
[Samba] Problems with GPO


Marcio Demetrio Bacci via samba, Nov 2, 2016, 6:20:03 PM
I'm having problems with GPOs in Samba 4.2.1.

I created a GPO to block the Control Panel and applied it to my domain OU.

On the desktop client I typed "gpupdate /force" and a success message
appeared asking me to reboot the system. After the reboot the GPO doesn't work.

Other GPOs, such as WSUS update, Wallpaper and others, don't work either.


Following is the result of the command: GPRESULT /H GPResult.html

GPOs Applied
Name                                      Location                          Link Revision
Default Domain Policy                     empresa.com.br                    AD (1), Sysvol (65535)

GPOs Denied
Name                                      Location                          Link Denial Reason
Local Group Policies                      Location                          EMPTY
{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}    empresa.com.br                    Inaccessible
{D65C5B66-A380-48AD-AC8A-DE417173E293}    empresa.comb.br/EMPRESA/SecInfor  Inaccessible
Wallpaper                                 empresa.comb.br/EMPRESA/SecInfor  Inaccessible

How can I debug this problem?

Regards,

Márcio
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

lingpanda101 via samba, Nov 3, 2016, 9:50:02 AM
On 11/2/2016 5:51 PM, Marcio Demetrio Bacci via samba wrote:
> I'm having problems with GPOs in Samba 4.2.1.
>
> I created a GPO to block the Control Panel and applied it to my domain OU.
>
> On the desktop client I typed "gpupdate /force" and a success message
> appeared asking me to reboot the system. After the reboot the GPO doesn't work.
>
> Other GPOs, such as WSUS update, Wallpaper and others, don't work either.
>
>
> Following is the result of the command: GPRESULT /H GPResult.html
>
> GPOs Applied
> Name                                      Location                          Link Revision
> Default Domain Policy                     empresa.com.br                    AD (1), Sysvol (65535)
>
> GPOs Denied
> Name                                      Location                          Link Denial Reason
> Local Group Policies                      Location                          EMPTY
> {0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}    empresa.com.br                    Inaccessible
> {D65C5B66-A380-48AD-AC8A-DE417173E293}    empresa.comb.br/EMPRESA/SecInfor  Inaccessible
> Wallpaper                                 empresa.comb.br/EMPRESA/SecInfor  Inaccessible
>
> How can I debug this problem?
>
> Regards,
>
> Márcio

The denial reason Inaccessible usually refers to a permissions problem.
Verify that the user and/or computer the GPO applies to has the correct
permissions. Can you run 'getfacl
/Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}' and post the results?

--
- James
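A way to turn the getfacl check James asks for into a repeatable script, added here as an example; it is not from the thread or from the Samba project. The pure helpers parse getfacl output and run offline against a sample ACL constructed from the getfacl output posted later in this thread. The live part assumes the Samba default sysvol path /var/lib/samba/sysvol (override with SYSVOL), needs getfacl and wbinfo on the DC, and assumes winbind can map S-1-5-11 (Authenticated Users) to a gid with wbinfo -Y; that last assumption is exactly what fails when idmap.ldb is off, so the script reports it rather than hiding it.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Parses getfacl output for a GPO directory under sysvol and reports who can read it.

# Sample input, constructed from the getfacl output posted in this thread
# (getfacl -n prints numeric IDs; unmapped IDs show up numeric even without -n).
SAMPLE_ACL='# file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
# owner: 10060
# group: 30028
user::rwx
user:10060:rwx
user:3000002:rwx
user:3000010:r-x
group::rwx
group:30028:rwx
group:30032:r-x
group:30033:rwx
group:3000002:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:10060:rwx
default:group::---
default:group:30028:rwx
default:mask::rwx
default:other::---'

# acl_owner ACLTEXT -> the numeric owner from the "# owner:" line.
acl_owner() {
    printf '%s\n' "$1" | awk '/^# owner:/ { print $3; exit }'
    return 0
}

# acl_ids ACLTEXT -> "kind id" for every named access entry. Unnamed entries
# (user::, group::, mask::, other::) and default:* entries are skipped: defaults
# only shape new children and say nothing about reading this directory itself.
acl_ids() {
    printf '%s\n' "$1" | awk -F: '($1 == "user" || $1 == "group") && $2 != "" { print $1, $2 }'
    return 0
}

# acl_perms ACLTEXT KIND ID -> the rwx triple of the named entry, empty if absent.
acl_perms() {
    printf '%s\n' "$1" | awk -F: -v kind="$2" -v id="$3" '$1 == kind && $2 == id { print $3; exit }'
    return 0
}

# acl_has_read ACLTEXT KIND ID -> success if the named entry exists and grants read.
# The mask:: entry caps named entries; it is rwx in the sample, so it is not applied here.
acl_has_read() {
    case "$(acl_perms "$1" "$2" "$3")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Live report for one GPO directory: resolve every ID through winbind and say
# whether the gid of Authenticated Users (S-1-5-11) has a read entry.
gpo_acl_report() {
    acl=$(getfacl -n "$1" 2>/dev/null) || { echo "getfacl failed on $1"; return 1; }
    owner=$(acl_owner "$acl")
    echo "$1"
    echo "  owner uid $owner -> $(wbinfo -U "$owner" 2>/dev/null || echo unmapped)"
    acl_ids "$acl" | while read -r kind id; do
        if [ "$kind" = user ]; then sid=$(wbinfo -U "$id" 2>/dev/null); else sid=$(wbinfo -G "$id" 2>/dev/null); fi
        echo "  $kind $id $(acl_perms "$acl" "$kind" "$id") ${sid:-unmapped}"
    done
    au=$(wbinfo -Y S-1-5-11 2>/dev/null)   # assumption: winbind maps S-1-5-11 to a gid
    if [ -n "$au" ] && acl_has_read "$acl" group "$au"; then
        echo "  OK: Authenticated Users (gid $au) can read"
    else
        echo "  PROBLEM: no read entry for Authenticated Users (gid ${au:-unknown}); expect Inaccessible in gpresult"
    fi
}

# The live walk over sysvol runs only when asked, so the helpers can be tested offline.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    for d in "${SYSVOL:-/var/lib/samba/sysvol}"/*/Policies/{*}; do
        [ -d "$d" ] && gpo_acl_report "$d"
    done
fi
```

Run it on the DC as root with RUN_LIVE=1. Against the ACL in this thread it reports the owner as uid 10060 (a normal user, not Domain Admins) and no entry at all for the Authenticated Users gid, which is the pattern behind the Inaccessible rows in gpresult.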

lingpanda101 via samba, Nov 3, 2016, 10:30:02 AM
On 11/3/2016 9:59 AM, Marcio Demetrio Bacci wrote:
> Thanks Lingpanda101
>
> Following is the result of the command:
>
> # file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
> # owner: 10060
> # group: 30028
> user::rwx
> user:10060:rwx
> user:3000002:rwx
> user:3000010:r-x
> group::rwx
> group:30028:rwx
> group:30032:r-x
> group:30033:rwx
> group:3000002:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:10060:rwx
> default:user:3000002:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:30028:rwx
> default:group:30032:r-x
> default:group:30033:rwx
> default:group:3000002:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
>
>
> Regards,
>
> Márcio
I see you have given some users and groups a UID. Can you tell me the
results of

wbinfo --uid-info=10060
wbinfo --gid-info=30028
wbinfo --gid-info=30032
wbinfo --gid-info=30033

I don't see user:3000003 which I believe is Authenticated Users. Did you
give this group a UID?

Rowland Penny via samba, Nov 3, 2016, 11:30:02 AM

If giving users a uidNumber isn't modifying things, I don't know what
is.

Rowland

Rowland Penny via samba, Nov 3, 2016, 12:10:04 PM
On Thu, 3 Nov 2016 10:25:00 -0400
lingpanda101 via samba <sa...@lists.samba.org> wrote:

Seeing as this is not one of the two standard GPOs, you have a problem. When
you create a GPO, the owner is Domain Admins and the group is Domain
Admins, so who is '10060' and what is '30028'?

Rowland

Miguel Medalha via samba, Nov 3, 2016, 1:50:04 PM

A Microsoft security update for Group Policy changed the behavior of clients with regard to GPOs:

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398


The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

In sum:

Add the Authenticated Users group with Read Permissions to the Group Policy Object (GPO).
Also add the Domain Computers group with read permission.


Did you take this into account?

This bit me some months ago. All of a sudden, the GPOs were not being applied. When I made the above changes, they immediately started working again.
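One way to apply Miguel's two corrective measures from the shell of a Samba AD DC, added here as an example; it is not from the thread, the Microsoft article, or the Samba project. It assumes: the realm from this thread, empresa.com.br (override with REALM); that samba-tool dsacl get prints the object's SDDL on its last output line; that GPMC's "Read" on a GPO corresponds to the ACE (A;CI;RPLCLORC;;;<trustee>) on the groupPolicyContainer object, with AU and DC as the SDDL aliases for Authenticated Users and Domain Computers; and that samba-tool ntacl sysvolreset restores Samba's default GPT directory ACLs, which include Read & Execute for Authenticated Users. The SDDL helpers are pure and are exercised offline against a constructed DACL.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Grants Authenticated Users (AU) and Domain Computers (DC) read on a GPO, on both halves
# of the GPO: the groupPolicyContainer object in AD and the GPT directory under sysvol.

# Constructed sample: a GPC DACL from which Authenticated Users has been removed entirely,
# which is what removing the group from GPMC "Security Filtering" does. DA/EA/SY/ED keep
# their usual entries (RPLCLORC = Read Property, List Children, List Object, Read Control).
SAMPLE_GPC_SDDL='O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;ED)'

# sddl_trustees SDDL -> one trustee per line (the last field of every ACE).
sddl_trustees() {
    printf '%s\n' "$1" | tr ')' '\n' | awk -F';' 'NF >= 6 { print $NF }'
    return 0
}

# sddl_allow_aces_for SDDL TRUSTEE -> the plain allow ("A") ACEs for that trustee, one per
# line. Object ACEs ("OA", e.g. the Apply Group Policy right) are deliberately not counted:
# Apply without Read is still a failure after MS16-072.
sddl_allow_aces_for() {
    printf '%s\n' "$1" | tr ')' '\n' | awk -F';' -v t="$2" '
        NF >= 6 && $NF == t {
            ace = $0
            sub(/^[^(]*\(/, "(", ace)        # drop the O:/G:/D: prefix before the first "("
            if (ace ~ /^\(A;/) print ace ")"
        }'
    return 0
}

# sddl_missing_read SDDL -> the read ACEs that still have to be added for AU and DC.
sddl_missing_read() {
    for t in AU DC; do
        [ -n "$(sddl_allow_aces_for "$1" "$t")" ] || printf '(A;CI;RPLCLORC;;;%s)\n' "$t"
    done
    return 0
}

# realm_to_basedn empresa.com.br -> DC=empresa,DC=com,DC=br
realm_to_basedn() {
    printf 'DC=%s\n' "$(printf '%s' "$1" | sed 's/\./,DC=/g')"
}

# Live remediation for one GPO GUID, e.g. '{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}'.
gpo_grant_read() {
    gpc="CN=$1,CN=Policies,CN=System,$(realm_to_basedn "${REALM:-empresa.com.br}")"
    cur=$(samba-tool dsacl get --objectdn="$gpc" | tail -n 1)   # assumption: SDDL is the last line
    sddl_missing_read "$cur" | while read -r ace; do
        echo "adding $ace to $gpc"
        samba-tool dsacl set --objectdn="$gpc" --sddl="$ace"    # appends the ACE to the DACL
    done
    # Sysvol half: reset the whole tree to Samba's defaults (Read & Execute for Authenticated
    # Users, which covers computer accounts too), then verify. This discards custom per-GPO
    # file ACLs, so review those first if you have any.
    samba-tool ntacl sysvolreset && samba-tool ntacl sysvolcheck
}

# Usage: RUN_LIVE=1 GPO_GUID='{...}' ./gpo-grant-read.sh
if [ "${RUN_LIVE:-0}" = 1 ] && [ -n "${GPO_GUID:-}" ]; then
    gpo_grant_read "$GPO_GUID"
fi
```

The AD half is done per GPO and is idempotent because the script only adds an ACE when the trustee has no plain allow ACE yet; dsacl set itself appends blindly, so do not call it in a loop without that check. The sysvol half is a whole-tree reset, which is the documented Samba way to repair GPT permissions; after it, rerun gpupdate /force on a client and the Inaccessible rows in gpresult should be gone.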

Marcio Demetrio Bacci via samba, Nov 3, 2016, 5:20:03 PM
Hi Rowland

Following are the results:

USER:
wbinfo --uid-info=10060:
bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false

GROUP:
wbinfo --gid-info=30028: Domain Admins

wbinfo --gid-info=30032: Domain Users

wbinfo --gid-info=30033: Enterprise Admins


"I don't see user:3000003"

root@dc1:~# wbinfo -G 3000003
S-1-5-11

root@dc1:~# wbinfo -s S-1-5-11
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-11

I have in my network two DCs (Samba 4) and one member file server (Samba 4).
When I execute wbinfo -r <user>, I get different results:

root@dc1:~# wbinfo -G 3000000
S-1-5-32-544

root@dc1o:~# wbinfo -G 30002
S-1-5-32-544

root@dc1:~# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4

The SID for Administrators is 3000000 on the DC. On the file server the same group
is 30002.

Different groups for the same user:
root@dc1:~# wbinfo -r bacci
30011
30025
30029
30030
30035
30049
30052
3000000


root@server-file:~# wbinfo -r bacci
30002
30003
30025
30028
30029
30030
30032
30035
30049
30052
30053


Regards,

Márcio

Micha Ballmann via samba, Nov 3, 2016, 5:50:03 PM
Do you use rsync replication?

See:

Built-in Groups GID Mappings

here:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Rowland Penny via samba, Nov 3, 2016, 6:20:03 PM

See inline comments:

On Thu, 3 Nov 2016 19:17:58 -0200
Marcio Demetrio Bacci <marci...@gmail.com> wrote:

> Hi Rowland
>
> Following are the results:
>
> USER:
> wbinfo --uid-info=10060:
> bacci:*:10060:30049:bacci:/home/EMPRESA/bacci:/bin/false
>

It looks like 'bacci' is a normal user and the owner of the
Policies GUID dir should be 'Domain Admins'



> GROUP:
> wbinfo --gid-info=30028: Domain Admins

This is where one of the problems starts. It's a bit of a catch-22: you
need to give 'Domain Admins' a gidNumber for it to be visible to Unix, but if
you do, it loses the 'ID_TYPE_BOTH' from idmap.ldb that lets it own dirs &
files in sysvol.

>
> wbinfo --gid-info=30032: Domain Users
>
> wbinfo --gid-info=30033: Enterprise Admins
>
>
> "I don't see user:3000003"
>
> root@dc1:~# wbinfo -G 3000003
> S-1-5-11
>
> root@dc1:~# wbinfo -s S-1-5-11
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-11
>

You will need to look inside idmap.ldb to find this.

> I have in my network two DCs (Samba 4) and one member file server
> (Samba 4). When I execute wbinfo -r <user>, I get different results:
>
> root@dc1:~# wbinfo -G 3000000
> S-1-5-32-544
>
> root@dc1o:~# wbinfo -G 30002
> S-1-5-32-544
>
> root@dc1:~# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
>
> The SID for Administrators is 3000000 on the DC. On the file server the same
> group is 30002.

Don't give the BUILTIN users & groups uidNumbers & gidNumbers, let
samba do this on the DC and set up smb.conf correctly on the domain
member. You do this by using 'idmap config * : backend = tdb'


>
> Different groups for the same user:
> root@dc1:~# wbinfo -r bacci
> 30011
> 30025
> 30029
> 30030
> 30035
> 30049
> 30052
> 3000000
>
>
> root@server-file:~# wbinfo -r bacci
> 30002
> 30003
> 30025
> 30028
> 30029
> 30030
> 30032
> 30035
> 30049
> 30052
> 30053
>
>
> Regards,
>
> Márcio
>

Rowland
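Rowland's "look inside idmap.ldb" step, as an added example that is not from the thread or from the Samba project: a small script that queries idmap.ldb for a SID with ldbsearch and parses the record into its xidNumber and type. The sample records are constructed in the LDIF shape ldbsearch prints; the S-1-5-11 and S-1-5-32-544 entries mirror the xids Marcio reported, and the third record is a hypothetical group with a gid-only mapping. Assumed: the default idmap.ldb path /var/lib/samba/private/idmap.ldb (override with IDMAP_LDB), and Rowland's rule that only a mapping with a uid side (ID_TYPE_BOTH or ID_TYPE_UID) can own files in sysvol.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Look up how the DC maps a SID to a Unix id in idmap.ldb and whether that mapping can own files.

# Constructed sample in the LDIF shape ldbsearch prints for idmap.ldb records. The first two
# mirror xids reported in this thread; the third is a hypothetical group with a gid-only mapping.
SAMPLE_IDMAP='# record 1
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11

# record 2
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 3
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
cn: S-1-5-21-1111111111-2222222222-3333333333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_GID
xidNumber: 3000015
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
'

# idmap_parse LDIF SID -> "xidNumber type" for the record whose objectSid matches, else nothing.
# Records are separated by blank lines; attribute order inside a record does not matter.
idmap_parse() {
    printf '%s\n' "$1" | awk -v sid="$2" '
        function flush() { if (s == sid && x != "") print x, t; s = x = t = "" }
        /^objectSid: / { s = $2 }
        /^xidNumber: / { x = $2 }
        /^type: /      { t = $2 }
        /^$/           { flush() }
        END            { flush() }'
    return 0
}

# idmap_can_own TYPE -> success if the mapping has a uid side, which is what a file owner
# needs. A gid-only mapping (ID_TYPE_GID), or a group that only got a gidNumber in AD, cannot
# own the Policies directories even though it can still appear in their ACLs.
idmap_can_own() {
    case "$1" in
        ID_TYPE_BOTH|ID_TYPE_UID) return 0 ;;
        *)                       return 1 ;;
    esac
}

# idmap_ldif SID -> raw ldbsearch output for that SID from the DC's idmap.ldb (live).
idmap_ldif() {
    ldbsearch -H "${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}" "(objectSid=$1)" objectSid type xidNumber
}

# idmap_report SID -> one line: sid, xid, type, and whether it can own files (live).
idmap_report() {
    rec=$(idmap_parse "$(idmap_ldif "$1")" "$1")
    if [ -z "$rec" ]; then
        echo "$1: no entry in idmap.ldb (winbind may be using a uidNumber/gidNumber from AD instead)"
        return 1
    fi
    set -- "$1" $rec
    if idmap_can_own "$3"; then own=yes; else own=no; fi
    echo "$1 -> xid $2 $3 can-own-files=$own"
}

# Usage: RUN_LIVE=1 ./idmap-check.sh S-1-5-11 S-1-5-32-544 ...
if [ "${RUN_LIVE:-0}" = 1 ]; then
    for sid in "$@"; do idmap_report "$sid"; done
fi
```

Compare the xid this prints with what wbinfo -G reports on each host: the 3000000 versus 30002 mismatch for BUILTIN\Administrators in this thread is expected, because idmap.ldb is local to the DC and the member server allocates its own ids from the backend named by its smb.conf, which is why Rowland's advice for the member is 'idmap config * : backend = tdb' rather than copying the DC's numbers.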


L.P.H. van Belle via samba, Nov 4, 2016, 5:50:02 AM

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Friday, 4 November 2016 9:54
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Problems with GPO
>
> On Fri, 4 Nov 2016 01:32:44 -0200
> Marcio Demetrio Bacci <marci...@gmail.com> wrote:
>
> ..................
>
> > Must the accounts of the domain computers (joined to the domain) have
> > the Unix attributes?
>
> No, I have never added them

If you don't add them and the idmap is out of sync somehow, you get GPO errors. So I suggest that, until the BUILTIN\groups are all correctly mapped in Samba, you give Domain Computers a GID. This can really help with GPO problems.

Greetz,

Louis


Rowland Penny via samba, Nov 7, 2016, 4:10:03 AM
On Mon, 7 Nov 2016 09:41:33 +0100
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> Looking at your config setup, I noticed a few things.
>
> DC1.
>
> /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.200.25   (=dc1)
> nameserver 192.168.200.10
>
> /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.200.4   (dc=2)
> nameserver 192.168.200.10
>
> /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.200.25
> nameserver 192.168.200.10
>
> I suggest you change your DC resolv.conf setup first and change the
> following.
>
> DC1.
> nameserver 192.168.200.4
> nameserver 192.168.200.25
>
> DC2
> nameserver 192.168.200.25
> nameserver 192.168.200.4
>
> Fileserver
> nameserver 192.168.200.4
> nameserver 192.168.200.25
>
> And to make sure, run this script to check for database replication
> errors:
>
> http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh
>
> This compares the Samba AD DC databases (up to 10 DCs).
>
> There is no need to configure anything in the script.
>
> And based on your config below I'm guessing your AD DC servers are running
> the RID backend and the file server the AD backend.
>

No he isn't; there is no such thing as a 'rid' backend on a DC.

A DC uses the xidNumbers in 'idmap.ldb' OR uidNumber & gidNumber
attributes in AD. No IDs are calculated on an AD DC

> A mixed setup is, as far as I know, not supported.
>
> Please reread:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Setting_up_the_AD_DNS_back_end
>
> Start at the second blue part after "Provisioning a Samba Active
> Directory".
>
> .....
>
> However, to enable them in an existing domain requires to manually
> extend the AD schema. For further details about Unix attributes in
> AD, see:
> * Setting up RFC2307 in AD
> * idmap config = ad
>

Never add the above line to the smb.conf on a DC; it will do
NOTHING!
 
Rowland
