[Samba] Sysvol GPO ACLs problem
L.P.H. van Belle
belle at bazuin.nl
Tue May 12 14:47:55 UTC 2020
Hai,
Which samba version is this exactly because there is a bug on this.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Pablo Sanz Fernández via samba
> Sent: Tuesday 12 May 2020 16:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol GPO ACLs problem
>
> Hi,
>
> Hello, I have been investigating and I am afraid that our
> case is the same as this one:
>
> https://lists.samba.org/archive/samba/2017-September/210724.html
>
> As you said, we have a problem with the gidNumber inherited
> from a migration from samba 3.x NT4 to samba 4.x AD. I have
> followed your prompts, removing the gidNumber from all AD
> 'BUILTIN' groups, in addition to the 'Administrators' group,
> with the sole exception of the 'Domain Users' group. With that
> done, the wbinfo command already works for those groups:
>
> [root at mercurio2]# wbinfo --sid-to-uid=S-1-5-32-549
> 3001417
>
> And so does the sysvol permission correction script
> (samba-check-set-sysvol.sh), but we still can't create or
> edit GPOs. And if we open the SYSVOL shared folder properties
> from a Windows computer, with the 'Computer Management' MMC,
> in the Security tab we see (while it stays open, because it crashes):
>
> Everyone
> S-1-22-2-544
> S-1-22-2-549
> CREATOR OWNER
> .
> .
> .
>
> What can we do to solve this?
>
>
>
> Pablo Sanz Fernández
>
> -----Original message-----
> On 11/05/2020 12:33, Pablo Sanz Fernández wrote:
> > Sorry Rowland, didn't read that part.
> >
> > Yes, the 'Domain Admins' group has the gidNumber attribute
> the value "512", and 'BUILTIN\Server Operators' value "549".
>
> I can sort of understand why 'Domain Admins' has a gidNumber, but why
> 'Server operators' ?
>
> The only group from the Windows 'Well Known SIDs' that requires a
> gidNumber attribute is 'Domain Users'. You can give 'Domain Admins' a
> gidNumber, but there is a problem with doing that, it turns
> the Windows
> group into a Unix group ;-)
>
> That might sound like it isn't a problem, except that a Windows group
> can own files and directories and a Unix group cannot, which
> is where we
> came in, Domain Admins needs to own things in Sysvol ;-)
>
> I create a group (I use the imaginative name of 'Unix Admins'), give
> this group a gidNumber and make it a member of Domain Admins.
> Then I use
> the group wherever I would normally use Domain Admins, except
> for Sysvol.
>
> Rowland
> -----Original message-----
> On 11/05/2020 11:09, Pablo Sanz Fernández wrote:
> > Hi Rowland.
> >
> > It's CentOS 6.10 with Python 2.6.6.
> >
> > I guess then we must update to CentOS 8 and use Python 3?
>
> That is what I would do. As I said, your problem may have
> been fixed in a later version.
>
> What you haven't answered, have you given any of the Windows
> groups (apart from Domain Users) a gidNumber attribute ?
>
> > We are worried about the compatibility of the latest versions of
> Samba and our Dell EMC Unity storage. We did have to set the
> smb.conf option "server schannel" to keep it working with the
> samba AD. Is this smb.conf option still valid, despite the
> deprecation warning, in the latest samba versions?
> It was deprecated from 4.8.0, but luckily it hasn't been removed yet.
>
> Rowland
>
> From: Pablo Sanz Fernández
> Sent: Monday, 11 May 2020 12:09
> To: 'samba at lists.samba.org' <samba at lists.samba.org>
> CC: 'rpenny at samba.org' <rpenny at samba.org>
> Subject: RE: Sysvol GPO ACLs problem
>
> Hi Rowland.
>
> It's CentOS 6.10 with Python 2.6.6.
>
> I guess then we must update to CentOS 8 and use Python 3?
>
> We are worried about the compatibility of the latest versions of
> Samba and our Dell EMC Unity storage. We did have to set the
> smb.conf option "server schannel" to keep it working with the
> samba AD. Is this smb.conf option still valid, despite the
> deprecation warning, in the latest samba versions?
>
> Regards,
>
> Pablo Sanz Fernández
>
> On 11/05/2020 08:31, Pablo Sanz Fernández via samba wrote:
> > Hi,
> >
> > We are having problems with sysvol AD shared folder in a
> Samba 4.9.13 AD.
> >
> > It has been running smoothly until recently, and we don't know
> how to fix it. We detected the problem trying to create a new
> AD GPO, it fails with the message (sorry, we have windows in
> Spanish, it's not literal translation): "this security
> identifier cannot be assigned as object owner".
> >
> > If we execute in the linux DC a sysvol check (samba-tool
> ntacl sysvolcheck), we get this error:
> >
> > [root at mercurio2 ~]# samba-tool ntacl sysvolcheck
> > O:LAG:DAD:P does not match expected value O:DAG:DAD:P
> I have stripped that down to the difference, have you given
> the Domain Admins group a gidNumber attribute ?
> >
> >
> > And, if we execute a sysvol acl reset, we get this:
> >
> > [root at mercurio2 ~]# samba-tool ntacl sysvolreset
> > WARNING: The "server schannel" option is deprecated
> > WARNING: The "server schannel" option is deprecated
> > ===============================================================
> > INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13) Please read the
> > Trouble-Shooting section of the Samba HOWTO
> > ===============================================================
> > PANIC (pid 22555): internal error
> It shouldn't panic
> > We also tried to use the sysvol repair permissions script
> > (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):
> >
> > [root at mercurio2 ~]# /usr/oper/samba-check-set-sysvol.sh
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not convert sid S-1-5-32-549 to uid
> Hmm, have you also given 'BUILTIN\Server Operators' a gidNumber ?
> > Please, do you know how to fix this, or at least where to begin?
>
> What OS is this ?
>
> 4.9.x is EOL as far as Samba is concerned, so can you upgrade Samba ?
> your problem may already have been fixed.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
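The question Rowland keeps coming back to in the thread is "which Windows groups, apart from Domain Users, have a gidNumber?", and Pablo's fix was to strip it from the BUILTIN groups and from Administrators. The script below is an added example, not code from the thread or from the Samba project: it audits ldbsearch output for well-known groups that carry a gidNumber and emits the ldbmodify LDIF that removes it. The sample LDIF is constructed for illustration (the domain SID, DNs and the 'Unix Admins' gid are invented), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): audit a Samba AD DC
# for well-known Windows groups that carry a gidNumber, and emit the LDIF that
# strips it. Only 'Domain Users' (RID 513) is expected to keep one; a group that
# owns files in Sysvol (Domain Admins, BUILTIN\Administrators, ...) must not.

# Constructed sample, shaped like the output of:
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     '(&(objectClass=group)(gidNumber=*))' sAMAccountName objectSid gidNumber
SAMPLE_LDIF='dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 513

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111-2222-3333-512
gidNumber: 512

dn: CN=Server Operators,CN=Builtin,DC=example,DC=com
sAMAccountName: Server Operators
objectSid: S-1-5-32-549
gidNumber: 549

dn: CN=Unix Admins,CN=Users,DC=example,DC=com
sAMAccountName: Unix Admins
objectSid: S-1-5-21-1111-2222-3333-1105
gidNumber: 10000
'

# Print "dn|sAMAccountName|objectSid|gidNumber" for every group that has a
# gidNumber and is either a BUILTIN group (S-1-5-32-*) or a domain group with a
# well-known RID (< 1000), except Domain Users (RID 513). Ordinary groups such
# as the 'Unix Admins' group (RID >= 1000) are left alone.
suspect_gid_groups() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (gid != "" && sid != "") {
        n = split(sid, p, "-"); rid = p[n] + 0
        builtin = (sid ~ /^S-1-5-32-/)
        if ((builtin || rid < 1000) && rid != 513)
          print dn "|" name "|" sid "|" gid
      }
      dn = name = sid = gid = ""
    }
    /^dn:/             { flush(); dn = substr($0, 5) }
    /^sAMAccountName:/ { name = substr($0, 17) }
    /^objectSid:/      { sid = $2 }
    /^gidNumber:/      { gid = $2 }
    END                { flush() }'
}

# Number of suspect groups; 0 means the DC is clean on this point.
suspect_gid_count() {
  suspect_gid_groups "$1" | grep -c . || true
}

# Emit one changetype:modify record per suspect group. Review the output, then
# apply it with:  ldbmodify -H /var/lib/samba/private/sam.ldb fix-gid.ldif
# and re-run:     samba-tool ntacl sysvolreset && samba-tool ntacl sysvolcheck
remove_gid_ldif() {
  suspect_gid_groups "$1" | while IFS='|' read -r dn name sid gid; do
    printf 'dn: %s\nchangetype: modify\ndelete: gidNumber\n-\n\n' "$dn"
  done
}

# Rowland's pattern from the thread, as samba-tool commands (the gid 10000 and
# the NIS domain name are placeholders): give the Unix-side admins their own
# group and nest it in Domain Admins instead of giving Domain Admins a gidNumber.
#   samba-tool group add "Unix Admins" --gid-number=10000 --nis-domain=example
#   samba-tool group addmembers "Domain Admins" "Unix Admins"

if [ "${1:-}" = "--demo" ]; then
  echo "Suspect groups:"; suspect_gid_groups "$SAMPLE_LDIF"
  echo; echo "LDIF to apply:"; remove_gid_ldif "$SAMPLE_LDIF"
fi
```

On a real DC, feed the script the ldbsearch output instead of SAMPLE_LDIF and read the LDIF before applying it; after the gidNumber is gone, `wbinfo --sid-to-uid=S-1-5-32-549` and the sysvol check are the confirmation, as in Pablo's follow-up.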