policies/{BE145C6B-F6FA-4772-8EE3-9C2816FF29E6}
> > O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > does not match expected value
> > O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > from GPO object
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
> >     lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
> >     domainsid, direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
> >     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> >
> > samba-tool ntacl sysvolreset OK
> >
> > samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes  OK
> >
> > samba_dnsupdate --verbose --all-names OK
> >
> > Louis' script (samba-check-set-sysvol.sh) for the sysvol check returns this
> > output:
> >
> > root at dc3:/etc/samba/scripts# ./samba-check-set-sysvol.sh
> >
> > The sysvol ACLS info.....
> >
> > Please check your share rights for sysvol from within windows.
> > If these are incorrect, correct them and run this script again.
> > Set your sysvol SHARE permissions as followed.
> > EVERYONE: READ
> > Authenticated Users: FULL CONTROL
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > User/Group system is added compaired to a win2008R2 sysvol, you need this
> > for some GPO settings.
> >
> > Set your sysvol FOLDER permissions as followed.
> > Authenticated Users: Read & Exec, Show folder content, Read
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> >
> > https://wiki.samba.org/index.php/Sysvolreset
> >
> > I also checked the link above and made the suggested changes, but even then
> > the initial gpupdate error still occurs.
> >
> > Any idea?
> >
> > --
> > Elias Pereira
>
>
>


-- 
Elias Pereira
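The sysvolcheck error quoted in the thread is a comparison of two SDDL security descriptors. As an added example, not code from the thread or from Samba itself, this Python script parses the two strings from the mail and reports which field actually differs: only the owner (LA, the local Administrator account, instead of DA, Domain Admins), while the group and every ACE are identical. The SID abbreviation table is standard SDDL; the parser only handles the O:/G:/D: form shown on this page.

```python
import re

# The two SDDL strings printed by `samba-tool ntacl sysvolcheck` in the
# thread, rejoined from the mail's line wrapping (these are the page's values).
ACTUAL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff"
          ";;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff"
            ";;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Well-known SDDL SID abbreviations used in these descriptors.
SID_NAMES = {"LA": "local Administrator", "DA": "Domain Admins",
             "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
             "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and its ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    dacl = m.group("dacl")
    flags = dacl.split("(", 1)[0]          # e.g. "P" = protected DACL
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": flags, "aces": aces}

def sddl_diff(actual, expected):
    """Return (field, actual_value, expected_value) triples that differ."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(k, a[k], e[k]) for k in ("owner", "group", "dacl_flags")
             if a[k] != e[k]]
    extra = [ace for ace in a["aces"] if ace not in e["aces"]]
    missing = [ace for ace in e["aces"] if ace not in a["aces"]]
    if extra or missing:
        diffs.append(("aces", extra, missing))
    return diffs

def describe(diffs):
    """Human-readable lines; owner/group abbreviations are resolved."""
    name = lambda s: "%s (%s)" % (s, SID_NAMES[s]) if s in SID_NAMES else s
    return ["ACEs: extra=%r missing=%r" % (g, w) if f == "aces"
            else "%s: %s but expected %s" % (f, name(g), name(w)) for f, g, w in diffs]

if __name__ == "__main__":
    for line in describe(sddl_diff(ACTUAL, EXPECTED)):
        print(line)   # owner: LA (local Administrator) but expected DA (Domain Admins)
```

Run against a descriptor read with `samba-tool ntacl get` on another GPO directory, the same diff tells you whether it is the owner, the group or an ACE that drifted before you decide to run sysvolreset.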

