Web lists-archives.com

Re: [Samba] GPOs not Working!

Thats a good question, i have exactly the same "issue". User Configurations are working. Computer Configurations, won't. Also tested on one GPO.



Am 07.02.2018 um 23:21 schrieb Robert Marcano via samba:
On 02/07/2018 05:01 AM, L.P.H. van Belle via samba wrote:

Ok, for the sysvol.
I'll put all steps here again.

I suggest start with this one.
wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh This checks and set the rights to be known to be right. ( aka works great for me ) ;-)

Thanks, but before I run that script (I need to analyse what it is doing before)

I just one more question, why do you think these problems are ACL problems?, when I create a new GPO with default authenticated users filtering, liked at domain level, add user and computers configurations on the same GPO, and gpresult show the machine part is denied. It shouldn't be. I think fs ACL problems are not the problem here, we are talking about the same GPO.

Can you help me with one little request, check "gpresult /v" on a Samba AD joined domain computer and tell me if in the section where it list the groups the machine is member of, do it show more entries than

  This company,
  and something like "mandatory level of no trust" (Windows is not in

do it show "Authenticated users" and "Domain Computers" for you?

Then follow these steps.

- login as dom\administrator.
- start computer manager, connect to dc.
- klik Shared Folders, Shares, sysvol.
Option 1, this is the default. Everyone with Full control, Change and Read.
   Option 2, Everyone: Read.
        Verified users:  Full, Change, Read.
        SYSTEM Full, Change, Read.
DOMAIN\Adminstrators ( or DOMAIN\Domain Admins ) Full, change read.

The result of both settings are ( share wize)  the same.
Except in option2, you must be verified before you can write anywere.

- Tab Security.
        Verified users:  Read+exec, Show folder content, Read.
        SYSTEM: full ( everything on )
DOMAIN\Adminstrators: ( or DOMAIN\Domain Admins ) full ( everything on
        DOMAIN\Serer operators: Read+exec, Show folder content, Read.
Once this is set, klik advanced, klik change below.
Check, replace all underlying and replace..

! Note, always this order, first share security then folder security.
That helps preventing making error or resetting rights.

- Do the same for Netlogon. Same settings as sysvol, since its a sub folder of sysvol.

- These steps are imo only done once, ( ! Or if you get errors again due to a reset or change in windows clients )
Now first goto the GroupPolicyObjects, ( not the linked once's )
Klik on every GPO object there, if you get any message, press ok, then its reset.

Now, you need to check the GPO Objects that are assigned/linked to OU and/or groups.

Just start in the top, and klik every object.
All my "normal" GPO Objects only have Authenticated Users.
My "special" GPO Object have different settings.

For example, i've disabled all USB/Mobile/CD access on the pc's by GPO's
A user policy set in the Standard User. I've created 2 groups, per type.
For example.
USB-Read, if i look here you see only USB-Allow-Read group. Now klik the Delegation Tab.
That shows me:
Authenticated User Ready (by security filter)
DOM\Domain Admins
DOM\Enterprise Admins
Server logon

What you dont see is the underlying ACL, klik  Advanced.
Here you see, ... The "Reset to default" button.
Reset it.

Now remember here, after doing this, no samba-tool sysvolreset..
If you do, repeat the above again. Everything!

User GPO's, only a group with the user is fine, and needs "apply GPO"
A computer GPO, needs Domain computers with apply GPO AND the users group.

I've setup all "problem" shares, due to user NT Authority\SYSTEM problems.
Google for it, you see lots of it in the samba list.
My shares layout that used it. ( on mulple servers )
DC: Sysvol and Netlogon
Members: users and profiles
Print server: print$ and printers

So in short, all shares were the "computer$" my access as user system or things like that.

If you see errors on a computer in the eventlogs with:
Computer$ can access .... Bla bla....   On GPO.ini.
This if often a forgoten "DOM\Domain Computers" in the GPO object with read and/or writes rights missing. People test this and the computer$ can access the GPO.ini without problems, so why the event log. Because of "SYSTEM" or an other user that is haveing user/group/SID problems with linux acls.

I hope i explained good enough why i use and set ignore systemacl.



-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
Robert Marcano via samba
Verzonden: woensdag 7 februari 2018 3:19
Aan: samba@xxxxxxxxxxxxxxx
Onderwerp: Re: [Samba] GPOs not Working!

On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote:

do the following.
set ignore systemacl to yes on sysvol and netlogon.

Added "acl_xattr:ignore system acls = yes" to both shares,
restarted the

login as dom\administrator
computer manager, connect to dc.
share sysvol, goto share security, reset to defalts.
same for folder.

I don't get the "Reset to defaults" option. There are two security
related tabs, "Permission of shared resources" (or something
like that,
Windows is not in English) with only permissions for Everyone
with Full
control, Change and Read.

The other tab is the standard "Security" tab, those tabs
don't show any
reset to default option

goto gpo manager,
klik on every gpo object, if one has wrong acl, you get a
message to reset it, thats ok.

now never samba-tool sysvol reset
if you do, you might need to set share/file security again.


p.s rowland, now you can change the default gpo’s also.

Op 6 feb. 2018 om 20:14 heeft Rowland Penny via samba
<samba@xxxxxxxxxxxxxxx> het volgende geschreven:

On Tue, 6 Feb 2018 15:03:16 -0400
Robert Marcano via samba <samba@xxxxxxxxxxxxxxx> wrote:

Thanks for the information, to use a default GPO was a
simple way to
try to encourage someone to reproduce the problem.

I already created new GPOs (this is a test domain) Using
the default
filter for a new GPO, "Authenticated users", creating a
new group for
the test clients and using that as the filter, checking
it have the
right permissions (apply), checking every guide about
applying GPO to
computers. Using OUs and using domain level GPOs.

What I find weird is that gpresult doesn't list the computer as a
member of groups I create, only a few predefined ones:

    This company,
    and something like "mandatory level of no trust"
(Windows is not in

Do not alter the two default GPOs, it doesn't work ;-)

Creating new GPOs should work, just do not run sysvolreset after
creating them.


To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba