[Samba] GPO Editor says "Access denied" for Group Policy Objects
Rowland Penny
rpenny at samba.org
Thu Apr 25 17:59:49 UTC 2024
On Thu, 25 Apr 2024 19:32:26 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:
> Hello Rowland, Luis, all,
>
> On 25.04.2024 at 18:56, Rowland Penny via samba wrote:
>
> >
> > [global]
> > netbios name = XXX
> > realm = XXXX.yyyy.ZZ
> > server role = active directory domain controller
> > dns forwarder = X,Y
> > workgroup = ZZ
> > idmap_ldb:use rfc2307 = yes
> > template shell = /bin/bash
> > winbind use default domain = true
> >
> > The line above does nothing on a DC
> >
> > winbind offline logon = false
> >
> > The line above is the default
> >
> > winbind nss info = rfc2307
> >
> > The line above does nothing on a DC
> >
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > You should only set the two lines above for testing purposes, Samba
> > will work perfectly well without them.
> >
> > winbind nested groups = Yes
> > server schannel = yes
> >
> > The two lines above are defaults
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > What happened to the 'netlogon' share ? If you removed it, I suggest
> > you put it back.
> >
> No, I just omitted that part. The enum lines are only there for
> testing, I know that it reduces performance.
>
> So I understand I can simplify the dc config, but it is not "wrong"
Yes, there is nothing really 'wrong'.
> (before looking at below member server config).
>
> Here is the domain member server config:
>
> workgroup = XXXX
> security = ADS
> realm = XXXX.yyyy.ZZ
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = Yes
> winbind expand groups = 4
> server schannel = yes
> access based share enum = true
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config XXXX : backend = rid
Are there any other Unix domain members ?
Because this one isn't using any rfc2307 attributes, so, if there are
no other Unix domain members and there are rfc2307 attributes in AD,
then you might as well remove them.
> idmap config XXXX : range = 300000-400000
>
> The "XXXX" stands for our our AD domain, there might be other coming
> so this is why we set an idmap range for that domain.
If you add another AD domain, you will also have to use trusts.
>
> I suspect that I forgot to set the idmap config on the DC(s)
> accordingly?
Do not set idmap config lines on a Samba DC, they do not work, you must
use the 3000000 numbers or use rfc2307 attributes (uidNumber,
gidNumber, etc)
Have you read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
Rowland
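A small smb.conf lint for the pitfalls raised in this thread: idmap config lines on a DC are ignored, some winbind options do nothing on a DC, and (a general Samba rule, not stated above) the idmap ranges of a domain member must not overlap. This is an added example, not code from the thread or from the Samba project; the sample config is constructed from the member config above with a hypothetical, widened '*' range so that the overlap check fires.

```python
import re

DC_ROLE = "active directory domain controller"
NOOP_ON_DC = {"winbind use default domain", "winbind nss info"}  # no effect on a DC

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lowercased and whitespace-normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint_idmap(conf):
    """Return findings for the pitfalls the thread describes; [] means clean."""
    g = conf.get("global", {})
    is_dc = g.get("server role", "").lower() == DC_ROLE
    findings, ranges = [], {}
    for key, value in g.items():  # collect 'idmap config <dom> : range' as (low, high)
        m = re.match(r"idmap config (.+?) : range$", key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
    if is_dc:
        if ranges:
            findings.append("idmap config lines are ignored on a DC; use rfc2307 attributes")
        findings += [f"'{o}' does nothing on a DC" for o in sorted(NOOP_ON_DC.intersection(g))]
    elif "*" not in ranges:
        findings.append("domain member lacks 'idmap config * : range'")
    names = sorted(ranges)  # domain names are lowercased by the parser
    for i, a in enumerate(names):  # every pair of ranges must be disjoint
        for b in names[i + 1:]:
            (l1, h1), (l2, h2) = ranges[a], ranges[b]
            if l1 <= h2 and l2 <= h1:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings

# Constructed sample: the thread's member config with a hypothetical '*' range
# widened from 3000-7999 to 3000-400000 so that it collides with the XXXX range
MEMBER_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-400000
idmap config XXXX : backend = rid
idmap config XXXX : range = 300000-400000
"""
```

Run `lint_idmap(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a real file; an empty list means none of the checks above fired.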