Very strange problem here on Samba 4.5.2 DCs. We have set up some GPOs
and they seem to work fine, however we need to apply some Security
Filtering to a couple of them.
We can add groups and users until we reach 6 groups/users/computers in
the list box in GPO management. As soon as we try to add a 7th entry,
GPO Management throws an "Access Denied" error. Even odder is that
sometimes if we do this, then delete a previous entry from the list, the
most recent one will magically appear.
We are managing AD using RSAT tools on Windows 7.
Has anyone else come across this problem?
Regards
Alex
--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.
"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
I'm not sure I follow exactly where you are adding users and groups. Is
it within the GPO for item level targeting where you reach a limit?
--
- James
Works fine for me with these versions.
( Debian Jessie )
4.4.5-3
4.5.2
4.5.3
And same here, win7 64b, with RSAT tools for management.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Alex Crow via
> samba
> Sent: Monday 19 December 2016 15:06
> To: sa...@lists.samba.org
> Subject: [Samba] GPO Security Filtering "Access Denied"
On 19/12/16 14:18, L.P.H. van Belle via samba wrote:
> Hello Alex,
>
> Works fine for me with these versions.
>
> ( Debian Jessie )
> 4.4.5-3
> 4.5.2
> 4.5.3
>
> And same here, win7 64b, with RSAT tools for management.
>
> Greetz,
>
> Louis
Can you try with a user policy applied via loopback to an OU containing
machines? This is a policy designed to revert a higher-level enforcement of
screensaver/locking for an OU containing servers, for a subset of those
servers and for certain user groups.
I'd already added one machine individually and one user group to the
Security Filtering list. I needed to add another user group, one
individual user and 8 machines - the group, user and the first two
machines worked but I couldn't add any more after that. Restarting samba
did not help :-(
Cheers
> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Alex Crow via
> samba
> Sent: Monday 19 December 2016 15:29
> To: sa...@lists.samba.org
> Subject: Re: [Samba] GPO Security Filtering "Access Denied"
On 19/12/16 15:15, L.P.H. van Belle via samba wrote:
> Are you replacing or merging the policies?
Replacing.
Cheers,
> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Alex Crow via
> samba
> Sent: Monday 19 December 2016 16:51
> To: sa...@lists.samba.org
> Subject: Re: [Samba] GPO Security Filtering "Access Denied"
A Microsoft security update for Group Policy changed the behavior of clients with regard to GPOs:
MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398
The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622
In sum:
Add the Authenticated Users group with Read Permissions to the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.
On 19/12/16 15:55, L.P.H. van Belle via samba wrote:
> Did you add "domain computers" to the security filter also with Read/apply?
Hi Louis, Miguel,
I'm applying it to specific computers, so I've created a group with
those machines in it.
It's not that the problem is applying the GPOs to the machines in the OU
and group; the access denied message is a popup in Group Policy
Management at the moment I try to add more than 6 entries in the
Security Filtering box.
>> It's not that the problem is applying the GPOs to the machines in the OU and
>> group, the access denied message is a popup in Group Policy Management at the
>> moment I try to add more than 6 entries in the Security Filtering box.
The same happened to me once but I solved it. I don't quite remember if it was solved at the same time as I applied the correction I posted earlier.
Can you verify that on the "Delegation" tab you have "Authenticated Users" with "Read" privilege?
No, it wouldn't apply to everyone. As of April this year, according to Microsoft, all policies must have "Authenticated Users" with "Read" privilege. Note that in order to apply a policy you need to have "Read" AND "Apply" under security filtering.
I mean *as of June this year*. Sorry.
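As an added example that is not from this thread, a PowerShell audit (RSAT GroupPolicy module, run as a GPO administrator on a domain-joined host) that applies the KB3163622 advice and the Read-versus-Apply distinction above to every GPO in the domain: it flags GPOs where neither "Authenticated Users" nor "Domain Computers" can read the policy and lists which trustees actually receive it. The optional -Fix switch only grants Read to "Authenticated Users", which changes who can read the GPO, not who it applies to; a custom computer group such as Alex's is shown under AppliesTo but is not recognised as satisfying the read requirement.

```powershell
# Added example, not code from the thread. Requires the RSAT GroupPolicy module.
[CmdletBinding()]
param([switch]$Fix)   # -Fix: add Read (never Apply) for Authenticated Users where missing

Import-Module GroupPolicy -ErrorAction Stop

# Permission levels that include Read; GpoCustom is reported separately.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # MS16-072: the computer account now reads user policies, so every GPO needs
    # Read for Authenticated Users (S-1-5-11) or for the computers (Domain Computers, RID 515).
    $authUsersRead = $perms | Where-Object {
        $_.Trustee.Sid.Value -eq 'S-1-5-11' -and $_.Permission -in $ReadLevels
    }
    $domainComputersRead = $perms | Where-Object {
        $_.Trustee.Sid.Value -like 'S-1-5-21-*-515' -and $_.Permission -in $ReadLevels
    }

    # Security filtering: only trustees with Apply (which implies Read) receive the policy.
    $applyTo = ($perms | Where-Object Permission -eq 'GpoApply' |
                ForEach-Object { $_.Trustee.Name }) -join ', '
    $custom  = ($perms | Where-Object Permission -eq 'GpoCustom' |
                ForEach-Object { $_.Trustee.Name }) -join ', '

    if ($Fix -and -not $authUsersRead -and -not $domainComputersRead) {
        # Read only: this does not add the GPO to anyone's applied policies.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $authUsersRead = $true
    }

    [pscustomobject]@{
        GPO                 = $gpo.DisplayName
        AuthUsersRead       = [bool]$authUsersRead
        DomainComputersRead = [bool]$domainComputersRead
        AppliesTo           = $applyTo
        CustomAcl           = $custom
    }
}

# GPOs failing the read requirement sort to the top.
$report | Sort-Object AuthUsersRead, DomainComputersRead, GPO | Format-Table -AutoSize
```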
On 19/12/16 17:57, Miguel medalha wrote:
>>> No, I don't, because this is a loopback and I only want certain
>>> users on these computers to have the screensaver and lock disabled. If I did that it would apply to everyone.
> No, it wouldn't apply to everyone. As of April this year, according to Microsoft, all policies must have "Authenticated Users" with "Read" privilege. Note that in order to apply a policy you need to have "Read" AND "Apply" under security filtering.
>
If that is the case, why when "Authenticated users" is in the list, it
applies to *every* user on those machines? Right now it behaves as
expected but I just won't be able to add more than 6 entities to the
list when I finally need to. The 7th one I try to add is *no* different
to any of the others I added before.
There also is no option to change anything with regard to "read" or
"apply" in security filtering.
When it's a loopback policy, according to MS you have to add
either "Domain Computers", a particular computer account, or a group of
computer accounts. This works for me, until I will have to add more than
6 groups or accounts!
Cheers
Alex
FYI I just found where to add a particular permission. I tried to add
"Read" (not apply) to "Authenticated Users", and got an "Unable to save
permission changes on {3729C4F3-A62A-4805-AB02-728CE538BA23}. Access is
denied"
So I can't even add that permission.
>> So I can't even add that permission.
This means that you have another problem somewhere (sysvol permissions?). I can add those permissions alright.
On 19/12/16 18:27, Alex Crow via samba wrote:
>
>
> On 19/12/16 17:57, Miguel medalha wrote:
>>>> No, I don't, because this is a loopback and I only want certain
>>>> users on these computers to have the screensaver and lock disabled.
>>>> If I did that it would apply to everyone.
>> No, it wouldn't apply to everyone. As of April this year, according
>> to Microsoft, all policies must have "Authenticated Users" with
>> "Read" privilege. Note that in order to apply a policy you need to
>> have "Read" AND "Apply" under security filtering.
>>
>
> If that is the case, why when "Authenticated users" is in the list, it
> applies to *every* user on those machines? Right now it behaves as
> expected but I just won't be able to add more than 6 entities to the
> list when I finally need to. The 7th one I try to add is *no*
> different to any of the others I added before.
>
> There also is no option to change anything with regard to "read" or
> "apply" in security filtering.
>
> When it's a loopback policy, according to MS you have to add
> either "Domain Computers", a particular computer account, or a group
> of computer accounts. This works for me, until I will have to add more
> than 6 groups or accounts!
>
> Cheers
>
> Alex
Just thinking out loud, could this be because sysvol is on XFS and I
didn't tune to allow extra space for xattrs? The FS that contains sysvol
was formatted with defaults and is mounted as:
rw,relatime,attr2,inode64,noquota
Sadly this probably means a reformat... grrr.
Cheers for your help Miguel and Louis.
Alex
I logged in as DOMAIN\Administrator on a Windows PC.
1) Back up sysvol: copy the "internal.domain.tld" folder in sysvol to your PC.
2) Delete the "internal.domain.tld" folder in sysvol on the DC.
3) Log in to Linux, run: samba-tool ntacl sysvolreset
4) Go to the sysvol folder and run: getfacl sysvol > /tmp/sysvol.acl
5) Copy the "internal.domain.tld" folder from the PC back to sysvol.
6) Restore the sysvol.acl over the complete setup, run:
setfacl -R -b --modify-file /tmp/sysvol.acl /Path_to/sysvol
7) Run samba-tool ntacl sysvolcheck. You should be error free now.
8) Almost there: go to the Windows GPO editor, click once on every GPO object, used or not. You might get a message about incorrect rights, just click OK to fix and it's done.
This works every time for me if I get GPO errors.
Also all the USER GPO settings are applied by the computer accounts.
You always need one of these: "authenticated users" "Domain Computers"
! always !
Best regards,
Louis
> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Miguel Medalha
> via samba
> Sent: Tuesday 20 December 2016 0:36
> To: Alex Crow
> CC: sa...@lists.samba.org
> Subject: Re: [Samba] GPO Security Filtering "Access Denied"
>
> >> I think the ACL list on XFS (installed with Centos7) is too large and it
> >> can't store the additional ACLs. Hopefully that is it, and even if it
> >> isn't, thanks chaps for letting me think aloud, it often helps to bounce
> >> ideas off others to eliminate other possible issues.
>
> >> Sadly this probably means a reformat... grrr.
>
> Isn't that a bit too drastic? I have two DCs here, both working on XFS,
> one with CentOS 6 and the other with CentOS 7. I have lots of GPOs and
> complex ACLs and never found a limit with ACLs.
>
> If I remember correctly, XFS can accommodate 64kB of Extended Attributes.
>
> Did you try "samba-tool ntacl sysvolreset" ?
>
> As I told you before, I once met the same problem you now have and I was
> able to solve it, I don't exactly remember how but I think it was related
> to the issue I referred to in previous posts.