[Samba] GPO for Computer/Machine not working
Martin Tessun
martin.tessun at gmx.de
Mon Nov 4 21:03:48 UTC 2019
On 31.10.19 18:14, Robert Marcano wrote:
> On 10/20/19 11:52 AM, Martin Tessun via samba wrote:
>> Hi all,
>>
>> I am having the same issue that is described in an older thread here:
>> https://lists.samba.org/archive/samba/2018-February/213656.html
>
>
> The description at that link says it is running Samba AD with MIT
> Kerberos. The MIT backend is experimental, and this is one of the
> problems it has: machine GPOs don't work. The NULL SID group
> membership for machines is the same symptom of a machine joined to a
> Samba AD with the MIT Kerberos backend.
>
> From where are you getting the Samba packages?
The packages are the ones shipped with openSUSE:
- samba-4.9.5+git.187.71edee57d5a-lp151.2.6.1.x86_64 (just listing this
one for reference).
Kerberos packages are the ones that are pulled in by dependency:
libndr-krb5pac0-4.9.5+git.187.71edee57d5a-lp151.2.6.1.x86_64
krb5-1.16.3-lp151.2.6.1.x86_64
krb5-server-1.16.3-lp151.2.6.1.x86_64
sssd-krb5-common-1.16.1-lp151.7.6.1.x86_64
sssd-krb5-1.16.1-lp151.7.6.1.x86_64
krb5-client-1.16.3-lp151.2.6.1.x86_64
So this looks very much like the MIT Kerberos implementation, also when
checking the rpm dependencies of the samba packages:
[snip]
libkrb5.so.3(krb5_3_MIT)(64bit)
[snip]
Thanks!
Martin
>
>>
>> The problem I am facing is that the machine accounts are not trusted
>> in the domain (this is true for all Win 10 Systems). The issue with
>> the computer is from my pov:
>>
>>
>> Folgende herausgefilterte Gruppenrichtlinien werden nicht
>> angewendet.
>> ----------------------------------------------------------------------
>> Local Admins Policy
>> Filterung: Verweigert (Sicherheit)
>>
>> Default Domain Policy
>> Filterung: Verweigert (Sicherheit)
>>
>> Richtlinien der lokalen Gruppe
>> Filterung: Nicht angewendet (Leer)
>>
>> Der Computer ist Mitglied der folgenden Sicherheitsgruppen
>> ----------------------------------------------------------
>> NULL SID
>> NETZWERK
>> Diese Organisation
>> Nicht vertrauenswürdige Verbindlichkeitsstufe
>>
>> Sorry, the Windows is German unfortunately, but what is happening is
>> mainly that the PC does not have access to the SYSVOL share, as the
>> Computer Account is not part of the correct security groups (see
>> above), but instead is part of:
>> - NULL SID
>> - NETWORK
>> - THIS ORGANISATION
>> - Untrusted Mandatory Level
>>
>> From my PoV the Computer should be part of:
>> - Authenticated Users
>> - Domain Computers
>> - High Mandatory Level
>>
>> This is not the case and the reason the machine does not get access
>> to the sysvol. This can also be seen within the details, as the
>> gpt.ini can't be accessed (Policy Version 65535):
>>
>> Verknüpfungsort ad.die-tessuns.de
>> Konfigurierte Erweiterungen {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
>> Erzwungen Nein
>> Deaktiviert Keine
>> Sicherheitsfilter NT-AUTORITÄT\Authentifizierte Benutzer
>> Revision AD (2), SYSVOL (65535)
>> WMI-Filter
>> Grund: abgelehnt Zugriff verweigert (Sicherheitsfilterung)
>>
>>
>> Whereas the User has the correct security Groups:
>>
>> Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
>> ----------------------------------------------------------
>> Domain Users
>> Jeder
>> Benutzer
>> INTERAKTIV
>> KONSOLENANMELDUNG
>> Authentifizierte Benutzer
>> Diese Organisation
>> LOKAL
>> Local Admins
>> Hohe Verbindlichkeitsstufe
>>
>> So in English:
>> - Domain Users
>> - Everyone
>> - Users
>> - INTERACTIVE
>> - Console Logon
>> - Authenticated User
>> - This Organization
>> - Local
>> - Local Admins
>> - High Mandatory Level
>>
>> Rejoining the computer does not make any difference, nor does
>> adjusting the SYSVOL permissions as described in several threads. So
>> from my pov the right thing to solve this issue is to get the
>> computer account to the correct trustlevel/security group membership.
>>
>> Unfortunately I found no way of doing so.
>>
>> So if anyone has an idea on what to do here, it would be greatly
>> appreciated. (BTW, looking at effective user rights for the SYSVOL
>> shares, the machine account <COMPUTERNAME>$ as well as SYSTEM should
>> have access rights. Unfortunately the GPO thinks otherwise.)
>>
>> Also note that Computer GPO is the only thing that is not working.
>> And I also tried all the solution proposals listed in the
>> aforementioned thread already - as expected with no success.
>>
>> Thanks!
>> Martin
>>
>
>
>
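The diagnosis in this thread hinges on which Kerberos library the Samba packages are linked against. The following shell script is an added example (not code from the thread or from the Samba project) that classifies a package's dependency list the way Martin did by hand; the `libkrb5.so.3(krb5_3_MIT)` tag is the one quoted above, while the Heimdal soname `libkrb5.so.26` and the package names tried in the live check are assumptions.

```shell
#!/bin/sh
# Classify which Kerberos implementation a Samba package depends on,
# based on the dependency list reported by the package manager.
# MIT krb5 exports the versioned symbol tag krb5_3_MIT on libkrb5.so.3
# (seen in the thread); Heimdal's libkrb5.so.26 soname is an assumption.
krb5_backend_from_requires() {
    # $1: newline-separated dependency list (output of `rpm -q --requires <pkg>`)
    if printf '%s\n' "$1" | grep -q 'libkrb5\.so\.3(krb5_3_MIT)'; then
        echo MIT
    elif printf '%s\n' "$1" | grep -Eq 'libkrb5(-samba4)?\.so\.26|heimdal'; then
        echo Heimdal
    else
        echo unknown
    fi
}

# Constructed sample mirroring the [snip]ped rpm dependency output in the thread.
SAMPLE_REQUIRES='libc.so.6()(64bit)
libkrb5.so.3()(64bit)
libkrb5.so.3(krb5_3_MIT)(64bit)
libtalloc.so.2()(64bit)'

# Live check on an RPM-based host (e.g. openSUSE); skipped where rpm is absent.
# The package names below are assumptions and may differ per distribution.
live_samba_krb5_backend() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available, skipping"; return 0; }
    for pkg in samba samba-ad-dc samba-dc; do
        deps=$(rpm -q --requires "$pkg" 2>/dev/null) || continue
        echo "$pkg: $(krb5_backend_from_requires "$deps")"
    done
}

krb5_backend_from_requires "$SAMPLE_REQUIRES"   # prints MIT for the sample
live_samba_krb5_backend
```

A result of MIT on an AD DC means the machine-GPO symptom described above is expected with that build, and the fix is a Heimdal-backed Samba build rather than SYSVOL permission changes.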