[Samba] GPO Editor says "Access denied" for Group Policy Objects
Jakob Curdes
jc at info-systems.de
Thu Apr 25 17:32:26 UTC 2024
Hello Rowland, Luis, all,
Am 25.04.2024 um 18:56 schrieb Rowland Penny via samba:
>> The group ID of the sysvol entry is "3000000", while on the domain
>> member, the Domain Admin group has the group ID "300512".
> Hmm, If you are using rfc2307 attributes, how can the group have the ID
> 3000000 on a DC (which I would expect), but 300512 on a Unix domain
> member ?
> Can we see the smb.conf from the Unix domain member ?
>
> The thing with AD and sysvol is that Domain Admins must own things in
> sysvol and normally a Unix group cannot own anything, only Unix users
> can do this. So, by default on a Samba AD DC, Domain Admins is both a
> group and a user (this is set in idmap.ldb on the DC, where Domain
> Admins is classified as ID_TYPE_BOTH). If you give Domain Admins a
> gidNumber attribute, it breaks this and it just becomes a Unix group
> and cannot own anything.
Yes, I know this, but as we can see this is not the case.
>
>> The relevant portion of the DC config is:
>>
>> [global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active
>> directory domain controller dns forwarder = X,Y workgroup = ZZ
>> idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use
>> default domain = true winbind offline logon = false winbind nss info
>> = rfc2307 winbind enum users = yes winbind enum groups = yes winbind
>> nested groups = Yes server schannel = yes [sysvol] path =
>> /var/lib/samba/sysvol read only = No
>>
>> So what do I need to change?
> Your email client LOL
Ah yes I will format the lines better next time :-(
>
> [global]
> netbios name = XXX
> realm = XXXX.yyyy.ZZ
> server role = active directory domain controller
> dns forwarder = X,Y
> workgroup = ZZ
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> winbind use default domain = true
>
> The line above does nothing on a DC
>
> winbind offline logon = false
>
> The line above is the default
>
> winbind nss info = rfc2307
>
> The line above does nothing on a DC
>
> winbind enum users = yes
> winbind enum groups = yes
>
> You should only set the two lines above for testing purposes, Samba
> will work perfectly well without them.
>
> winbind nested groups = Yes
> server schannel = yes
>
> The two lines above are defaults
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> What happened to the 'netlogon' share ? If you removed it, I suggest
> you put it back.
>
No, I just omitted that part. The enum lines are only there for
testing, I know that it reduces performance.
So I understand I can simplify the DC config, but it is not "wrong"
(before looking at the member server config below).
Here is the domain member server config:
workgroup = XXXX
security = ADS
realm = XXXX.yyyy.ZZ
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
winbind expand groups = 4
server schannel = yes
access based share enum = true
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config XXXX : backend = rid
idmap config XXXX : range = 300000-400000
The "XXXX" stands for our AD domain, there might be others coming so
this is why we set an idmap range for that domain.
I suspect that I forgot to set the idmap config on the DC(s) accordingly?
Regards, Jakob Curdes
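An added example (not part of the thread) showing where the member server's 300512 comes from: the idmap_rid backend computes every Unix ID as RID + the low end of the configured range and never consults idmap.ldb or rfc2307 attributes on the DC, so Domain Admins (RID 512) lands at 300000 + 512 on this member. The smb.conf fragment is constructed to mirror the member config above; conf_value and rid_to_xid are hypothetical helper names.

```shell
#!/bin/sh
# Constructed fragment mirroring the domain member smb.conf from the post.
SMB_CONF_SAMPLE='[global]
workgroup = XXXX
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config XXXX : backend = rid
idmap config XXXX : range = 300000-400000'

# conf_value DOMAIN KEY : print the value of "idmap config DOMAIN : KEY".
# String comparison (not a regex) so the "*" default domain is safe to query.
conf_value() {
  printf '%s\n' "$SMB_CONF_SAMPLE" | awk -F ' *= *' -v want="idmap config $1 : $2" '
    { k = $1; gsub(/ +/, " ", k); sub(/^ /, "", k); sub(/ $/, "", k)
      if (k == want) { print $2; exit } }'
}

# rid_to_xid DOMAIN RID : the uid/gid idmap_rid would hand out for RID in
# DOMAIN, i.e. RID + low end of the range; "unmapped" (status 1) when the
# result exceeds the range, "not-rid" (status 2) when DOMAIN uses another
# backend (e.g. the tdb allocating backend configured for "*").
rid_to_xid() {
  dom=$1; rid=$2
  [ "$(conf_value "$dom" backend)" = rid ] || { echo not-rid; return 2; }
  range=$(conf_value "$dom" range)
  low=${range%-*}; high=${range#*-}
  xid=$((low + rid))
  if [ "$xid" -gt "$high" ]; then echo unmapped; return 1; fi
  echo "$xid"
}

# Domain Admins is RID 512 in every AD domain, hence 300512 on this member.
printf 'Domain Admins (RID 512) on the member maps to gid %s\n' "$(rid_to_xid XXXX 512)"
```

Because the DC allocates its own xidNumber values in idmap.ldb, the two sides only agree if the member is switched to a backend that reads the DC's attributes; the rid backend guarantees they differ.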