
[Samba] Failure gpupdate


Ricardo Pardim Claus via samba
Oct 5, 2016, 8:10:04 AM

Colleagues,

I come to seek help to solve this problem. I use Samba 4.4.5.
I'm getting errors when running gpupdate /force on local desktops.
I get the following error:

User policy could not be updated successfully. The following errors were encountered:


The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
The following warnings were encountered during user policy processing:

Windows failed to apply the Scripts settings. Scripts settings might have its own log file. Please click on the "More information" link.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

In the Samba log I see this error:

Oct 5 08:32:53 srv14 smbd_audit: DOMAIN\VMWIN10_|172.16.16.158|sysvol|3000019|stat|fail (File or directory not found)|domain.local/Policies/{0F5704BA-11D0-4D46-A138-34A085A4E44D}/gpt.ini
Oct 5 08:32:54 srv14 smbd_audit: DOMAIN\iuser|172.16.16.158|sysvol|users|stat|fail (File or directory not found)|domain.local/Policies/{7E0FAD97-3DFB-4C01-B35F-5EB3FD63E371}/gpt.ini


I checked the directory and confirmed that the file exists.


I already tried to reset the Sysvol, but I get this error:

# samba-tool ntacl sysvolreset -d3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [full_audit]
Module 'full_audit' loaded

Segmentation fault (core dumped)

Could someone help me?

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

lingpanda101--- via samba
Oct 5, 2016, 8:30:03 AM

On 10/5/2016 8:05 AM, Ricardo Pardim Claus via samba wrote:
> Segmentation fault (core dumped)

Did GPOs ever work?

Can you run 'samba-tool ntacl sysvolcheck' and report the status?
Even though the file exists physically, the permissions may not be correct.

--
-James

mathias dufresne via samba
Oct 5, 2016, 8:30:03 AM

Just waking from my nap, but several things:
A - I believe I have read several times that it is not advised to use ".local" as a top
level domain.
B - samba-tool should not segfault during sysvolreset.
C - most generally, GPO update issues are linked to the access rights of the user or
computer accessing the share or the file(s).

I wouldn't bother about A for now.
I would solve the segfault first (B).
Finally, once Samba is working fully again (including sysvolreset, I mean) I
would have a look at rights (issues with rights when accessing the GPO folder
seem to happen mainly when several DCs are involved).



Ricardo Pardim Claus via samba
Oct 5, 2016, 9:10:03 AM

Dear James and Lingpanda

Here I have 2 DCs running. Everything was running perfectly.
The problem started after I started using rsync to synchronize the Sysvol folder between the DCs.
I believe it is a permission problem in the GPOs or the Sysvol folder.
Another detail: even when accessing the Group Policy Management console (gpedit) via RSAT as the Administrator user, I can no longer edit any GPO. I get an access denied error.
When I browse through the GPO folders, I do not get an access denied error.

Can anyone tell me how I can correct this problem?
How do I fix the permissions?

Here is the error output from the commands:

# samba-tool ntacl sysvolcheck

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /usr/local/samba/var/locks/sysvol/domain.local O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
lp)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl
raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))

# getfacl /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/GPT.INI
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/domain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
# owner: 3000000
# group: 3000025
user::rwx
user:3000012:r-x
user:3000025:rwx
user:3000026:r-x
group::rwx
group:users:r-x
group:3000000:rwx
group:3000012:r-x
group:3000025:rwx
group:3000026:r-x
mask::rwx
other::---

# getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:3000010:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000010:rwx
default:mask::rwx
default:other::---


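The sysvolcheck error above prints the on-disk ACL and the provisioned ACL as two long SDDL strings, which is hard to compare by eye. As an added example (not from the original post and not Samba's own code), this Python script parses both strings and lists the concrete differences: owner, group, the missing protected flag, inherited entries and per-trustee rights. The two SDDL strings are copied from the error message above; the rights-mask labels are the standard Windows file access masks those hex values decode to.

```python
"""Parse the two SDDL strings printed by 'samba-tool ntacl sysvolcheck' and
list why the on-disk ACL differs from the provisioned one.  Added example;
the SDDL strings below are copied from the sysvolcheck error in this thread."""
import re
from dataclasses import dataclass

ACTUAL_SDDL = ("O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)"
               "(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)"
               "(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)"
               "(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)"
               "(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD)")
EXPECTED_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

# Windows file access masks that occur in these ACLs (decoded from the bit values).
KNOWN_RIGHTS = {
    0x001F01FF: "full control",
    0x001200A9: "read & execute",
    0x001E01BF: "read/write/execute + delete + WRITE_DAC/WRITE_OWNER",
}

@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = allow, D = deny, AU = audit
    flags: frozenset   # two-letter SDDL flags: OI CI IO ID NP SA FA
    rights: object     # int for hex masks, str for symbolic rights such as SD
    trustee: str       # SID or well-known alias (BA, SY, AU, SO, CO, LA, WD)

def _rights(field):
    try:
        return int(field, 16)
    except ValueError:
        return field

def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into owner, group and ACE lists.
    ACEs never contain ':', so every ':' starts a new section."""
    out = {"owner": None, "group": None, "dacl_flags": "", "dacl": [],
           "sacl_flags": "", "sacl": []}
    for m in re.finditer(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        key, body = m.group(1), m.group(2)
        if key in ("O", "G"):
            out["owner" if key == "O" else "group"] = body
            continue
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", body):
            f = ace.split(";")
            if len(f) != 6:
                raise ValueError("malformed ACE: " + ace)
            flags = frozenset(f[1][i:i + 2] for i in range(0, len(f[1]), 2))
            aces.append(Ace(f[0], flags, _rights(f[2]), f[5]))
        name = "dacl" if key == "D" else "sacl"
        out[name + "_flags"] = body.split("(", 1)[0]   # e.g. P (protected), AI
        out[name] = aces
    return out

def effective_grants(acl):
    """Collapse allow ACEs per trustee, ignoring how the grant was inherited."""
    grants = {}
    for ace in acl["dacl"]:
        if ace.ace_type == "A" and isinstance(ace.rights, int):
            grants[ace.trustee] = grants.get(ace.trustee, 0) | ace.rights
    return grants

def describe(mask):
    return "0x%08x (%s)" % (mask, KNOWN_RIGHTS.get(mask, "unlabelled mask"))

def explain_mismatch(actual_sddl, expected_sddl):
    """Return human-readable findings; an empty list means the ACLs agree."""
    a, e = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    findings = []
    if a["owner"] != e["owner"]:
        findings.append("owner is %s, provision expects %s" % (a["owner"], e["owner"]))
    if a["group"] != e["group"]:
        findings.append("group is %s, provision expects %s" % (a["group"], e["group"]))
    if "P" in e["dacl_flags"] and "P" not in a["dacl_flags"]:
        findings.append("DACL is not protected (no P flag), so it inherits from the parent directory")
    inherited = sum(1 for ace in a["dacl"] if "ID" in ace.flags)
    if inherited:
        findings.append("%d of %d DACL entries are marked ID (inherited); provision sets none"
                        % (inherited, len(a["dacl"])))
    have, want = effective_grants(a), effective_grants(e)
    for trustee in sorted(set(have) | set(want)):
        if trustee not in have:
            findings.append("%s: missing, expected %s" % (trustee, describe(want[trustee])))
        elif trustee not in want:
            findings.append("%s: extra grant %s" % (trustee, describe(have[trustee])))
        elif have[trustee] != want[trustee]:
            findings.append("%s: has %s, expected %s"
                            % (trustee, describe(have[trustee]), describe(want[trustee])))
    return findings

if __name__ == "__main__":
    for line in explain_mismatch(ACTUAL_SDDL, EXPECTED_SDDL):
        print("-", line)
```

Run on the strings from the error, every entry on disk carries the ID (inherited) flag and the DACL lacks the P flag the provision writes, which is what you would expect after the directory tree was recreated by a tool that let it inherit the parent's ACL instead of receiving the provisioned one.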

L.P.H. van Belle via samba
Oct 5, 2016, 9:20:03 AM

Hi,

After the latest MS security fixes, user group policies are retrieved using the computer's security context.
Now read:
https://bugzilla.samba.org/show_bug.cgi?id=11997
and because of that you have a problem. You can work around it.

Try the following.
[sysvol]
path = /path_to/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes

Now restart samba, and do the sysvol reset.

If you have multiple DCs, I suggest you sync sysvol and the idmap.tdb also.
* idmap.tdb: samba must be stopped to copy it; only needed once per new DC.

And do read the link below, explains a lot.

Link:
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Ricardo Pardim
> Claus via samba
> Sent: Wednesday 5 October 2016 14:05
> To: sa...@lists.samba.org
> Subject: [Samba] Failure gpupdate

Ricardo Pardim Claus via samba
Oct 5, 2016, 11:00:03 AM

I managed to solve the problem.
I disabled the full_audit module in smb.conf, and ran the sysvolreset again.
Now everything is functioning normally.

Is there a bug when full_audit is enabled?
I'm using Samba 4.4.5.
I use these lines:

vfs objects = full_audit
full_audit:prefix = %u|%I|%S|%g
full_audit:facility = local1
full_audit:priority = notice
full_audit:success = all
full_audit:failure = all !open
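With the prefix `%u|%I|%S|%g` above, the smbd_audit lines earlier in the thread decompose into user, client address, share and group, followed by the VFS operation, its result and its arguments. As an added example (not from the original post and not part of Samba), here is a Python parser for that syslog format, run over the two lines quoted in the first message plus some constructed lines, that pulls out failed operations on GPO files per client and user. The field order is taken from the full_audit:prefix setting above; the extra sample lines are constructed for illustration.

```python
"""Parse vfs_full_audit syslog lines with prefix '%u|%I|%S|%g' and pull out
failed accesses to Group Policy files.  Added example; the first two sample
lines are copied from this thread, the rest are constructed for illustration."""
import re
from collections import defaultdict

PREFIX_FORMAT = "%u|%I|%S|%g"           # full_audit:prefix from the smb.conf above
FIELD_NAMES = {"%u": "user", "%I": "client", "%S": "share", "%g": "group"}

# syslog header, then the audit record: <prefix fields>|<op>|<ok or fail (reason)>|<args>
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"smbd_audit: (?P<msg>.*)$")

SAMPLE_LOG = [
    r"Oct 5 08:32:53 srv14 smbd_audit: DOMAIN\VMWIN10_|172.16.16.158|sysvol|3000019|stat|fail (File or directory not found)|domain.local/Policies/{0F5704BA-11D0-4D46-A138-34A085A4E44D}/gpt.ini",
    r"Oct 5 08:32:54 srv14 smbd_audit: DOMAIN\iuser|172.16.16.158|sysvol|users|stat|fail (File or directory not found)|domain.local/Policies/{7E0FAD97-3DFB-4C01-B35F-5EB3FD63E371}/gpt.ini",
    # constructed lines: a successful read, a failure on another share, an unrelated daemon
    r"Oct 5 08:32:55 srv14 smbd_audit: DOMAIN\iuser|172.16.16.158|sysvol|users|pread|ok|domain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI",
    r"Oct 5 08:32:56 srv14 smbd_audit: DOMAIN\iuser|172.16.16.158|netlogon|users|stat|fail (File or directory not found)|missing.bat",
    "Oct 5 08:32:57 srv14 sshd[1234]: Accepted publickey for root from 172.16.16.1",
]

def parse_audit_line(line, prefix_format=PREFIX_FORMAT):
    """Return a dict of fields, or None if the line is not an smbd_audit record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    names = [FIELD_NAMES.get(tok, tok) for tok in prefix_format.split("|")]
    # prefix fields, op, result, then everything else is the op's argument string
    parts = m.group("msg").split("|", len(names) + 2)
    if len(parts) < len(names) + 2:
        return None
    rec = dict(zip(names, parts[:len(names)]))
    rec["timestamp"], rec["host"] = m.group("ts"), m.group("host")
    rec["op"] = parts[len(names)]
    result = parts[len(names) + 1]
    rec["ok"] = result == "ok"
    fail = re.match(r"fail \((.*)\)$", result)
    rec["reason"] = fail.group(1) if fail else None
    rec["args"] = parts[len(names) + 2] if len(parts) > len(names) + 2 else ""
    return rec

def gpo_failures(lines):
    """Failed operations on gpt.ini under the sysvol share, grouped by (client, user)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["ok"] or rec["share"].lower() != "sysvol":
            continue
        if rec["args"].lower().endswith("gpt.ini"):
            hits[(rec["client"], rec["user"])].append((rec["op"], rec["reason"], rec["args"]))
    return dict(hits)

if __name__ == "__main__":
    for (client, user), ops in gpo_failures(SAMPLE_LOG).items():
        print(client, user)
        for op, reason, path in ops:
            print("   %s failed (%s): %s" % (op, reason, path))
```

Because the prefix is configurable, the parser takes the format string rather than hard-coding four fields; change `PREFIX_FORMAT` to match your own smb.conf and the field names follow.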

L.P.H. van Belle via samba
Oct 5, 2016, 11:10:04 AM

And did you test against both DCs' sysvols?
If not, set the preferred server in GPO and test against all DCs.
If it keeps working, you found a bug.

> -----Original message-----
> From: Ricardo Pardim Claus [mailto:ricard...@yahoo.com.br]
> Sent: Wednesday 5 October 2016 16:57
> To: sa...@lists.samba.org
> CC: lingpa...@gmail.com; be...@bazuin.nl; infra...@gmail.com
> Subject: Re: [Samba] Failure gpupdate

Ricardo Pardim Claus via samba
Oct 5, 2016, 11:30:03 AM

Yes, I performed tests on both DCs. Both DCs are working normally. The sysvolreset works on both DCs after I disabled full_audit. gpupdate /force works perfectly.
And also through RSAT, I no longer get a permission error when I edit any GPO.

If this is a bug, whom can I inform / report it to?

What I find strange on the DCs is when I view the sysvol permissions. DC2 shows the name of the domain / group or user, but DC1 shows only the UID of the object:

DC2:

# getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:DOMAIN\134domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:DOMAIN\134domain\040admins:rwx
default:mask::rwx
default:other::---

DC1:

# getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:3000010:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000010:rwx
default:mask::rwx
default:other::---

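Whether the two getfacl listings above differ in the ACL itself or only in how the qualifiers are rendered can be checked mechanically. As an added example (not from the original post and not part of Samba or the acl package), this Python script parses both listings, decodes getfacl's octal escapes (`\134` is a backslash, `\040` a space), pairs the entries by position and reports where the tag/permission shape differs versus where one side shows a bare numeric ID in place of a name. The two listings are copied from the message above; everything else is the example's own code.

```python
"""Parse the two getfacl listings from this thread and show whether DC1 and DC2
differ in the ACL itself or only in how qualifiers are rendered (name vs id).
Added example; the listings are copied from the thread."""
import re

DC1_GETFACL = r"""
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:3000010:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000010:rwx
default:mask::rwx
default:other::---
"""

DC2_GETFACL = r"""
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:DOMAIN\134domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:DOMAIN\134domain\040admins:rwx
default:mask::rwx
default:other::---
"""

def unescape(name):
    # getfacl prints special characters as three-digit octal escapes:
    # \134 is a backslash, \040 is a space
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue                       # blank lines and getfacl's own warnings
        if line.startswith("#"):
            m = re.match(r"#\s*(file|owner|group):\s*(.*)$", line)
            if m:
                acl[m.group(1)] = unescape(m.group(2))
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, rest = line.split(":", 1)     # tag:qualifier:perms; qualifier may be empty
        qualifier, perms = rest.rsplit(":", 1)
        acl["entries"].append({"default": default, "tag": tag,
                               "qualifier": unescape(qualifier), "perms": perms})
    return acl

def is_unresolved(qualifier):
    """A bare number means the name service could not map the id to a name."""
    return qualifier.isdigit()

def unresolved_ids(acl):
    ids = {e["qualifier"] for e in acl["entries"] if is_unresolved(e["qualifier"])}
    for key in ("owner", "group"):
        if acl[key] and is_unresolved(acl[key]):
            ids.add(acl[key])
    return sorted(ids)

def compare_acls(a, b):
    """Pair entries positionally: same tag/perms with a different qualifier string
    points at name resolution; a different shape is a real ACL difference."""
    shape = lambda e: (e["default"], e["tag"], e["perms"])
    result = {"same_shape": [shape(e) for e in a["entries"]] == [shape(e) for e in b["entries"]],
              "qualifier_diffs": [],
              "unresolved": (unresolved_ids(a), unresolved_ids(b))}
    for i, (x, y) in enumerate(zip(a["entries"], b["entries"])):
        if shape(x) == shape(y) and x["qualifier"] != y["qualifier"]:
            result["qualifier_diffs"].append((i, x["qualifier"], y["qualifier"]))
    return result

if __name__ == "__main__":
    r = compare_acls(parse_getfacl(DC1_GETFACL), parse_getfacl(DC2_GETFACL))
    print("same ACL shape:", r["same_shape"])
    for i, q1, q2 in r["qualifier_diffs"]:
        print("entry %d: DC1 shows %r, DC2 shows %r" % (i, q1, q2))
    print("unresolved ids on DC1:", r["unresolved"][0], "on DC2:", r["unresolved"][1])
```

On these two listings the shape is identical and the only differences are the two group entries and the owning group, where DC1 prints numeric IDs and DC2 prints names; the script deliberately does not claim the numbers and names denote the same principals, since that mapping lives in the DC's name service, not in the ACL.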

lingpanda101--- via samba
Oct 5, 2016, 11:50:03 AM


Did you specify winbind in /etc/nsswitch.conf on DC2?

passwd: files winbind
group: files winbind

--
-James

Ricardo Pardim Claus via samba
Oct 5, 2016, 1:00:03 PM

Dear James,

The settings of the /etc/nsswitch.conf file:


DC1:

passwd: files sss
group: files sss


DC2:

passwd: files winbind
group: files winbind

Which of the DCs has the correct setting?



lingpanda101--- via samba
Oct 5, 2016, 1:10:03 PM

On 10/5/2016 12:52 PM, Ricardo Pardim Claus wrote:
> DC1:
> passwd: files sss
> group: files sss
>
> DC2:
> passwd: files winbind
> group: files winbind
>
> Which of the DCs has the correct setting?

There isn't necessarily a right or wrong setting. It looks as if DC1 is
using SSSD and DC2 is using winbind. Did you set up both of these DCs or
did you inherit them?

Ricardo Pardim Claus via samba
Oct 5, 2016, 1:30:05 PM


DC1 was a secondary DC to a Windows 2012 DC. Afterwards I disabled the Windows 2012 DC and chose Samba as the primary DC.

Then the secondary DC was created from the Samba DC.

Regarding the /etc/nsswitch.conf file, I found another difference:

DC 1:
netgroup: files sss

DC2:
netgroup: files winbind
