[Samba] Sysvol GPO ACLs problem

Pablo Sanz Fernández psanz at empre.es
Tue May 12 15:01:13 UTC 2020


Samba 4.9.13 on CentOS 6.10.

Pablo Sanz Fernández


-----Original message-----

Hai, 

Which samba version is this exactly because there is a bug on this.


Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Pablo Sanz Fernández via samba
> Sent: Tuesday 12 May 2020 16:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol GPO ACLs problem
> 
> Hi,
> 
> Hello, I have been investigating and I am afraid that our 
> case is the same as this one:
> 
> 	https://lists.samba.org/archive/samba/2017-September/210724.html
> 
> As you said, we have a problem with the gidNumber inherited 
> from a migration from samba 3.x NT4 to samba 4.x AD. I have 
> followed your prompts, removing the gidNumber from all AD 
> 'BUILTIN' groups, in addition to the 'Administrators' group, 
> with the sole exception of the 'Domain Users' group. Having done 
> so, the wbinfo command already works for those groups:
> 
> 	[root at mercurio2]# wbinfo --sid-to-uid=S-1-5-32-549
> 	3001417	
> 
> And so does the sysvol permission correction script 
> (samba-check-set-sysvol.sh), but we still can't create or 
> edit GPOs. And if we open the SYSVOL shared folder properties 
> from a Windows computer, with the 'Computer Management' MMC, 
> in the Security tab we see this while it stays open, because it crashes:
> 
> Everyone
> S-1-22-2-544
> S-1-22-2-549
> CREATOR OWNER
> .
> .
> .
> 
> What can we do to solve this?
> 
> 
> 
> Pablo Sanz Fernández
> 
> -----Original message-----
> On 11/05/2020 12:33, Pablo Sanz Fernández wrote:
> > Sorry Rowland, didn't read that part.
> >
> > Yes, the 'Domain Admins' group has the gidNumber attribute 
> the value "512", and 'BUILTIN\Server Operators' value "549".
> 
> I can sort of understand why 'Domain Admins' has a gidNumber, but why 
> 'Server operators' ?
> 
> The only group from the Windows 'Well Known SIDs' that requires a 
> gidNumber attribute is 'Domain Users'. You can give 'Domain Admins' a 
> gidNumber, but there is a problem with doing that, it turns 
> the Windows 
> group into a Unix group ;-)
> 
> That might sound like it isn't a problem, except that a Windows group 
> can own files and directories and a Unix group cannot, which 
> is where we 
> came in, Domain Admins needs to own things in Sysvol ;-)
> 
> I create a group (I use the imaginative name of 'Unix Admins'), give 
> this group a gidNumber and make it a member of Domain Admins. 
> Then I use 
> the group wherever I would normally use Domain Admins, except 
> for Sysvol.
> 
> Rowland
> -----Original message-----
> On 11/05/2020 11:09, Pablo Sanz Fernández wrote:
> > Hi Rowland.
> >
> > It's CentOS 6.10 with Python 2.6.6.
> >
> > I guess then we must update to CentOS 8 and use Python 3?
> 
> That is what I would do. As I said, your problem may have 
> been fixed in a later version.
> 
> What you haven't answered, have you given any of the Windows 
> groups (apart from Domain Users) a gidNumber attribute?
> 
> > We are worried about the compatibility of the latest versions of 
> Samba and our Dell EMC Unity storage. We did have to put the 
> smb.conf option "server schannel" to keep it working with the 
> samba AD. Is this smb.conf option still valid, despite the 
> deprecation warning, in the latest samba versions?
> It was deprecated from 4.8.0, but luckily it hasn't been removed yet.
> 
> Rowland
> 
> From: Pablo Sanz Fernández
> Sent: Monday, 11 May 2020 12:09
> To: 'samba at lists.samba.org' <samba at lists.samba.org>
> CC: 'rpenny at samba.org' <rpenny at samba.org>
> Subject: RE: Sysvol GPO ACLs problem
> 
> Hi Rowland.
> 
> It's CentOS 6.10 with Python 2.6.6.
> 
> I guess then we must update to CentOS 8 and use Python 3?
> 
> We are worried about the compatibility of the latest versions of 
> Samba and our Dell EMC Unity storage. We did have to put the 
> smb.conf option "server schannel" to keep it working with the 
> samba AD. Is this smb.conf option still valid, despite the 
> deprecation warning, in the latest samba versions?
> 
> Regards,
> 
> Pablo Sanz Fernández
> 
> On 11/05/2020 08:31, Pablo Sanz Fernández via samba wrote:
> > Hi,
> >
> > We are having problems with sysvol AD shared folder in a 
> Samba 4.9.13 AD.
> >
> > It has been running smoothly until recently, and we don't know 
> how to fix it. We detected the problem trying to create a new 
> AD GPO; it fails with the message (sorry, we have Windows in 
> Spanish, it's not a literal translation): "this security 
> identifier cannot be assigned as object owner".
> >
> > If we execute a sysvol check (samba-tool ntacl sysvolcheck) 
> on the Linux DC, we get this error:
> >
> > [https://lists.samba.org/mailman/listinfo/samba ~]# samba-tool ntacl sysvolcheck
> > O:LAG:DAD:P does not match expected value O:DAG:DAD:P
> I have stripped that down to the difference, have you given 
> the Domain Admins group a gidNumber attribute?
> >
> >
> > And, if we execute a sysvol acl reset, we get this:
> >
> > [https://lists.samba.org/mailman/listinfo/samba ~]# samba-tool ntacl sysvolreset
> > WARNING: The "server schannel" option is deprecated
> > WARNING: The "server schannel" option is deprecated 
> > ===============================================================
> > INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13) Please read the 
> > Trouble-Shooting section of the Samba HOWTO 
> > ===============================================================
> > PANIC (pid 22555): internal error
> It shouldn't panic
> > We also tried to use the sysvol repair permissions script 
> (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):
> >
> > [https://lists.samba.org/mailman/listinfo/samba ~]# /usr/oper/samba-check-set-sysvol.sh
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid S-1-5-32-549 to uid
> Hmm, have you also given 'BUILTIN\Server Operators' a gidNumber?
> > Please, do you know how to fix this, or at least where to begin?
> 
> What OS is this ?
> 
> 4.9.x is EOL as far as Samba is concerned, so can you upgrade Samba? 
> Your problem may already have been fixed.
> 
> Rowland
> 
> 

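Added example, not part of the thread and not Samba project code: a small Python audit that reads ldbsearch-style LDIF for the domain's groups and lists the Windows well-known groups carrying a gidNumber, which by Rowland's advice should be only 'Domain Users'. The LDIF sample, domain SID and DNs are constructed, and the ldbsearch invocation in the comment is the assumed way to produce real input.

```python
# Added example (not from the thread): list the Windows well-known groups that carry a
# gidNumber, from LDIF such as (assumed invocation) `ldbsearch -H /var/lib/samba/private/sam.ldb
# '(objectClass=group)' sAMAccountName objectSid gidNumber`. Per Rowland, only 'Domain Users' should.
import re

DOMAIN_USERS_RID = 513
SID_RE = re.compile(r"^S-1-5-(?:32|21-\d+-\d+-\d+)-(\d+)$")  # BUILTIN or domain SID

def parse_ldif(text):
    """Minimal LDIF reader (no folded or base64 lines): one dict per entry, keys lowercased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = (ln.partition(":") for ln in block.splitlines()
                 if ln.strip() and not ln.startswith("#"))
        entries.append({a.strip().lower(): v.strip() for a, _, v in attrs})
    return entries

def well_known_rid(sid):
    """RID for BUILTIN (S-1-5-32-*) groups or domain groups with RID < 1000, else None."""
    m = SID_RE.match(sid)
    rid = int(m.group(1)) if m else None
    return rid if m and (sid.startswith("S-1-5-32-") or rid < 1000) else None

def gid_offenders(ldif_text):
    """(sAMAccountName, SID, gidNumber) of well-known groups, other than Domain Users,
    that carry a gidNumber: the ones Rowland's advice says to strip it from."""
    found = []
    for e in parse_ldif(ldif_text):
        rid = well_known_rid(e.get("objectsid", ""))
        if rid is None or rid == DOMAIN_USERS_RID or "gidnumber" not in e:
            continue
        found.append((e.get("samaccountname", "?"), e["objectsid"], int(e["gidnumber"])))
    return found

# Constructed sample: the domain SID is made up; it mirrors the situation in the thread.
SAMPLE_LDIF = """\
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1-2-3-512
gidNumber: 512

sAMAccountName: Domain Users
objectSid: S-1-5-21-1-2-3-513
gidNumber: 513

sAMAccountName: Server Operators
objectSid: S-1-5-32-549
gidNumber: 549
"""
```

Running `gid_offenders` over real ldbsearch output reports exactly the groups whose gidNumber turns them into Unix groups, so they can be cleaned up before rerunning sysvolcheck.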