[Samba] Proper sysvol permissions




(I am not getting emails from the samba list (I do not know why); this is a copy from the web archive, sorry :-( )

On Fri, 22 Jun 2018 16:07:39 +0200
Michal via samba <samba at lists.samba.org> wrote:

>> Samba 4.8.2 as AD controller, installed from scratch (no upgrade).
>>
>> I am getting "access denied" for GPO objects and netlogon or sysvol
>> shares both on Win7 and W10 clients.
>>
>> [root@ad1 etc]# ll /usr/local/samba.ad/var/locks/
>> total 1384
>> -rw-------  1 root root 421888 May 17 08:30 account_policy.tdb
>> -rw-------  1 root root 528384 May 17 08:30 registry.tdb
>> -rw-------  1 root root 421888 May 17 08:29 share_info.tdb
>> drwxrwx---+ 6 root  544   4096 Jun  1 16:38 sysvol
>> -rw-------  1 root root  32768 Jun 22 15:40 winbindd_cache.tdb
>> drwxr-x---  2 root root   4096 Jun 22 15:40 winbindd_privileged
>>
>> [root@ad1 etc]# ll /usr/local/samba.ad/var/locks/sysvol/
>> total 32
>> drwxrwx---+ 3 root 544 4096 May 17 08:21 ad.nemuh.cz
>> drwxrwx---+ 4 root 544 4096 Jun  1 16:22 nemuh.cz
>> drwxrwx---+ 4 root 544 4096 May 17 08:27 nspuh.cz
>> drwxrwx---+ 4 root 544 4096 Jun  1 16:33 uhn.cz

> Two questions, why do you have 4 directories under sysvol, when all
> that should be there (according to your smb.conf) is 'nemuh.cz'

  I suppose these other directories were created during my first attempts to install Samba AD some time ago.
I ran samba-tool (repeatedly) with some install parameters, then deleted smb.conf and ran samba-tool again
(I had no knowledge of the existence of the var/locks/ structures before).

>  The second question is, where did '544' come from ?

  No idea, sorry.

>  How did you install and provision Samba, did you follow the Samba wiki
> or some other web page ?

  The server is CentOS and I did not find an AD-ready CentOS samba package. So I compiled samba from sources
and installed it myself (configure --prefix /usr/local/samba.ad ..., make, make install).
  Then I ran samba-tool (repeatedly, this is my 1st Samba AD installation) in "interactive" mode.
I've read a lot of web pages; I can not say exactly what the last used "install" parameters for samba-tool were.

>> [global]
>>         netbios name = AD1
>>         realm = NEMUH.CZ
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, k
>>        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, k
>>        workgroup = UHN
>>        idmap_ldb:use rfc2307 = yes
</i>
> Why are there two 'server services' lines ?

  No idea. No edit "by hand" of this file, as far as I remember.

>  And why do they both end with a 'k' ?

  My fault, I clipped long lines - they end with "... ntp_signd, kcc, dnsupdate".

> I also take it you are running Bind9 as the dns server, is this running on the DC and is it set up correctly ?

  Yes, bind as DNS, yes, running on the DC. Installed just for this samba instance. I have been using bind on
my other servers for years and I was hoping I would have better control over DNS (no luck; I love bind9 text zone
files, but Samba AD DNS is a f..ing black box, as black as Samba's internal ldap server. Very annoying for me
after years with openldap, used for Samba v3).

  Thanks, Michal
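The listing in the message above shows sysvol directories owned by root, with a group that only appears as the bare number 544 (so the gid resolves to no name on that host) and a trailing '+' on the mode, meaning an extended POSIX ACL is present. As an added example, not code from the thread or from the Samba project, here is a small shell audit that prints exactly those three facts for every entry directly under a sysvol directory. The default path and the function names are assumptions; it relies on GNU stat -c, getent, and an ls that marks ACL-bearing entries with '+' in column 11.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit the POSIX side of a Samba DC sysvol tree.
# Assumptions: GNU coreutils (stat -c), glibc getent, and an ls that marks
# entries carrying an extended ACL with '+' in column 11 of 'ls -ld' output.
set -u

# Print one line per entry directly under $1:
#   <mode> <owner> <group-or-gid> <acl|noacl> <path>
# A bare number in the group column means the gid has no name on this host
# (getent group <gid> returned nothing), which is what the listing in the
# thread shows for gid 544. Returns 2 if the directory does not exist.
audit_sysvol() {
    local root="${1:-/usr/local/samba/var/locks/sysvol}"   # assumed default path
    local entry mode owner gid group aclflag
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    for entry in "$root"/* "$root"/.[!.]*; do
        [ -e "$entry" ] || continue          # skip unmatched globs
        mode=$(stat -c '%A' "$entry")
        owner=$(stat -c '%U' "$entry")
        gid=$(stat -c '%g' "$entry")
        group=$(getent group "$gid" 2>/dev/null | cut -d: -f1)
        [ -n "$group" ] || group="$gid"      # unresolved gid: report the raw number
        if [ "$(ls -ld "$entry" | cut -c11)" = "+" ]; then
            aclflag=acl                      # extended POSIX ACL present
        else
            aclflag=noacl
        fi
        printf '%s %s %s %s %s\n' "$mode" "$owner" "$group" "$aclflag" "$entry"
    done
    return 0
}

# Count entries whose group did not resolve to a name: a quick indicator
# that the id mapping on this DC does not know the gid stamped on sysvol.
count_unresolved_groups() {
    audit_sysvol "$1" | awk '$3 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Run directly with the sysvol path as the only argument, e.g.
#   ./audit_sysvol.sh /usr/local/samba.ad/var/locks/sysvol
if [ -n "${1:-}" ]; then
    audit_sysvol "$1"
    echo "unresolved groups: $(count_unresolved_groups "$1")"
fi
```

This only looks at the POSIX owner, group and ACL flag, which is what ls shows; it does not read the NT ACL Samba stores for sysvol. For that, run samba-tool ntacl sysvolcheck on the DC, and samba-tool ntacl sysvolreset if it reports problems. When reading the group column, note that 544 is also the RID of BUILTIN\Administrators (S-1-5-32-544).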