Web lists-archives.com

Re: [Samba] Can't create/update Group Policy in Samba 4.6.5




On Thu, 6 Jul 2017 02:14:42 -0300
Marcio Demetrio Bacci via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> My DC doesn't know domains users and groups by name, only by uid/gid.

Sounds like you haven't set up the libnss_winbind.so links
or /etc/nsswitch.conf

> 
> Ex: chmod mike:'EMPRESA\unix_admins' test
> chown: invalid group mike:EMPRESA\\unix_admins
> 
> if run with GID work properly
> chmod mike:30059 test
> drwxr-xr-x 2 root 30059 4096 Jul  6 00:17 test

Where is 30059 coming from ?
As standard I would expect numbers in the '3000000' range.

> 
> There is unix_admins group
> wbinfo --gid-info 30059
> EMPRESA\unix_admins:x:30059:
> 
> In File Server Domain Member "chown" command by users and groups
> names is OK chmod mike:'EMPRESA\unix_admins' test
> drwxr-xr-x 2 root unix_admins 4096 Jul  6 00:19 test
> 
> I have performed the following steps:
> 
> 1) cd /usr/local/samba/var/locks/sysvol
> 2) mv empresa.com.br /root
> 3) mkdir empresa.com.br
> 4) samba-tool ntacl sysvolreset
> 5) getfacl -R /usr/local/samba/var/locks/sysvol >
> sysvol.permissions.acl 6) rmdir empresa.com.br
> 7) mv /root/empresa.com.br .
> 8) setfacl --restore=sysvol.permissions.acl
> 9) samba-tool ntacl sysvolcheck
> 
> 10) I went the GPO editor and fix incorrect rights.
> 
> 11) I have opened computer manager, connected to the DC, went to the
> security tab.
> I have set up Sysvol security rights:
> DOMAIN\Server Operators
> Creator Owner
> Authenticated Users
> SYSTEM
> DOMAIN\Administrators
> 
> Note 1: I have changed sysvol folder owner to "unix_admins" too by MS
> Windows properties but, when I checked in DC terminal, didn't change
> (to be continued the same user and group).
> 
> Note 2: I have already removed "Unix Attributes" of the
> BUILTIN\Administrators, Group Policy creator Owner and others by
> Windows RSAT Tools - Active Directory Users and Computers (changed
> Domain NIS  to None), but UID/GID remain (keep).
> 
> For Example: the GID 3000275 still is of the BUILTIN\Administrators.
> 
> Other notes:
> 
> output of "samba-tool ntacl sysvolreset" command:
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined
> error') File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> use_ntvfs, passdb=s4_passdb)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
> service=SYSVOL_SERVICE)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
> 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
> 
> 
> The command above (despite the mistakes) reset owner and group to
> root and 3000275 (BUILTIN\Administrators) respectively.
> ls -l
> drwxr-xr-x 2 root 3000275 4096 Jul  6 00:50 empresa.com.br
> 
> 
> output of "samba-tool ntacl sysvolcheck" command:
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No
> such file or directory')
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 270, in run
>     lp)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1714, in checksysvolacl
>     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access,
> service=SYSVOL_SERVICE)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
> 81, in getntacl xattr.XATTR_NTACL_NAME)
> 
> I'm already getting create and edit my GPOs, but I have many doubts:
> 
> 1) Is there another way to remove UID / GID from the users and
> groups ?

Have you run 'net cache flush' on the DC ?

> 
> 2) Why GID number of the BUILT\Administrators and other users and
> groups still continue ?

See above

> 
> 3) Is normal DC does not identify user and group by name, but only by
> UID / GID number ?

Yes

> 
> 4) What are the problems with "samba-tool ntacl sysvolreset" and
> "samba-tool ntacl sysvolcheck" ?

From my tests, to many to mention, but the main one is that sysvolreset
does not set the correct ACEs.

> 
> 5) When I change the users and groups from the sysvol folder by MS
> Windows should I not reflect on the DC terminal?
> 
> I would really like to solve these problems!

So would I ;-)

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba