[Samba] Sysvol GPO ACLs problem (SOLVED)

Pablo Sanz psanz at empre.es
Tue May 19 16:12:40 UTC 2020


Hi,

We have solved the problem and the command 'samba-tool ntacl sysvolreset' is working correctly again. We have been able to reset the SYSVOL permissions and the AD GPOs are working again.

The problem is that if we have the audit options active in the smb.conf, that command stops working. We don't know why. If we temporarily remove them, it works.

I know that we have an old version of CentOS, with Python 2.6.6. As soon as we can we will migrate to CentOS 8 and Samba 4.12.

Regards,
Pablo Sanz

-----Original message-----

>Samba 4.9.13 on CentOS 6.10.
>
>Pablo Sanz Fernández
>
>
>-----Original message-----
>
>Hai, 
>
>Which Samba version is this exactly, because there is a bug on this.
>
>
>Greetz, 
>
>Louis
>
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Pablo Sanz Fernández via samba
> Sent: Tuesday, 12 May 2020 16:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol GPO ACLs problem
> 
> Hi,
> 
> Hello, I have been investigating and I am afraid that our 
> case is the same as this one:
> 
> 	https://lists.samba.org/archive/samba/2017-September/210724.html
> 
> As you said, we have a problem with the gidNumber inherited 
> from a migration from Samba 3.x NT4 to Samba 4.x AD. I have 
> followed your prompts, removing the gidNumber from all AD 
> 'BUILTIN' groups, as well as from the 'Administrators' group, 
> with the sole exception of the 'Domain Users' group. Having done 
> so, the wbinfo command already works for those groups:
> 
> 	[root at mercurio2]# wbinfo --sid-to-uid=S-1-5-32-549
> 	3001417	
> 
> So does the sysvol permission correction script 
> (samba-check-set-sysvol.sh), but we still can't create or 
> edit GPOs. And if we open the SYSVOL shared folder properties 
> from a Windows computer with the 'Computer Management' MMC, 
> in the Security tab we see the following, while it stays open, because it crashes:
> 
> Everyone
> S-1-22-2-544
> S-1-22-2-549
> CREATOR OWNER
> .
> .
> .
> 
> What can we do to solve this?
> 
> 
> 
> Pablo Sanz Fernández
> 
> -----Original message-----
> On 11/05/2020 12:33, Pablo Sanz Fernández wrote:
> > Sorry Rowland, didn't read that part.
> >
> > Yes, the 'Domain Admins' group has the gidNumber attribute 
> the value "512", and 'BUILTIN\Server Operators' value "549".
> 
> I can sort of understand why 'Domain Admins' has a gidNumber, but why 
> 'Server operators' ?
> 
> The only group from the Windows 'Well Known SIDs' that requires a 
> gidNumber attribute is 'Domain Users'. You can give 'Domain Admins' a 
> gidNumber, but there is a problem with doing that, it turns 
> the Windows 
> group into a Unix group ;-)
> 
> That might sound like it isn't a problem, except that a Windows group 
> can own files and directories and a Unix group cannot, which 
> is where we 
> came in, Domain Admins needs to own things in Sysvol ;-)
> 
> I create a group (I use the imaginative name of 'Unix Admins'), give 
> this group a gidNumber and make it a member of Domain Admins. 
> Then I use 
> the group wherever I would normally use Domain Admins, except 
> for Sysvol.
> 
> Rowland
> -----Original message-----
> On 11/05/2020 11:09, Pablo Sanz Fernández wrote:
> > Hi Rowland.
> >
> > It's CentOS 6.10 with Python 2.6.6.
> >
> > I guess then we must update to CentOS 8 and use Python 3?
> 
> That is what I would do. As I said, your problem may have 
> been fixed in a later version.
> 
> What you haven't answered, have you given any of the Windows 
> groups (apart from Domain Users) a gidNumber attribute ?
> 
> > We are worried about the compatibility of the latest versions of 
> Samba and our Dell EMC Unity storage. We did have to set the 
> smb.conf option "server schannel" to keep it working with the 
> Samba AD. Is this smb.conf option still valid, despite the 
> deprecation warning, in the latest Samba versions?
> 
> It was deprecated from 4.8.0, but luckily it hasn't been removed yet.
> 
> Rowland
> 
> From: Pablo Sanz Fernández
> Sent: Monday, 11 May 2020 12:09
> To: 'samba at lists.samba.org' <samba at lists.samba.org>
> CC: 'rpenny at samba.org' <rpenny at samba.org>
> Subject: RE: Sysvol GPO ACLs problem
> 
> Hi Rowland.
> 
> It's CentOS 6.10 with Python 2.6.6.
> 
> I guess then we must update to CentOS 8 and use Python 3?
> 
> We are worried about the compatibility of the latest versions of 
> Samba and our Dell EMC Unity storage. We did have to set the 
> smb.conf option "server schannel" to keep it working with the 
> Samba AD. Is this smb.conf option still valid, despite the 
> deprecation warning, in the latest Samba versions?
> 
> Regards,
> 
> Pablo Sanz Fernández
> 
> On 11/05/2020 08:31, Pablo Sanz Fernández via samba wrote:
> > Hi,
> >
> > We are having problems with sysvol AD shared folder in a 
> Samba 4.9.13 AD.
> >
> > Has been running smoothly until recently, and we don't know 
> how to fix it. We detected the problem trying to create a new 
> AD GPO, it fails with the message (sorry, we have windows in 
> Spanish, it's not literal translation): "this security 
> identifier cannot be assigned as object owner".
> >
> > If we execute in the linux DC a sysvol check (samba-tool 
> ntacl sysvolcheck), we get this error:
> >
> > [https://lists.samba.org/mailman/listinfo/samba ~]# samba-tool ntacl sysvolcheck
> > O:LAG:DAD:P does not match expected value O:DAG:DAD:P
> 
> I have stripped that down to the difference, have you given 
> the Domain Admins group a gidNumber attribute ?
> >
> >
> > And, if we execute a sysvol acl reset, we get this:
> >
> > [https://lists.samba.org/mailman/listinfo/samba ~]# samba-tool ntacl sysvolreset
> > WARNING: The "server schannel" option is deprecated
> > WARNING: The "server schannel" option is deprecated
> > ===============================================================
> > INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13) Please read the
> > Trouble-Shooting section of the Samba HOWTO
> > ===============================================================
> > PANIC (pid 22555): internal error
> 
> It shouldn't panic
> > We also tried to use the sysvol repair permissions script 
> > (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):
> >
> > [https://lists.samba.org/mailman/listinfo/samba ~]# /usr/oper/samba-check-set-sysvol.sh
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert 
> > sid S-1-5-32-549 to uid
> 
> Hmm, have you also given 'BUILTIN\Server Operators' a gidNumber ?
> > Please, do you know how to fix this, or at least where to begin?
> 
> What OS is this ?
> 
> 4.9.x is EOL as far as Samba is concerned, so can you upgrade Samba? 
> Your problem may already have been fixed.
> 
> Rowland
> 
> 
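The thread turns on two checks: which well-known groups carry a gidNumber (Rowland's advice is that only Domain Users should), and what the `sysvolcheck` mismatch `O:LAG:DAD:P` vs `O:DAG:DAD:P` actually says. The script below is an added example, not code from the thread, from Samba or from the thctlo script; it parses LDIF-style output of the kind `ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=group)(gidNumber=*))' sAMAccountName objectSid gidNumber` prints, flags well-known groups that have a gidNumber, and explains which part of the SDDL differs. The sample LDIF, the domain SID and the 'Unix Admins' gidNumber in it are constructed for the example.

```python
"""Audit gidNumber on well-known AD groups and explain a sysvolcheck SDDL mismatch.

Added example; parses ldbsearch-style LDIF (attribute: value lines, entries
separated by blank lines). The sample data below is constructed.
"""
import re

# Well-known RIDs of domain-relative groups (S-1-5-21-<domain>-<RID>).
DOMAIN_RIDS = {
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
}
# Well-known RIDs under the BUILTIN authority (S-1-5-32-<RID>).
BUILTIN_RIDS = {
    544: "Administrators", 545: "Users", 548: "Account Operators",
    549: "Server Operators", 550: "Print Operators", 551: "Backup Operators",
}
# Per the advice in the thread: the only well-known group that needs a gidNumber.
GID_ALLOWED = {"Domain Users"}

# Two-letter SDDL aliases seen in the sysvolcheck message.
SDDL_ALIASES = {"LA": "Administrator account (RID 500)", "DA": "Domain Admins (RID 512)",
                "BA": "BUILTIN\\Administrators", "SY": "SYSTEM", "AU": "Authenticated Users",
                "WD": "Everyone", "CO": "CREATOR OWNER"}

# Constructed sample: what ldbsearch might print for groups that have a gidNumber.
SAMPLE_LDIF = """\
# record 1
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 512

# record 2
dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 513

# record 3
dn: CN=Server Operators,CN=Builtin,DC=example,DC=com
sAMAccountName: Server Operators
objectSid: S-1-5-32-549
gidNumber: 549

# record 4
dn: CN=Unix Admins,CN=Users,DC=example,DC=com
sAMAccountName: Unix Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10000
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of {attr: [values]} dicts.

    Skips '#' comments and joins RFC 2849 continuation lines (leading space).
    Base64 ('::') values are not decoded; ldbsearch prints objectSid as text.
    """
    entries, cur, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:  # continuation of previous value
            cur[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        cur.setdefault(last_attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def well_known_name(sid):
    """Return the well-known group name for a SID, or None for an ordinary group."""
    m = re.fullmatch(r"S-1-5-32-(\d+)", sid)
    if m:
        return BUILTIN_RIDS.get(int(m.group(1)))
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m:
        return DOMAIN_RIDS.get(int(m.group(1)))
    return None


def find_offending_groups(ldif_text):
    """Well-known groups that carry a gidNumber, except Domain Users."""
    findings = []
    for e in parse_ldif(ldif_text):
        if "gidNumber" not in e or "objectSid" not in e:
            continue
        sid = e["objectSid"][0]
        name = well_known_name(sid)
        if name is None or name in GID_ALLOWED:
            continue  # ordinary Unix-enabled group, or Domain Users: fine
        findings.append((e.get("sAMAccountName", [name])[0], sid, int(e["gidNumber"][0])))
    return findings


def sddl_mismatches(actual, expected):
    """Compare the O: (owner) and G: (group) parts of two SDDL strings.

    Returns (part, actual_alias, expected_alias) for each part that differs.
    """
    pat = re.compile(r"^O:(?P<owner>.*?)G:(?P<group>.*?)(?:D:|$)")
    a, x = pat.match(actual), pat.match(expected)
    if not (a and x):
        raise ValueError("not an SDDL string with owner and group")
    return [(p, a.group(p), x.group(p)) for p in ("owner", "group")
            if a.group(p) != x.group(p)]


if __name__ == "__main__":
    for name, sid, gid in find_offending_groups(SAMPLE_LDIF):
        print(f"remove gidNumber {gid} from well-known group '{name}' ({sid})")
    for part, got, want in sddl_mismatches("O:LAG:DAD:P", "O:DAG:DAD:P"):
        print(f"{part}: is {SDDL_ALIASES.get(got, got)}, expected {SDDL_ALIASES.get(want, want)}")
```

On the sample data this reports Domain Admins and BUILTIN\Server Operators as carrying a gidNumber they should not have, leaves Domain Users and the ordinary 'Unix Admins' group alone, and reads the sysvolcheck line as "owner is the Administrator account, expected Domain Admins", which is the ownership problem Rowland describes.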