Discussion:
[Samba] Unable to create GPO "Allow log on locally"
n***@gmail.com
2016-08-04 14:11:53 UTC
Hi,

I've a Samba 4.4.5 AD DC working fine.
But when I try to create a GPO on "Computer Configuration>Policies>
Windows Settings>Security Settings>Local Policies>User Rights
Assignment>Allow Logon Locally" I can add Administrators, Domain Admin
to the listbox but I'm unable to apply.

When I click "Ok" or "Apply" the dialog won't close.

I tested this on a real Win2008R2 Server and it works here without problems.

Any ideas how to get out there? There are no logs (neither on
Samba-Server nor on the Windows RSAT client).



Thanks in advance
--
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
l***@gmail.com
2016-08-04 15:11:13 UTC
I created this policy twice. Once in the default 'Group Policy Objects'
container and one as a 'create a GPO in this domain, and link it
here...'. Both worked with the same user and groups you specified. This
is on a Windows 7 device using RSAT. Not sure what your issue is, but it
does seem to work.
--
-James
n***@gmail.com
2016-08-05 06:12:36 UTC
Hmmm, perhaps it's Windows10 and the RSAT Tools for Windows10 ?
Since it's impossible to install the RSAT Tools for Windows7 on
Windows10 I'll try the Win7 RSAT Tools on Win7 Client and report back.
n***@gmail.com
2016-08-05 09:04:37 UTC
Interestingly it seems to be related to a German Windows10/RSAT and the
translation of "Administratoren" (EN: Administrators) built-in groups into
the SID '*S-1-5-32-544'

I've dug into GPO manually and edited the 'GptTmpl.inf' file. When I
add all the groups manually it works and will be shown afterwards in the
gpedit.msc.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-2350650622-768076714-1495782470-512,*S-1-5-21-2350650622-768076714-1495782470-500,Administrators,*S-1-5-21-2350650622-768076714-1495782470-1115


Using Windows7/RSAT Tools for Win7 didn't work, probably because it
was also in German. Next thing I want to try is using an English
version of Win10/RSAT tools.
I'll report back...
mathias dufresne
2016-08-05 12:35:13 UTC
Not sure this could help, anyway I try : )

Here, with French speaking Windows, when we have to give rights to some
object using MS standard objects (as administrators, guest, authenticated
users...) we must use French syntax of these objects.
I expect this behaviour coming from the fact Windows systems know only one
language at a time (here our Windows systems are French dudes).

Anyway I had a look into our GPOs designed to add some AD group to
LOCAL\Administrators. When we created these GPOs I'm almost sure I had to
use "Administrateurs" and not "Administrators".
In our GptTmpl.inf it is the SID of that group which is used, not the
string version of the group name:
cat Machine/microsoft/windows\ nt/SecEdit/GptTmpl.inf
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-0123456789-9876543210-0123456789-1558__Memberof = *S-1-5-32-544
*S-1-5-21-0123456789-9876543210-0123456789-1558__Members =

As you decided to use group name string rather than SID and because Samba
is speaking English (thanks to Samba team :D) you had to use English
version of that name.

A last note: when using Windows UI to search group or user the default
location of the search is AD domain. To be able to choose local user/group
you have to change that location and then select local computer name rather
than domain name.
Once that is done if you look for "Administratoren" in that UI it should
refer to LOCAL\Administrators.

What's good is even if you select local_computer_name\administrators this will
be transformed into SID (S-1-5-32-544 for local\administrators) and so this
GPO works on any computer, not only the one where this local group was
selected.

I expect all these remarks related to local objects are still valid when
speaking about AD objects.


Hoping this could help, cheers,

Mathias
n***@gmail.com
2016-08-08 10:09:40 UTC
Well, I've set up a completely new test AD Domain with Samba 4.4.5 and
one Windows 10 Client running RSAT tools in an isolated VM net.

Creating a new empty GPO using RSAT tools
Computer Configuration->
Policies->
Windows Settings->
Security Settings->
Local Policies->
User Rights Assignment->
Allow Logon Locally
does not work. I am able to add users/groups to the listbox but I'm
unable to "Apply" or "Ok".
The RSAT Dialog will refuse to apply with the message
"Administrators must be granted the logon local right" and the Dialog
stays open.

It does not matter which version of Windows or which language is being
used.

To reproduce just try to add "DOMAIN\Administrator" or
"CLIENT\Administrator" to the GPO mentioned above with any recent RSAT
Client on a Samba 4.4.5 DC.

It is possible to edit this information inside the GPO file
"GptTmpl.inf" using the right SIDs and it will work then. Also the
Usernames will be shown correctly in RSAT after adding them manually.
(Well I would do it this way but my colleagues won't manually edit the
files I bet. So this is nothing I can advise the 'rest of the world'
especially ;-)

Doing the same on a Windows 2008R2 DC everything works as expected.

When I increase logging on samba with log level = all:255 there's no
relevant output. Some messages when accessing the GPOs but no logs when
trying to apply.


Am I missing something or is this a samba bug?
On which Samba-Version is this working?
Currently I've no clue where to start on resolving these problems...


Any help is very appreciated
Oops, sorry, my gmail box did not show me there were already replies...
L.P.H. van Belle
2016-08-08 11:48:11 UTC
Post by n***@gmail.com
To reproduce just try to add "DOMAIN\Administrator" or
"CLIENT\Administrator" to the GPO mentioned above with any recent RSAT
Client on a Samba 4.4.5 DC.
I cannot reproduce your problem, works fine here. (also Samba 4.4.5)
I do this also for my "remote desktop" users.

The group "domain admin" is added to BUILTIN\Administrators.
I can, which any modification, login locally. (NO RDP)

And to do this over RDP, you need to add a domain group to the local "Remote Desktop Users" group.
And set the remote desktop service to automatic.

Add this in the default domain policy or create a separate GPO for it.
But the more GPOs the slower your login.

And don't try this with COMPUTERNAME\Administrator, that one is disabled.
Create a new admin (domain), add that one to domain admins and try again.


Greetz,

Louis
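
Added example, not part of any poster's message and not Samba or RSAT code: a small audit of the [Privilege Rights] section of a GptTmpl.inf, flagging principals written as names instead of *SID entries (the localisation issue discussed above) and a SeInteractiveLogonRight list that lacks *S-1-5-32-544 (the condition the RSAT dialog complained about). The function names, the sample template, its placeholder domain SID and the SeRemoteInteractiveLogonRight line are assumptions made for illustration.

```python
import configparser
import re

ADMINS = "*S-1-5-32-544"  # BUILTIN\Administrators, the SID quoted in the thread
SID_RE = re.compile(r"^\*S-1-\d+(-\d+)+$")  # GptTmpl.inf writes SIDs as *S-1-...

# Constructed sample modelled on the template posted in the thread; the domain
# SID is a placeholder. On disk the file is typically UTF-16, so decode it first.
SAMPLE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512,Administrators
SeRemoteInteractiveLogonRight = Administratoren
"""

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [p.strip() for p in value.split(",") if p.strip()]
            for right, value in cp.items("Privilege Rights")}

def audit(text):
    """Return a list of (right, principal, problem) findings."""
    findings = []
    rights = parse_privilege_rights(text)
    for right, principals in rights.items():
        for p in principals:
            if not SID_RE.match(p):  # a bare name is language-dependent
                findings.append((right, p, "name instead of *SID"))
    logon = rights.get("SeInteractiveLogonRight")
    if logon is not None and ADMINS not in logon:
        findings.append(("SeInteractiveLogonRight", None,
                         "BUILTIN\\Administrators (*S-1-5-32-544) not granted"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```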