[Samba] Sysvol GPO ACLs problem

Pablo Sanz Fernández psanz at empre.es
Tue May 12 14:29:11 UTC 2020


Hi,

Hello, I have been investigating and I am afraid that our case is the same as this one:

	https://lists.samba.org/archive/samba/2017-September/210724.html

As you said, we have a problem with the gidNumber inherited from a migration from Samba 3.x NT4 to Samba 4.x AD. I have followed your suggestions, removing the gidNumber from all AD 'BUILTIN' groups, and from the 'Administrators' group as well, with the sole exception of the 'Domain Users' group. Having done so, the wbinfo command already works for those groups:

	[root@mercurio2]# wbinfo --sid-to-uid=S-1-5-32-549
	3001417

The sysvol permission correction script (samba-check-set-sysvol.sh) also runs now, but we still can't create or edit GPOs. And if we open the SYSVOL shared folder properties from a Windows computer with the 'Computer Management' MMC, in the Security tab we see the following (for as long as it stays open, because it crashes):

Everyone
S-1-22-2-544
S-1-22-2-549
CREATOR OWNER
...

What can we do to solve this?



Pablo Sanz Fernández

-----Original message-----
On 11/05/2020 12:33, Pablo Sanz Fernández wrote:
> Sorry Rowland, didn't read that part.
>
> Yes, the 'Domain Admins' group has the gidNumber attribute the value "512", and 'BUILTIN\Server Operators' value "549".

I can sort of understand why 'Domain Admins' has a gidNumber, but why 
'Server operators' ?

The only group from the Windows 'Well Known SIDs' that requires a 
gidNumber attribute is 'Domain Users'. You can give 'Domain Admins' a 
gidNumber, but there is a problem with doing that, it turns the Windows 
group into a Unix group ;-)

That might sound like it isn't a problem, except that a Windows group 
can own files and directories and a Unix group cannot, which is where we 
came in, Domain Admins needs to own things in Sysvol ;-)

I create a group (I use the imaginative name of 'Unix Admins'), give 
this group a gidNumber and make it a member of Domain Admins. Then I use 
the group wherever I would normally use Domain Admins, except for Sysvol.

Rowland
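The advice above (and the follow-up in the reply at the top of the thread) boils down to one audit: which well-known groups carry a gidNumber, and stripping it from every one except Domain Users. The script below is an added example, not something posted in the thread or shipped by Samba. It runs offline on a constructed LDIF sample that imitates what `ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=group)(gidNumber=*))' sAMAccountName objectSid gidNumber` prints on a DC; the domain name, SIDs, DNs, gid values and the sam.ldb path are all assumptions, as is the choice of `ldbmodify` as the tool that would apply the generated fix.

```shell
#!/bin/sh
# Added example: find well-known AD groups that have a gidNumber (which turns
# them into Unix groups that cannot own Sysvol objects) and generate the LDIF
# that removes it. Everything below is constructed for illustration.

# Constructed sample in the shape of ldbsearch output (assumed domain/SIDs).
# In real use: ldbsearch -H /var/lib/samba/private/sam.ldb \
#   '(&(objectClass=group)(gidNumber=*))' sAMAccountName objectSid gidNumber
SAMPLE_LDIF='dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 512

dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 513

dn: CN=Server Operators,CN=Builtin,DC=example,DC=com
sAMAccountName: Server Operators
objectSid: S-1-5-32-549
gidNumber: 549

dn: CN=Unix Admins,CN=Users,DC=example,DC=com
sAMAccountName: Unix Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10001
'

# audit_gidnumber: read LDIF on stdin and print one tab-separated line
# "dn<TAB>sAMAccountName<TAB>objectSid<TAB>gidNumber" for every group that
# is well known (BUILTIN S-1-5-32-*, or a domain group whose RID is below
# 1000) and carries a gidNumber. Domain Users (RID 513) is the one
# well-known group that must keep its gidNumber, so it is skipped.
audit_gidnumber() {
    awk '
    function emit() {
        if (name != "" && gid != "") {
            n = split(sid, p, "-"); rid = p[n] + 0
            builtin = (sid ~ /^S-1-5-32-/)
            if ((builtin || rid < 1000) && !(rid == 513 && !builtin))
                printf "%s\t%s\t%s\t%s\n", dn, name, sid, gid
        }
        dn = ""; name = ""; sid = ""; gid = ""
    }
    /^dn: /             { dn   = substr($0, 5) }
    /^sAMAccountName: / { name = substr($0, 17) }
    /^objectSid: /      { sid  = $2 }
    /^gidNumber: /      { gid  = $2 }
    /^$/                { emit() }
    END                 { emit() }'
}

# fix_ldif: turn audit_gidnumber output into a modify-LDIF that deletes the
# gidNumber attribute from each offending group. Review it, then apply with
# (assumed) ldbmodify -H /var/lib/samba/private/sam.ldb fix.ldif
fix_ldif() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r dn name sid gid; do
        printf 'dn: %s\nchangetype: modify\ndelete: gidNumber\n-\n\n' "$dn"
    done
}

# Stand-alone run: list the offenders and show the LDIF that would fix them.
printf '%s' "$SAMPLE_LDIF" | audit_gidnumber
printf '%s' "$SAMPLE_LDIF" | audit_gidnumber | fix_ldif
```

On the sample, only Domain Admins and Server Operators are reported; Domain Users keeps its gidNumber and the ordinary 'Unix Admins' group (RID 1105) is untouched, which is exactly the layout Rowland describes. Two caveats for a real run: winbind caches SID-to-gid mappings, so after removing attributes you may need to clear the cache (`net cache flush`) before `wbinfo --sid-to-uid` reflects the change; and removing the attribute does not rewrite ACLs already stored on disk. The `S-1-22-2-544` and `S-1-22-2-549` entries in the Security tab are how Samba renders a raw Unix gid (S-1-22-2-<gid>) that no longer maps to a Windows SID, so the Sysvol ACLs still have to be reset (`samba-tool ntacl sysvolreset`) once the attribute cleanup is done.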
-----Original message-----
On 11/05/2020 11:09, Pablo Sanz Fernández wrote:
> Hi Rowland.
>
> It's CentOS 6.10 with Python 2.6.6.
>
> I guess then we must update to CentOS 8 and use Python 3?

That is what I would do. As I said, your problem may have been fixed in a later version.

What you haven't answered: have you given any of the Windows groups (apart from Domain Users) a gidNumber attribute?

> We are worried about the compatibility of the latest versions of Samba and our Dell EMC Unity storage. We did have to set the smb.conf option "server schannel" to keep it working with the Samba AD. Is this smb.conf option still valid, despite the deprecation warning, in the latest Samba versions?
It was deprecated from 4.8.0, but luckily it hasn't been removed yet.

Rowland

From: Pablo Sanz Fernández
Sent: Monday, 11 May 2020 12:09
To: 'samba at lists.samba.org' <samba at lists.samba.org>
CC: 'rpenny at samba.org' <rpenny at samba.org>
Subject: RE: Sysvol GPO ACLs problem

Hi Rowland.

It's CentOS 6.10 with Python 2.6.6.

I guess then we must update to CentOS 8 and use Python 3?

We are worried about the compatibility of the latest versions of Samba and our Dell EMC Unity storage. We did have to set the smb.conf option "server schannel" to keep it working with the Samba AD. Is this smb.conf option still valid, despite the deprecation warning, in the latest Samba versions?

Regards,

Pablo Sanz Fernández

On 11/05/2020 08:31, Pablo Sanz Fernández via samba wrote:
> Hi,
>
> We are having problems with sysvol AD shared folder in a Samba 4.9.13 AD.
>
> It has been running smoothly until recently, and we don't know how to fix it. We detected the problem trying to create a new AD GPO; it fails with the message (sorry, we have Windows in Spanish, so this is not a literal translation): "this security identifier cannot be assigned as object owner".
>
> If we execute in the linux DC a sysvol check (samba-tool ntacl sysvolcheck), we get this error:
>
> # samba-tool ntacl sysvolcheck
> O:LAG:DAD:P does not match expected value O:DAG:DAD:P
I have stripped that down to the difference, have you given the Domain Admins group a gidNumber attribute ?
>
>
> And, if we execute a sysvol acl reset, we get this:
>
> # samba-tool ntacl sysvolreset
> WARNING: The "server schannel" option is deprecated
> WARNING: The "server schannel" option is deprecated 
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13) Please read the 
> Trouble-Shooting section of the Samba HOWTO 
> ===============================================================
> PANIC (pid 22555): internal error
It shouldn't panic
> We also tried to use the sysvol repair permissions script (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):
>
> # /usr/oper/samba-check-set-sysvol.sh
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid S-1-5-32-549 to uid
Hmm, have you also given 'BUILTIN\Server Operators' a gidNumber ?
> Please, do you know how to fix this, or at least where to begin?

What OS is this?

4.9.x is EOL as far as Samba is concerned, so can you upgrade Samba? Your problem may already have been fixed.

Rowland