Web lists-archives.com

Re: [Samba] Fixing sysvol permissions (SOLVED)




On Wed, 20 Jun 2018 12:05:13 +0200 L.P.H. van Belle wrote:
>
> As said very busy, but i  can spare a few minutes now.
>
> -rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
> -rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
> -rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
> -rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
> -rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
> -rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
> -rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
>
>
> Now this is .. Not correct... 
>  
> There is only one i think is correct. base on what you show. 
> -rwxrwx---+ 1 3000008 HPRS\domain admins  but for that you need to show the getfacl output. 
>  
> Ok, do the following.
> 1) reset the sysvol rights with my script and reapply to all folders recursive. 
> start here:  /var/lib/samba/sysvol

A bit unclear on this. You say to "reset the sysvol rights with my script." I assume that to
actually do the update you have to set APPLY_CHANGES_DIRECT="yes" in your script. I did that. I
also changed to directory /var/lib/samba/sysvol and ran the script from that working directory.
I assume that's what you meant. Did this reset the sysvol rights? I don't know what you mean by
"reapply to all folders recursive." Does your script do that or do I have to do something
additionally myself?

Here is the current facl list for sysvol:

# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---

There is one directory under sysvol: hprs.local. Here is the facl list for that directory:

# file: hprs.local
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---

> Now, add to you sysvol :  acl_xattr:ignore system acls = yes
> restart samba. 

Per Rowland's caution, I'm saving this for last if all else fails.

> Goto the share rights and check/reapply them. 

Did that. Although I did that BEFORE running your samba-check-set-sysvol.sh script. Was that bad?

> Goto Folder rights and reapply them Recursively 

Did that. Again, I did that BEFORE running your samba-check-set-sysvol.sh script. Was that bad?
> Goto you GPO tools, and klik on every GPO one, you might see a warning about incorrect rights, that is correct. 
>
> Let windows this is, that ok.

I did that. Every GPO said the permissions were inconsistent. I clicked OK on every one to update.

> Review the linked policies and if needed correct GPO's if you use groups to apply specific settings. 

I reviewed linked policies, but if there was something for me to do it wasn't obvious.  There
was a message saying these policies were linked elsewhere, but nothing for me to do. 

> Whenever you change settings in the sysvol share, you might need to repied above steps. 
> This will fix it, if not, then there is another problem i have not seen yet. 
>  
> but the currect rights layout from above is not ok and use getfacl of setfacl NOT chmod/chown.
> using chmod/chown in sysvol, after settting ignore system acls = yes might open an problem again, 
> then repeat above steps again. 

Well, per my previous message in this thread, I did change group ownership from 100 (users) to
10000 (Domain Users) for all files and directories under sysvol that had group 'users'.  But I
did apply all of your above steps again after that. 

OK, I'm going to restart samba, reboot one of the workstations and see what happens ...

... OMG! It worked!!!!!!!!! Louis, you're a genius!!!! This has been a problem for months and
months. Not only did the redirected folders work, I went to the Windows event log and the only
event for Group Policy says, "The Group Policy settings for the user were processed
successfully". Yeah! I'm going to put all these instruction into my documentation for future
reference. I think the main trick was reviewing each GPO and making the permissions consistent.

If you want to go ahead and comment on any of the steps I may have done incorrectly or out of
order, please feel free. Meanwhile, enjoy your vacation (holiday!).

THX --Mark

[deleted]

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba