[Samba] Samba4 Disable USB ports

Neil
May 20, 2015, 6:20:40 AM

Hi guys,

I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another 4
Samba4 DC's all joined to the same AD domain myorg.local

My client wants me to disable all USB ports for all the users joined to the
domain.

Is it possible to do this via a group policy so that users logging onto any
of the DC's will not be able to use their USB ports?

I currently admin my AD with a combination of the samba-tool as well as the
AD Users and Groups MMC Windows utility.

Any guidance is greatly appreciated.

Thank you.

Regards.

Neil Wilson
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle
May 20, 2015, 7:29:01 AM

Yes, this is possible, by GPO.

In GPO, go to:
(User or Computer) Configuration
- Policy
- Administrative template
- System
- Removable storage Access

Play with these settings to get what you want.

For Managing Hardware Restrictions via Group Policy, read:
http://technet.microsoft.com/en-us/magazine/cc138012.aspx


Greetz,

Louis





Neil
May 20, 2015, 8:40:17 AM

Hi Louis,

Thank you very much for your speedy response. I'll definitely go ahead and
investigate further.

Much appreciated.

Regards.

Neil Wilson.

Gabriel Franca
May 21, 2015, 7:25:01 AM

Good morning friends!!!

I am following this topic and performed some tests to validate the process, and noted the following.

1) When the user is in "Domain Users", the GPO is not applied.

2) When the user is in "Domain Admins", the GPO is applied.

Is there any way to apply the GPOs to "Domain Users"???

Sincerely,

Gabriel Franca

Neil
May 22, 2015, 1:33:40 AM

Good morning everyone,

Gabriel: I haven't had a chance to test this yet, but I'm also needing the
same, i.e. Domain Users to have the GPO applied. Did you come right with this?

Andrey: Thank you for letting me know about the SysVol replication across
DC's. I haven't enabled this yet and will be doing so; is there anything I
should watch out for? I'll just be using
"https://wiki.samba.org/index.php/SysVol_Replication" because I don't
require Bi-Directional Replication.

Thank you.

Regards.

Neil Wilson.


On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca <gabriel...@gmail.com>
wrote:

Gabriel Franca
May 22, 2015, 7:33:55 AM

I found it strange, and it is something I had already noticed a while ago.

No GPO is applied when the user is in "Domain Users", so I wonder if I'm doing something wrong or I have to change something.

I believe the "Domain Users" are not allowed to change the Windows registry, hence the issue.

Sincerely,

Gabriel Franca



Daniel Carrasco Marín
May 22, 2015, 8:02:39 AM

2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel...@gmail.com>:

>
> I found it strange more and something I have already noticed a while.
>
> No GPO is applied when the User is the "Domain Users", so I wonder if I'm
> doing something wrong or I have to change something.
>
> I believe the "Domain Users" are not allowed to change the Windows
> registry so the issue.
>
> Sincerely,
>
> Gabriel Franca
>
>

I don't know if it is a Windows problem, but I've got the same behavior trying
to set firewall rules. I fixed the problem by changing "Domain Users"
in the GPO "Security Filter" to "Authenticated Users", and now it is working fine.

I hope this helps.

Greetings!!

Gabriel Franca
May 22, 2015, 8:09:40 AM

Good morning Daniel,

The amendment that I spoke of has to be done on the server.

Every user created in Samba4 receives the "Domain Users" group as primary.

I did several tests on the GPO to no avail.

When I took the user out of "Domain Users" and put it in "Domain Admins", the GPO to make any changes now operates.

I believe that, because "Domain Users" did not have privileges to edit the GPO record on the station, it cannot be applied.

I wonder if the guys who are using Samba 4 are successfully using GPOs with "Domain Users".

Sincerely,

Gabriel Franca


Achim Gottinger
May 22, 2015, 8:24:24 AM

Hello Gabriel,

I recommend you use

gpupdate /force

on the Windows command line after login.
The results of the above command can be checked afterwards with the
"gpresult" command.

It may be that you have a permission problem on your Samba server. I only skimmed
over the thread, but did you try
samba-tool ntacl sysvolreset
on your Samba server?

achim~

L.P.H. van Belle
May 22, 2015, 8:28:00 AM

Hai,

>I don't know if is a Windows problem, but i've got the same behavior trying
>to set Firewall rules. I've fixed the problem changing the "Domain Users"
>in GPO "Security Filter" for "Authenticated Users" and now is working fine.

I suggest you start reading from here.
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1.html
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2.html
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part3.html

I bet you're missing a right as shown in Part 2, picture 3 (the "Apply group policy" right).

And you can try adding:
acl_xattr:ignore system acls = yes
to the netlogon and sysvol shares.

Louis



Daniel Carrasco Marín
May 22, 2015, 8:31:31 AM

2015-05-22 14:08 GMT+02:00 Gabriel Franca <gabriel...@gmail.com>:

> Good morning Daniel,
>
> The amendment that I spoke have to be done on the server.
>
> All user created in Samba4 receives the "Domain Users" group as primary.
>
> I did several tests on the GPO to no avail.
>
> When I took the User of the "Domain Users" and put in "Domain Admins" the
> GPO to make any changes now operates.
>
> I believe that because of the "Domain Users" did not have privileges to
> edit the GPO record in the station can not be applied.
>
> I wonder if the guys who are using Samba 4, is using successfully GPOS the
> "Domain Users"
>
> Sincerely,
>
> Gabriel Franca
>

Good morning Gabriel,

Yes, I know, and I'm talking about GPO policies on a Samba 4 AD using
RSAT tools. I don't know why, but it happens just as you said: when you try
to set a policy for "Domain Users" or "Domain Computers" it is not applied,
but if you use "Authenticated Users" as the "Security Filter" on the GPO then it
works.

I attach two images so you see what I mean.

Greetings!!

Daniel Carrasco Marín
May 22, 2015, 9:02:40 AM

2015-05-22 14:26 GMT+02:00 L.P.H. van Belle <be...@bazuin.nl>:

>
> Hai,
>
> >I don't know if is a Windows problem, but i've got the same behavior trying
> >to set Firewall rules. I've fixed the problem changing the "Domain Users"
> >in GPO "Security Filter" for "Authenticated Users" and now is working fine.
>

Thanks, it is very interesting.

Mine is working fine with "Authenticated Users" and is configured like the
image, so I don't have problems with that ;). The problem is when you
delete "Authenticated Users" from that GPO and use "Domain Users" instead.
The permissions are the same as "Authenticated Users" (and the image of the
second link) but the GPO access is denied...
For me it isn't a problem because I want to set that GPO for all users, but
maybe Gabriel wants to set the USB only to "Domain Users" and allow
"Domain Admins" to use the USB ports.

Greetings!!


Gabriel Franca
May 22, 2015, 9:24:10 AM

Good morning people,

I tried what Achim Gottinger passed along.

I ran samba-tool ntacl sysvolreset and received the following information:
Segmentation fault (core of the recorded image)

I then ran samba-tool ntacl sysvolcheck and received the following:
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data available')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1717, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib64/python2.7/site-packages/samba/ntacls.py", line 73, in getntacl
    xattr.XATTR_NTACL_NAME)

Could this be the source of my problem? hehehehe

Note that I'm using CentOS 7 and Samba version 4.1.17-Sernet-RedHat-11.el7

Sincerely,

Gabriel Franca


Achim Gottinger

May 22, 2015, 10:02:37 AM
Hello Gabriel,

This error looks like you have not enabled xattrs on the partition
where sysvol resides. In case it is an ext3/4 partition, do you have acl and
user_xattr in the mount options?

What is the output of

attr -l /var/lib/samba/sysvol

Use the location of the sysvol folder on your server in the above example.
On my server I get

Attribute "NTACL" has a 320 byte value for /var/lib/samba/sysvol

achim~



Gabriel Franca

May 22, 2015, 10:32:42 AM
Hello Achim,

I put acl_xattr:ignore system acl = yes in the netlogon and sysvol shares.

I restarted samba and had the same error.

Remembering that I'm using CentOS 7 with XFS

Let me ask you a question as to whether and because of that this error.

This week I updated to the newest version of Samba 4.2.x and had a problem of no longer being able to access the RDP of the machines.

So I deleted the smb.conf and redid the entire configuration with the "samba-tool domain provision"

IPC: This server and testing

Sincerely,

Gabriel Franca


Achim Gottinger

May 22, 2015, 11:27:58 AM
Hi Gabriel,

I'll answer to the list's email address.

On 22.05.2015 at 16:54, Gabriel Franca wrote:
> follows the output of the command:
>
> attr -l /var/lib/samba/sysvol
> Attribute "SGI_ACL_FILE" has a 124 byte value for /var/lib/samba/sysvol
> Attribute "SGI_ACL_DEFAULT" has a 124 byte value for /var/lib/samba/sysvol
> Attribute "NTACL" has a 320 byte value for /var/lib/samba/sysvol
>
> Regards,
>
> Gabriel Franca
Thank you for the test. XFS should have xattrs enabled by default. Can
you post your smb.conf here, please?

Another xattr test I found here
https://www.samba.org/samba/docs/man/manpages/vfs_acl_xattr.8.html is

getfattr -n security.NTACL /var/lib/samba/sysvol

Also are there any other errors if you run sysvolreset?

achim~



Nico Kadel-Garcia

May 23, 2015, 9:27:16 AM
On Wed, May 20, 2015 at 6:10 AM, Neil <nwils...@gmail.com> wrote:
> Hi guys,
>
> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another 4
> Samba4 DC's all joined to the same AD domain myorg.local
>
> My client wants me to disable all USB ports for all the users joined to the
> domain.

Has your client thought carefully about possible interference with
smart phone tethering, recharging, keyboards and mice? With wifi
network devices or in-office file sharing done with USB devices? Or
tested this? How, exactly, do they plan to *use* their computers
since few devices have PS2 ports anymore?

Daniel Carrasco Marín

May 23, 2015, 9:32:38 AM

For now they are talking about blocking USB mass storage devices, not all USB devices.

Nico Kadel-Garcia

May 23, 2015, 9:52:08 AM
On Sat, May 23, 2015 at 9:31 AM, Daniel Carrasco Marín
<danielm...@gmail.com> wrote:
>
> On 23/5/2015 3:27 p.m., "Nico Kadel-Garcia" <nka...@gmail.com> wrote:
>>
>> On Wed, May 20, 2015 at 6:10 AM, Neil <nwils...@gmail.com> wrote:
>> > Hi guys,
>> >
>> > I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another 4
>> > Samba4 DC's all joined to the same AD domain myorg.local
>> >
>> > My client wants me to disable all USB ports for all the users joined to
>> > the
>> > domain.
>>
>> Has your client thought carefully about possible interference with
>> smart phone tethering, recharging, keyboards and mice? With wifi
>> network devices or in-office file sharing done with USB devices? Or
>> tested this? How, exactly, do they plan to *use* their computers
>> since few devices have PS2 ports anymore?

> For now they are talking about blocking USB mass storage devices, not all USB devices.

Thank you for making that clear!

Gabriel Franca

May 25, 2015, 7:25:40 AM
Good morning List

On Friday I had to leave so I could no longer continue with our lab.
Weekend and holy all have to rest as much as possible. = D
So I'm back and I will put the smb.conf for analysis.

# Global parameters
[global]
workgroup = CMC
realm = CMC.CORP
netbios name = SAMBA
server role = active directory domain controller
dns forwarder = 172.16.1.1

# Enable printers.
printing = cups
load printers = yes
#Enable internationalization: allow accented characters from Windows
dos charset = CP850
unix charset = ISO8859-1
# Treat files that start with "." as hidden for Windows machines
hidedotfiles = yes


# do not try to take a lock on these files
veto files = /*.mp3/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/*.docx/*.DOC/*.DOCX/*.XLSX/*.xlsx/*.rtf/*.RTF/

#File auditing
vfs objects = full_audit recycle
full_audit:success = open, opendir, write, unlink, rename, mkdir, rmdir, chmod, chown
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = notice
#Per-user recycle bin
recycle:keeptree = yes
recycle:versions = yes
recycle:repository = /dados/trash/%U
recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso
recycle:exclude_dir = tmp, cache

[netlogon]
# path = /var/lib/samba/sysvol/cmc.corp/scripts
path = /dados/scripts
read only = No


acl_xattr:ignore system acl = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No


acl_xattr:ignore system acl = yes

[home]
comment = Diretorio Pessoal de Cada Usuario
path = /dados/users/%U
browseable = No
read only = No

[dpto]
comment = Pasta Departamental
path = /dados/dpto
read only = No
#Block media file extensions in Samba
veto files = /*.mp3/*.nws/*.{*}/*.avi/*.mpeg/*.mpg/*.wma/*.wmv/*.exe
#do not try to take a lock on these files
veto oplock files = /*.doc/*.xls/*.mdb/*.docx/*.DOC/*.DOCX/*.XLSX/*.xlsx/*.rtf/*.RTF/
[share]
comment = Pasta Compartilhada
path = /dados/share
read only = No
#Block media file extensions in Samba
# veto files = /*.mp3/*.nws/*.{*}/*.avi/*.mpeg/*.mpg/*.wma/*.wmv/*.exe
#do not try to take a lock on these files
veto oplock files = /*.doc/*.xls/*.mdb/*.docx/*.DOC/*.DOCX/*.XLSX/*.xlsx/*.rtf/*.RTF/

[lixeira]

path = /dados/trash/%U
read only = No

[printers]
comment = Todas as Impressoras
path = /var/spool/samba
print ok = yes
guest ok = yes
browseable = yes

If possible, give any tips to improve my setup; I will be very grateful.

Sincerely,

Gabriel Franca


Gabriel Franca

May 25, 2015, 7:28:14 AM
getfattr -n security.NTACL /var/lib/samba/sysvol:

getfattr: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
security.NTACL=0sBAAEAAAAAgAEAAIAAQDIfNE105P2UdhFwfWjcmv34BiCg5fIVEaj/j9hplFwGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAEpBF3pKj9ABeG1k5vnP6zljcu+heBpvgrk+GlhuKaaipYfP8llvFUIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAFJC0AAAA0AAAAAAAAADgAAAAAQUAAAAAAAUVAAAAaZVmt9XijfMyfpwZ9AEAAAECAAAAAAAFIAAAACACAAAEAGAABAAAAAADGAD/AR8AAQIAAAAAAAUgAAAAIAIAAAADGACpABIAAQIAAAAAAAUgAAAAJQIAAAADFAD/AR8AAQEAAAAAAAUSAAAAAAMUAKkAEgABAQAAAAAABQsAAAA=

> Also are there any other errors if you run sysvolreset?

Not only the error that reported.

Regards,

Gabriel Franca

> On 22/05/2015, at 12:26, Achim Gottinger <ac...@ag-web.biz> wrote:
>

> getfattr -n security.NTACL /var/lib/samba/sysvol

Gabriel Franca

May 25, 2015, 7:33:05 AM
In my case it is just to disable pen drives and external hard drives, so the GPO blocks those devices on USB.

Mouse and keyboard still functioning normally.

Sincerely,

Gabriel Franca


> On 23/05/2015, at 10:26, Nico Kadel-Garcia <nka...@gmail.com> wrote:
>
> Has your client thought carefully about possible interference with
> smart phone tethering, recharging, keyboards and mice? With wifi
> network devices or in-office file sharing done with USB devices? Or
> tested this? How, exactly, do they plan to *use* their computers
> since few devices have PS2 ports anymore?

Achim Gottinger

May 25, 2015, 1:17:28 PM
Hello Gabriel,

Besides a few minor things, like veto oplocks and charset settings that may
not be needed anymore, I cannot see issues in your smb.conf.
xattrs seem to work as expected also. Do ACLs work? You can test that
with getfacl /var/lib/samba/sysvol for example.
Example output on my setup:
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx

I googled your error messages and found one old thread here with a
similar issue; reprovisioning fixed it in this case.

But before that you can enable debugging output a bit by adding -d[1-9].

Try for example:
samba-tool ntacl sysvolcheck -d3

achim~


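The server-side checks discussed in this thread (acl/user_xattr mount options on ext3/4, the NTACL attribute shown by attr -l, the POSIX ACL shown by getfacl, and samba-tool ntacl sysvolcheck), collected into one script. This is an added example, not code posted by anyone in the thread. The function names and the script name are assumptions, and the sysvol path is passed as the first argument.

```sh
#!/bin/sh
# Added example (not from the thread): sysvol checks for a Samba AD DC.
# Function names are illustrative; the commands are the ones used in the thread.

# has_ntacl: reads `attr -l <dir>` output on stdin; succeeds when an NTACL
# attribute with a non-zero size is listed.
has_ntacl() {
    awk '$1 == "Attribute" && $2 == "\"NTACL\"" && $5 > 0 { found = 1 }
         END { exit(found ? 0 : 1) }'
}

# acl_summary: reads `getfacl <dir>` output on stdin and prints
# "<named access entries> <named default entries>". Base entries such as
# user::rwx are not counted; only entries naming a user or group are.
acl_summary() {
    awk '/^(user|group):[^:]+:/         { access++ }
         /^default:(user|group):[^:]+:/ { dflt++ }
         END { printf "%d %d\n", access, dflt }'
}

# mount_opts_explicit <fstype> <options>: fails only for ext3/ext4 mounts
# that do not list both acl and user_xattr. Other filesystems (XFS) pass.
mount_opts_explicit() {
    case $1 in
        ext3|ext4)
            case ",$2," in *,acl,*) ;; *) return 1 ;; esac
            case ",$2," in *,user_xattr,*) ;; *) return 1 ;; esac
            ;;
    esac
    return 0
}

check_sysvol() {
    cs_dir=$1
    cs_rc=0

    cs_mnt=$(findmnt -n -o FSTYPE,OPTIONS -T "$cs_dir" 2>/dev/null)
    # Unquoted on purpose: splits "fstype options" into two arguments.
    if mount_opts_explicit ${cs_mnt:-unknown none}; then
        echo "OK    mount: ${cs_mnt:-unknown}"
    else
        echo "WARN  ext3/4 without explicit acl,user_xattr; they may still be"
        echo "      filesystem defaults, see 'tune2fs -l <device>'"
    fi

    if attr -l "$cs_dir" 2>/dev/null | has_ntacl; then
        echo "OK    NTACL xattr present on $cs_dir"
    else
        echo "FAIL  no NTACL xattr on $cs_dir"
        cs_rc=1
    fi

    cs_acl=$(getfacl -p "$cs_dir" 2>/dev/null | acl_summary)
    if [ "${cs_acl% *}" -gt 0 ] && [ "${cs_acl#* }" -gt 0 ]; then
        echo "OK    POSIX ACL: ${cs_acl% *} named access, ${cs_acl#* } named default entries"
    else
        echo "FAIL  POSIX ACL on $cs_dir has no named access/default entries"
        cs_rc=1
    fi

    if command -v samba-tool >/dev/null 2>&1; then
        if samba-tool ntacl sysvolcheck; then
            echo "OK    samba-tool ntacl sysvolcheck"
        else
            echo "FAIL  sysvolcheck reported errors; rerun with -d3 for detail"
            cs_rc=1
        fi
    fi
    return "$cs_rc"
}

# Run only when a sysvol path is given, e.g.:
#   sh sysvol_check.sh /var/lib/samba/sysvol
if [ "$#" -gt 0 ]; then
    check_sysvol "$1"
fi
```

A mount-option warning on ext4 is not a failure by itself, because acl and user_xattr can be enabled as filesystem defaults without appearing in the mount options.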
