Web lists-archives.com

Re: [Samba] GPO - Computer Policies are not applied




Hai, 

Micha, Sorry for the absence, i had a few days off, now colleges are sick, so bit more absenced atm.
I'll try to help you guys going. 

For you both, can you try this script, review it, it checkd the problem pointd of the GPO settting
On sysvol, user/group mappings can file etc. ( due to SID_BOTH )  
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh 

The output must be error free, if not you keep having GPO problems. 

I've set it to not change anything, by default, its now an option. 
It creates the file :  default-rights-sysvol.acl 
Which in my case results in : 
# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

If you look in the script, you see the four SID. 

DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"	
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"
These must work in resolving with wbinfo to get the correct uid/gid for sysvol.

These wbinfo --... Tests

For "BUILTIN\Administrators" and BUILTIN\Server Operators
--sid-to-uid --uid-to-sid --gid-to-sid --sid-to-name --name-to-sid 

For System and Authenticated users, these must be tested. 
--sid-to-uid --uid-to-sid --gid-to-sid --sid-to-name

If one of these fail, you have a error in the setup, these should al resolv on the dc. 
wbinfo --sid-to-uid="S-1-5-32-544"

wbinfo --uid-to-sid="The result of above (uid)", returns the value of above (S-1-5-32-544)
wbinfo --gid-to-sid="The result of the first, =(uid)=(gid)", returns the value of above (S-1-5-32-544)

wbinfo --sid-to-name="S-1-5-32-544" results in the name.
wbinfo --name-to-sid="The result of above (name)", returns the value of above (S-1-5-32-544)



Greetz, 

Louis 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Anantha Raghava via samba
> Verzonden: maandag 12 februari 2018 5:02
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: [Samba] GPO - Computer Policies are not applied
> 
> Hi,
> 
> We just upgraded the Samba-AD from version 4.6.5 to 4.7.5. 
> The upgrade 
> threw many challenges and I will write a separate mail explaining the 
> workaround that we adapted to get over them. One of the main 
> challenges 
> is GPO. While the user policy applies properly, the computer policies 
> are not getting applied, rather they are erratic, On some PCs 
> within the 
> same LAN, it works, while on some, it does not. We ran the 
> "samba-tool 
> ntact sysvolcheck". It showed errors in some of the policies 
> but it was 
> fixed with "samba-tool ntacl sysvolreset". Yet, while the 
> user policies 
> works properly, computer policies does not work.
> 
> Thinking that there could be some issues with the GPO, we 
> created a Test 
> OU, created a new policy with same settings and applied them 
> to test OU. 
> Again, the user policies work but not computer policies.
> 
> Can some one guide us to get over this?
> 
> -- 
> 
> Thanks & Regards,
> 
> 
> Anantha Raghava
> 
> 
> Do not print this e-mail unless required. Save Paper & trees.
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba