Web lists-archives.com

Re: [Samba] Can't create/update Group Policy in Samba 4.6.5




On Sun, 2 Jul 2017 11:30:32 -0300
Marcio Demetrio Bacci via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> I'm using Samba 4.6.5 and I have installed as follows:
> 
> wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
> 
> tar -xzvf samba-4.6.5.tar.gz
> 
> cd samba-4.6.5
> 
> ./configure --enable-debug --enable-selftest

Why ? you only need './configure' , unless you are going to run the
tests.

> 
> make
> 
> make install
> 
> It seems that is working properly, however I can't create or update
> GPO with Windows Group Policy Management tool.
> 
> When I try, "Denied Access" message appear.
> 
> I'm using an user that is member of "Domain Admins", "Domain
> Computers", "Domain Controllers", "Group Policy Creators Owners" and
> "Domain Users".
> 
> When I run "samba-tool ntacl sysvolreset" command, appear the
> following errors:
> 
> root@dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset

Why are you running samba-tool like that, haven't you set up your PATH
correctly, if you run (in a terminal):

echo $PATH

it should return your path and that should start like this:

/usr/local/samba/bin:/usr/local/samba/sbin:

If your PATH is set correctly, you should be able to run samba-tool
from anywhere, from /root for instance.

> I have verified that permissions on my files in
> "/usr/local/samba/var/locks/" are like this:
> 
> ls -l /usr/local/samba/var/locks/
> total 1384
> -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> drwxr-sr-x 3 root 30056   4096 Jul  1 19:40 sysvol
> -rw------- 1 root staff  32768 Jul  1 19:45 winbindd_cache.tdb
> drwxr-s--- 2 root staff   4096 Jul  1 19:45 winbindd_privileged

Who is '30056' ? 
Have you given 'Administrator' a uidNumber ?
Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ?

> /usr/local/samba/etc/smb.conf
> 
> [sysvol]
>  path = /usr/local/samba/var/locks/sysvol
>  read only = No
>  acl_xattr:ignore system acls = yes

You should remove the above line, it isn't required.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba