Web lists-archives.com

Re: [Samba] Can't create/update Group Policy in Samba 4.6.5




Hi Rowland

Now, I set up my PATH adding /usr/local/samba/bin:/usr/local/samba/sbin:

echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin


 ls -l /usr/local/samba/var/locks/
> total 1384
> -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> drwxr-sr-x 3 root 30056   4096 Jul  1 19:40 sysvol
> -rw------- 1 root staff  32768 Jul  1 19:45 winbindd_cache.tdb
> drwxr-s--- 2 root staff   4096 Jul  1 19:45 winbindd_privileged

1) Who is '30056' ? 30056 is the Administrator user.
2) Have you given 'Administrator' a uidNumber ? Yes, I set up Unix
Attribute to Administrator and "Domain Admins", "Domain Controllers" and
others groups.
3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ? No. Is
necessary?

Now, I excluded "acl_xattr:ignore system acls = yes" line in the
"/usr/local/samba/etc/smb.conf"

I have executed "chown root:root -R /usr/local/samba/var/locks" command,
and now I can create and update GPOs, but I don't know if is correct? What
is the better way to correct files permissions on sysvol?

The "samba-tool ntacl sysvolreset" command continues display errors:
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
239, in run
    lp, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP |
security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

I have created Wsus GPO and I typed "gpupdate /force" in prompt of the
Winsows Stations a error appears.

"Group Policy was not processed. Windows can not apply the registry-based
policy settings to the Group Policy object
LDAP://CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=policies,
CN=System,DC=empresa,DC=com,DC=br. The Group Policy settings will not be
resolved until this event is resolved."

How could I solve this problem?

Regards,

Márcio Bacci



2017-07-02 12:26 GMT-03:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:

> On Sun, 2 Jul 2017 11:30:32 -0300
> Marcio Demetrio Bacci via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Hi,
> >
> > I'm using Samba 4.6.5 and I have installed as follows:
> >
> > wget -c https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
> >
> > tar -xzvf samba-4.6.5.tar.gz
> >
> > cd samba-4.6.5
> >
> > ./configure --enable-debug --enable-selftest
>
> Why ? you only need './configure' , unless you are going to run the
> tests.
>
> >
> > make
> >
> > make install
> >
> > It seems that is working properly, however I can't create or update
> > GPO with Windows Group Policy Management tool.
> >
> > When I try, "Denied Access" message appear.
> >
> > I'm using an user that is member of "Domain Admins", "Domain
> > Computers", "Domain Controllers", "Group Policy Creators Owners" and
> > "Domain Users".
> >
> > When I run "samba-tool ntacl sysvolreset" command, appear the
> > following errors:
> >
> > root@dc1:/usr/local/samba/bin# ./samba-tool ntacl sysvolreset
>
> Why are you running samba-tool like that, haven't you set up your PATH
> correctly, if you run (in a terminal):
>
> echo $PATH
>
> it should return your path and that should start like this:
>
> /usr/local/samba/bin:/usr/local/samba/sbin:
>
> If your PATH is set correctly, you should be able to run samba-tool
> from anywhere, from /root for instance.
>
> > I have verified that permissions on my files in
> > "/usr/local/samba/var/locks/" are like this:
> >
> > ls -l /usr/local/samba/var/locks/
> > total 1384
> > -rw------- 1 root staff 421888 Mai 15 21:57 account_policy.tdb
> > -rw------- 1 root staff 528384 Mai 15 21:57 registry.tdb
> > -rw------- 1 root staff 421888 Mai 15 21:57 share_info.tdb
> > drwxr-sr-x 3 root 30056   4096 Jul  1 19:40 sysvol
> > -rw------- 1 root staff  32768 Jul  1 19:45 winbindd_cache.tdb
> > drwxr-s--- 2 root staff   4096 Jul  1 19:45 winbindd_privileged
>
> Who is '30056' ?
> Have you given 'Administrator' a uidNumber ?
> Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ?
>
> > /usr/local/samba/etc/smb.conf
> >
> > [sysvol]
> >  path = /usr/local/samba/var/locks/sysvol
> >  read only = No
> >  acl_xattr:ignore system acls = yes
>
> You should remove the above line, it isn't required.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba