[Samba] Sysvol

L.P.H. van Belle belle at bazuin.nl
Fri May 10 10:15:48 UTC 2019


Hi Praveen,


Set these to no.
>         winbind enum users = yes
>         winbind enum groups = yes
It's only slowing down your server.
Use: getent passwd username, and you see the user's info.


> Also, how do we setup a common login script for all users. 
For sysvol/netlogon, it is important to do this in this order!

First, set this in both shares. 
        acl_xattr:ignore system acls = yes
Restart samba-ad 
Why add acl_xattr:ignore system acls? Because it gives better ACL rights and fewer Windows problems with GPOs.
And these shares are only used by Windows, so why not.


Now, set your sysvol SHARE permissions as follows, and do this from within Windows.

EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM: FULL CONTROL
The user/group SYSTEM is added compared to a Win2008R2 sysvol; you need this for some GPO settings.

Set your sysvol FOLDER permissions as follows.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM: FULL CONTROL

Then run this script. 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh 
By default it does not change anything; it creates a file you can use to set the rights for sysvol:
setfacl -R -b --modify-file default-rights-sysvol.acl /var/lib/samba/sysvol/

Now re-check the rights again from a Windows PC; if nothing has changed, then it's OK.
If it did, re-apply the rights on the share/folder again.

Test a computer: clear its event log, reboot and check, clear its event log again and reboot again.
Check again. 


And yes, correct: if you run it manually it's fine; that's because then YOU run it, not the computer.
For your Kix script, make sure you are using FQDN names and not only \\servername\..
But why Kix? Yes, it can be useful, I know Kix... but you can do almost anything with Group Policies also.

And read these; that should give you an idea what to do next.
https://mizitechinfo.wordpress.com/2013/08/06/simple-guide-implementing-group-policy-in-windows-server-2012-r2/ 
https://mizitechinfo.wordpress.com/2013/08/18/simple-guide-creating-configure-gpo-in-windows-server-2012-r2-part-2/ 

If you have multiple DCs, read:
https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

Well, good luck. 

Greetz, 

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Praveen Ghimire via samba
> Sent: Friday 10 May 2019 11:47
> To: samba at lists.samba.org
> Subject: [Samba] Sysvol
> 
> Hi,
> 
> We ran the classicupgrade today and have come across an issue 
> with sysvol. The users are getting an access denied message when 
> accessing sysvol/netlogon. Other shares are OK. The 
> administrator can access the sysvol and netlogon.
> 
> root at dozer5-ad:/var/lib/samba# ls -al
> total 67
> drwxr-xr-x   6 root root                       11 May 10 17:33 .
> drwxr-xr-x  32 root root                       32 May 10 16:29 ..
> -rw-------   1 root root                   421888 May 10 16:30 account_policy.tdb
> -rw-r--r--   1 root root                        0 May 10 16:32 dbdir
> drwxr-x---   2 root root                        3 May 10 17:33 ntp_signd
> drwxr-xr-x   8 root root                       27 May 10 19:45 private
> -rw-------   1 root root                   528384 May 10 16:30 registry.tdb
> -rw-------   1 root root                   421888 May 10 16:30 share_info.tdb
> drwxrwx---+  3 root BUILTIN\administrators      3 May 10 16:29 sysvol
> -rw-------   1 root root                    32768 May 10 19:45 winbindd_cache.tdb
> drwxr-x---   2 root root                        3 May 10 17:33 winbindd_privileged
> 
> The smb.conf is
> 
> [global]
>         workgroup = LIN
>         realm = LIN.GROUP
>         netbios name = linserver01
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/log.%m
>         log level = 4
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
>         acl allow execute always = True
>         server services = -dns
>         allow dns updates = nonsecure
> 
> 
>         full_audit:priority = notice
>         full_audit:facility = local5
>         full_audit:success = mkdir rmdir read pread write pwrite rename unlink
>         full_audit:failure = none
>         full_audit:prefix = %u|%I|%S
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/LIN.group/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> Also, how do we set up a common login script for all users? We 
> are using KIX, and if we run it manually it seems to work.
> 
> Regards,
> Praveen Ghimire
> 

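The two smb.conf changes Louis asks for (winbind enumeration off, acl_xattr:ignore system acls on the sysvol and netlogon shares) can be checked before touching the Windows-side permissions. Below is an added shell linter that is not from this thread and not Louis's samba-check-set-sysvol.sh; the key normalisation mimics how Samba matches option names (case and blanks ignored, an assumption), and both sample configs are constructed from the posted smb.conf.

```shell
# Added example, not from the thread and not Louis's samba-check-set-sysvol.sh:
# lint an smb.conf for the points in this reply. Assumes the plain "[section]" /
# "key = value" layout; keys are matched like Samba does (case and blanks ignored).
check_sysvol_conf() {   # prints one finding per line; status 0 when clean
    awk '
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                                   # comment line
    /^[ \t]*\[/ { sec = norm($0); sub(/^\[/, "", sec); sub(/].*/, "", sec); next }
    /=/ { k = $0; sub(/=.*/, "", k); v = $0; sub(/^[^=]*=/, "", v); val[sec "/" norm(k)] = norm(v) }
    END {
        bad = 0
        n = split("winbind enum users|winbind enum groups", e, "|")
        for (i = 1; i <= n; i++)
            if (val["global/" norm(e[i])] ~ /^(yes|true|on|1)$/) {
                print "[global] " e[i] " = yes only slows the DC down, set it to no"; bad = 1
            }
        n = split("sysvol|netlogon", sh, "|")
        for (i = 1; i <= n; i++) {
            p = sh[i] "/path"
            if (!(p in val)) { print "[" sh[i] "] share is not defined"; bad = 1; continue }
            if (val[sh[i] "/acl_xattr:ignoresystemacls"] !~ /^(yes|true|on|1)$/) {
                print "[" sh[i] "] needs: acl_xattr:ignore system acls = yes"; bad = 1
            }
        }
        exit bad
    }' "$1"
}
# Constructed: the relevant lines of the posted smb.conf, then the same
# shares with the settings from this reply applied.
write_posted_conf() {
    cat <<'EOF'
[global]
        winbind enum users = yes
        winbind enum groups = yes
[netlogon]
        path = /var/lib/samba/sysvol/LIN.group/scripts
[sysvol]
        path = /var/lib/samba/sysvol
EOF
}
write_fixed_conf() {
    cat <<'EOF'
[global]
        winbind enum users = no
        winbind enum groups = no
[netlogon]
        path = /var/lib/samba/sysvol/LIN.group/scripts
        acl_xattr:ignore system acls = yes
[sysvol]
        path = /var/lib/samba/sysvol
        acl_xattr:ignore system acls = yes
EOF
}
```

Run it as `check_sysvol_conf /etc/samba/smb.conf` on the DC; the posted config yields four findings, the corrected one none.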


