[Samba] GPO problem ACL permission

Epsilon Minus theepsilonminus at gmail.com
Sun May 26 18:24:19 UTC 2019


I don't know if the problem with the command samba-tool gpo aclcheck
is connected with the original problem, but it is necessary to resolve all
warnings.

I set the log level to 5 to check the report.

This is the output:


root at DC04:~# samba-tool gpo aclcheck
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain EXAMPLE.COM
finddcs: looking for SRV records for _ldap._tcp.EXAMPLE.COM
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.EXAMPLE.COM<0x0>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
ads_dns_lookup_srv: 5 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.50.58'
finddcs: DNS SRV response 1 at '192.168.50.55'
finddcs: DNS SRV response 2 at '192.168.50.56'
finddcs: DNS SRV response 3 at '192.168.50.204'
finddcs: DNS SRV response 4 at '192.168.50.57'
finddcs: performing CLDAP query on 192.168.50.58
finddcs: Found matching DC 192.168.50.58 with server_type=0x000013fd
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain EXAMPLE.COM
finddcs: looking for SRV records for _ldap._tcp.EXAMPLE.COM
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.EXAMPLE.COM<0x0>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
ads_dns_lookup_srv: 5 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.50.58'
finddcs: DNS SRV response 1 at '192.168.50.55'
finddcs: DNS SRV response 2 at '192.168.50.56'
finddcs: DNS SRV response 3 at '192.168.50.204'
finddcs: DNS SRV response 4 at '192.168.50.57'
finddcs: performing CLDAP query on 192.168.50.58
finddcs: Found matching DC 192.168.50.58 with server_type=0x000013fd
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
dc04.clinicaguemes.com.ar<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 325
Received smb_krb5 packet of length 1370
Received smb_krb5 packet of length 1348
Received smb_krb5 packet of length 1341
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
added interface eth0 ip=192.168.50.58 bcast=192.168.50.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
dc04.clinicaguemes.com.ar<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for DC04$@EXAMPLE.COM will expire in 35999 secs
Received smb_krb5 packet of length 1348
Received smb_krb5 packet of length 1341
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]

On Sun, 26 May 2019 at 14:50, Epsilon Minus
(<theepsilonminus at gmail.com>) wrote:
>
> Hello. I have a problem with GPO management. Sorry, my English is not the best.
>
> On Windows, in GPO management, the system sends me this error:
>
>
>  "The permissions for this GPO in the SYSVOL folder are inconsistent
>  with those in Active Directory. It is recommended that these permissions
>  be consistent. To change the SYSVOL permissions to those in Active
>  Directory, click OK.
>  For more information, see the Microsoft Knowledge Base article:
>  http://go.microsoft.com/fwlink/?LinkId=20066"
>
> It asks me if I want to resolve it; if I press "yes" the system prints "access denied".
>
>
>
> My smb.conf:
>
> root at DC04:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = DC04
> realm = EXAMPLE.COM
> server role = active directory domain controller
> workgroup = EXAMPLE
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = No
> dns forwarder = 8.8.8.8
> log level = 2
>
> [netlogon]
> path = /var/lib/samba/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> root at DC04:~# samba-tool ntacl sysvolreset | head -f10
> head: invalid option -- 'f'
> Try 'head --help' for more information.
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service Unknown Service (snum
> == -1)
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service Unknown Service (snum
> == -1)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service sysvol
>
> continues...
>
> I set the log level to 3
>
> root at DC04:~# samba-tool gpo aclcheck
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.EXAMPLE.COM<0x0>
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.EXAMPLE.COM<0x0>
> resolve_lmhosts: Attempting lmhosts lookup for name
> dc04.clinicaguemes.com.ar<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> dc04.clinicaguemes.com.ar<0x20>
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>
>
> I don't know how to diagnose this problem.
>
> Thanks !
>
> Epsilon
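An added diagnostic, not from the thread or from the Samba project: the traceback above dies at `ds_sd_ndr = m['nTSecurityDescriptor'][0]`, which is what happens when a groupPolicyContainer record comes back without that attribute, and the tool never says which GPO it was. This script parses LDIF as printed by `ldbsearch` and lists the DNs that lack the descriptor; the two sample records are constructed (the GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy GUIDs, the descriptor value is a placeholder).

```python
"""List Group Policy Container records that lack nTSecurityDescriptor.

Added example: parses LDIF (the format ldbsearch prints) and reports the
DNs on which m['nTSecurityDescriptor'][0] would raise KeyError.
"""
import base64

# Constructed sample: record 1 carries a (placeholder) descriptor, record 2 does not.
SAMPLE_LDIF = r"""
# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
gPCFileSysPath: \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
nTSecurityDescriptor:: cGxhY2Vob2xkZXItc2Q=

# record 2
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
gPCFileSysPath: \\example.com\sysvol\example.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
"""


def unfold(text):
    """Yield logical LDIF lines, joining folded lines that start with a space."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
        else:
            if buf is not None:
                yield buf
            buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """Return a list of records, each {attribute: [values]}; '::' values are base64-decoded."""
    records, current = [], {}
    for line in unfold(text):
        if line == "":                      # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):            # ldbsearch "# record N" comments
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" (binary attribute)
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records


def gpcs_missing_sd(ldif_text):
    """DNs of records on which the aclcheck lookup m['nTSecurityDescriptor'][0] would fail."""
    return [r["dn"][0] for r in parse_ldif(ldif_text) if "nTSecurityDescriptor" not in r]


if __name__ == "__main__":
    for dn in gpcs_missing_sd(SAMPLE_LDIF):
        print("missing nTSecurityDescriptor:", dn)
```

On the DC, feed it the output of `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=groupPolicyContainer)' nTSecurityDescriptor gPCFileSysPath` run as root; reading sam.ldb directly separates a GPC that truly has no descriptor from one whose descriptor the connecting account is not allowed to read.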


