[Samba] Migrate GPO policies does not work properly.
Denis Cardon
dcardon at tranquil.it
Wed Jul 22 09:19:11 UTC 2020
Hi Robert,
>
> Sorry for my late answer. I did run the sysvolcheck/reset commands and
> everything seems fine.
>
> On my server I use the following rpm packages, installed from the
> tranquil.it repository.
>
> ldb-tools.x86_64 2.0.10-1.el7 @samba_custom
> libldb.x86_64 2.0.10-1.el7 @samba_custom
> libldb-devel.x86_64 2.0.10-1.el7 @samba_custom
> libsmbclient.x86_64 4.11.9-3.el7 @samba_custom
> libtalloc.x86_64 2.2.0-1.el7 @samba_custom
> libtalloc-devel.x86_64 2.2.0-1.el7 @samba_custom
> libtdb.x86_64 1.4.2-2.el7 @samba_custom
> libtdb-devel.x86_64 1.4.2-2.el7 @samba_custom
> libtevent.x86_64 0.10.0-1.el7 @samba_custom
> libtevent-devel.x86_64 0.10.0-1.el7 @samba_custom
> libwbclient.x86_64 4.11.9-3.el7 @samba_custom
> python3-ldb.x86_64 2.0.10-1.el7 @samba_custom
> python3-samba.x86_64 4.11.9-3.el7 @samba_custom
> python3-samba-dc.x86_64 4.11.9-3.el7 @samba_custom
> python3-talloc.x86_64 2.2.0-1.el7 @samba_custom
> python3-tdb.x86_64 1.4.2-2.el7 @samba_custom
> python3-tevent.x86_64 0.10.0-1.el7 @samba_custom
> samba.x86_64 4.11.9-3.el7 @samba_custom
> samba-client.x86_64 4.11.9-3.el7 @samba_custom
> samba-client-libs.x86_64 4.11.9-3.el7 @samba_custom
> samba-common.noarch 4.11.9-3.el7 @samba_custom
> samba-common-libs.x86_64 4.11.9-3.el7 @samba_custom
> samba-common-tools.x86_64 4.11.9-3.el7 @samba_custom
> samba-dc.x86_64 4.11.9-3.el7 @samba_custom
> samba-dc-libs.x86_64 4.11.9-3.el7 @samba_custom
> samba-libs.x86_64 4.11.9-3.el7 @samba_custom
> samba-winbind.x86_64 4.11.9-3.el7 @samba_custom
> samba-winbind-clients.x86_64 4.11.9-3.el7 @samba_custom
> samba-winbind-modules.x86_64 4.11.9-3.el7 @samba_custom
> tdb-tools.x86_64 1.4.2-2.el7 @samba_custom
>
> I use the following command to migrate my GPO policies.
>
> samba-tool gpo restore /BACKUP_PATH -U Administrator --password
> PASSWORD --tmpdir=/TMP_DIR -d 4
>
> I got some warnings in a few policies.
>
> Traceback (most recent call last):
> File "/usr/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line
> 1362, in restore_from_backup_to_local_dir
> parser.load_xml(ET.fromstring(dtd_header + data))
> File "/usr/lib64/python3.6/site-packages/samba/gp_parse/gp_pol.py",
> line 80, in load_xml
> entry.data = (u'\x00'.join(values) + u'\x00\x00').encode('utf-16le')
> TypeError: sequence item 0: expected str instance, NoneType found
> WARNING: Error during parsing for
> /var/tmp/samba_gpo_backup/policy/Windows8-10_Global_Policy/Machine/Registry.pol.xml
> WARNING: Falling back to simple copy-restore.
> WARNING: No such parser for comment.cmtx
> WARNING: Falling back to simple copy-restore.
> WARNING: No such parser for Services.xml
> WARNING: Falling back to simple copy-restore.
> WARNING: No such parser for Registry.xml
> WARNING: Falling back to simple copy-restore.

GPOs are a hard subject. There are many different types of GPO depending
on the GPO extension, and each one has its own quirks. I have seen some
cases where there are inconsistencies between the Microsoft doc about the
encoding of GPO files (between utf-8 and utf-16) and the reality.
Unfortunately English-speaking people don't see the problem, so
it is hard to get it fixed...

About GPLink, you have to see that there are 3 parts in a GPO:

* the GPO name, GUID and filter, which you can find in the LDAP tree in
  CN=Policies,CN=System,DC=,DC=
* the GPO definition (what it will do), which you can find in the SYSVOL folder
* the GPLink attribute, which says where you apply the GPO.

When you import / export GPOs you'll have to recreate the GPLink (i.e.
apply the GPO) on the OU where it has to be applied. You may have a look
here:
https://dev.tranquil.it/samba/fr/samba_fundamentals/about_gpo.html with
Google Translate's help.

Cheers,
Denis
>
> Traceback (most recent call last):
> File "/usr/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line
> 1362, in restore_from_backup_to_local_dir
> parser.load_xml(ET.fromstring(dtd_header + data))
> File "/usr/lib64/python3.6/xml/etree/ElementTree.py", line 1314, in XML
> parser.feed(text)
> File "<string>", line None
> xml.etree.ElementTree.ParseError: undefined entity: line 16, column 21
> WARNING: Error during parsing for
> /var/tmp/samba_gpo_backup/policy/msgReceiverDefault_Policy/Machine/Microsoft/Windows
> NT/SecEdit/GptTmpl.inf.xml
> WARNING: Falling back to simple copy-restore.
>
> But most of them, are successfully imported.
>
> How can I add gplink?
>
> Best,
>
> Robert
>
> On 2020. 07. 20. 15:16, Denis Cardon wrote:
>> Hi Robert,
>>
>> On 20/07/2020 at 13:28, Csorba Róbert via samba wrote:
>>> Hi,
>>>
>>> I migrated from my main domain controller. I use a CentOS 7 server
>>> with the tranquil repository.
>>>
>>> The destination server is a test environment with a different domain
>>> name but the same system specifications.
>>>
>>> I can browse the sysvol network share without any problem.
>>>
>>> If I want to check the sam.ldb file on the test server I got these
>>> errors.
>>>
>>> WARNING:Module [samba_dsdb] not found - do you need to set
>>> LDB_MODULES_PATH?
>>> Unable to load modules for /var/lib/samba/private/sam.ldb:(null)
>>> Failed to connect to /var/lib/samba/private/sam.ldb - (null)
>>
>> you can add this export to your .bashrc file:
>>
>> export LDB_MODULES_PATH=/usr/lib64/samba/ldb
>>
>> What are you trying to check?
>>
>> Did you add the gplink after migration? Did you run a ntacl
>> sysvolcheck/reset?
>>
>> Denis
>>
>>
>>>
>>> Best,
>>>
>>> Robert
>>>
>>> On 2020. 07. 17. 15:11, Rowland penny via samba wrote:
>>>> On 17/07/2020 14:00, Csorba Róbert via samba wrote:
>>>>> Hi,
>>>>>
>>>>> I successfully migrated my GPO policies in a new installation of
>>>>> domain controller.
>>>> Where did you migrate them from and to where ?
>>>>>
>>>>> After I joined a Windows 10 machine to the domain the gpupdate
>>>>> /force command printed these errors for all of my policies.
>>>>>
>>>>> filtering not applied (empty)
>>>> Sounds like a permission problem
>>>>>
>>>>> On the server side everything looks fine. I checked the tdb files
>>>>> under the /var/lib/samba/private/sam.ldb.d/ folder.
>>>>
>>>> Please do not do that, if you want to check the database, only
>>>> check /var/lib/samba/private/sam.ldb
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>>
>>>>
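
Added example, not part of the original message and not Samba code: Denis's reply above separates the GPO objects under CN=Policies,CN=System from the GPLink attribute on each container, so after a restore it is worth checking which restored GPOs actually have an enabled link. The sketch below parses gPLink values and reports GPOs with no enabled link, disabled links, and links to GUIDs that have no GPO object; the GUIDs, the domain and the function names are assumptions made for illustration.

```python
import re

# A gPLink value is a concatenation of [LDAP://<GPO DN>;<options>] entries.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_gplink(value):
    """Return [(gpo_guid, disabled, enforced)] for one gPLink attribute value."""
    links = []
    for dn, options in LINK_RE.findall(value or ""):
        guid = GUID_RE.search(dn)
        if guid:
            flags = int(options)  # bit 0: link disabled, bit 1: enforced
            links.append((guid.group(0).upper(), bool(flags & 1), bool(flags & 2)))
    return links

def audit_links(gpos, containers):
    """gpos: {upper-case GUID: display name}; containers: {container DN: gPLink}.
    Returns (not_applied, disabled, dangling)."""
    enabled, disabled, dangling = set(), [], []
    for dn, value in containers.items():
        for guid, is_disabled, _enforced in parse_gplink(value):
            if guid not in gpos:
                dangling.append((dn, guid))        # link to a GPO that does not exist
            elif is_disabled:
                disabled.append((dn, gpos[guid]))  # linked, but switched off
            else:
                enabled.add(guid)
    not_applied = sorted(n for g, n in gpos.items() if g not in enabled)
    return not_applied, disabled, dangling

# Constructed sample data: GUIDs and the domain are made up; two GPO names
# are taken from the warnings quoted in the thread.
BASE = "DC=test,DC=example,DC=com"
POLICIES = "cn=policies,cn=system," + BASE
GPOS = {
    "{AAAAAAAA-1111-1111-1111-111111111111}": "Default Domain Policy",
    "{BBBBBBBB-2222-2222-2222-222222222222}": "Windows8-10_Global_Policy",
    "{CCCCCCCC-3333-3333-3333-333333333333}": "msgReceiverDefault_Policy",
}
CONTAINERS = {
    BASE: "[LDAP://cn={aaaaaaaa-1111-1111-1111-111111111111},%s;0]" % POLICIES,
    "OU=Workstations," + BASE:
        "[LDAP://cn={BBBBBBBB-2222-2222-2222-222222222222},%s;1]"
        "[LDAP://cn={DDDDDDDD-4444-4444-4444-444444444444},%s;2]" % (POLICIES, POLICIES),
}

if __name__ == "__main__":
    print(audit_links(GPOS, CONTAINERS))
```

A GPO reported as not applied is recreated on its container with `samba-tool gpo setlink`, which is the "recreate the GPLink" step described in the reply.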