Discussion:
Clients unable to get group policy...
Ryan Ashley
2015-05-20 17:13:46 UTC
I have been fighting a strange issue with Samba for over a year now, and
I am at my wits' end. For some reason, clients are unable to get group
policy settings from the servers. It honestly appears to be the Windows
7 systems just deciding they don't want to, but they're not terminators.
The systems can ping both Samba servers and can even map the sysvol
shares to a drive and navigate them. However, when using "gpupdate", it
errors every time claiming that it could not read gpt.ini from the
location. DNS is correct and verified. I can ping the server and the
address is correct. I can map the sysvol share and anything below it and
read all files both as a normal user and as a domain admin. The servers
can ping the workstations both by IP and hostname, heck even FQDN works.
I have disabled the firewall on the problem systems completely and still
no go. Oh and the servers can resolve domain users and groups. Using
wbinfo shows them all.

With that said, I can only think of two possibilities and I have no clue
how to check them. The first one is that when I map the sysvol share or
anything in it, I have no "Security" tab. It is like there are no
permissions on it. However, I have run "samba-tool ntacl sysvolreset"
and "samba-tool ntacl sysvolcheck" dozens of times and both report no
errors.

The second one I just now thought about. The system in question today is
a fresh install of 7 Pro 64bit using the company volume license. Nothing
is installed. We install Windows, do updates, do drivers, and that is
it. The software is pushed via GPO and/or startup script on the domain.
Therefore, the system is clean. It had to be redone due to a virus. We
zeroed the disk using dd and a live CD, so this truly is a CLEAN install.

Now, the only thing that may be an issue with this system, is that I am
not sure the machine account was removed from the domain after unjoining
it before we took it to wipe and redo it. If the old machine account is
there, what should I do? Can I tell it to get fresh info from the
workstation in some way?
--
Lead IT/IS Specialist
Reach Technology FP, Inc
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
James
2015-05-20 18:35:12 UTC
Post by Ryan Ashley
I have been fighting a strange issue with Samba for over a year now, and
I am at my wits end. For some reason, clients are unable to get group
policy settings from the servers. It honestly appears to be the Windows
7 systems just deciding they don't want to, but they're not terminators.
The systems can ping both Samba servers and can even map the sysvol
shares to a drive and navigate them. However, when using "gpupdate", it
errors every time claiming that it could not read gpt.ini from the
location. DNS is correct and verified. I can ping the server and the
address is correct. I can map the sysvol share and anything below it and
read all files both as a normal user and as a domain admin. The servers
can ping the workstations both by IP and hostname, heck even FQDN works.
I have disabled the firewall on the problem systems completely and still
no go. Oh and the servers can resolve domain users and groups. Using
wbinfo shows them all.
With that said, I can only think of two possibilities and I have no clue
how to check them. The first one is that when I map the sysvol share or
anything in it, I have no "Security" tab. It is like there are no
permissions on it. However, I have run "samba-tool ntacl sysvolreset"
and "samba-tool ntacl sysvolcheck" dozens of times and both report no
errors.
The second one I just now thought about. The system in question today is
a fresh install of 7 Pro 64bit using the company volume license. Nothing
is installed. We install Windows, do updates, do drivers, and that is
it. The software is pushed via GPO and/or startup script on the domain.
Therefore, the system is clean. It had to be redone due to a virus. We
zeroed the disk using dd and a live CD, so this truly is a CLEAN install.
Now, the only thing that may be an issue with this system, is that I am
not sure the machine account was removed from the domain after unjoining
it before we took it to wipe and redo it. If the old machine account is
there, what should I do? Can I tell it to get fresh info from the
workstation in some way?
In smb.conf what are your [sysvol] settings? Has Group Policy ever worked?
--
-James
Rowland Penny
2015-05-20 19:01:25 UTC
Post by Ryan Ashley
I have been fighting a strange issue with Samba for over a year now, and
I am at my wits end. For some reason, clients are unable to get group
policy settings from the servers. It honestly appears to be the Windows
7 systems just deciding they don't want to, but they're not terminators.
The systems can ping both Samba servers and can even map the sysvol
shares to a drive and navigate them. However, when using "gpupdate", it
errors every time claiming that it could not read gpt.ini from the
location. DNS is correct and verified. I can ping the server and the
address is correct. I can map the sysvol share and anything below it and
read all files both as a normal user and as a domain admin. The servers
can ping the workstations both by IP and hostname, heck even FQDN works.
I have disabled the firewall on the problem systems completely and still
no go. Oh and the servers can resolve domain users and groups. Using
wbinfo shows them all.
Yes, but what about getent or id ?

Rowland
Ryan Ashley
2015-05-26 15:16:13 UTC
Sorry for the delay, I have been out of town. Your hunch was correct,
Rowland. Both getent and id only return local machine accounts, not
domain accounts. What have I overlooked which would cause this? I do
have winbind in my PAM configuration.

James, it has worked for a few years. It recently (in the last year)
started having workstations report being unable to access the gpt.ini
files. The information you requested is below. This has not been altered
by me, it was set up this way when Samba was installed.

[sysvol]
path = /samba/var/locks/sysvol
read only = No
--
Lead IT/IS Specialist
Reach Technology FP, Inc
Ryan Ashley
2015-05-29 13:08:48 UTC
I still have not figured this out. The only error in my logs is related
to printing, which my DCs do not do.

[2015/05/29 08:17:37.183408, 0]
../source3/printing/print_standard.c:69(std_pcap_cache_reload)
Unable to open printcap file /etc/printcap for read!
[2015/05/29 08:30:37.966659, 0]
../source3/printing/print_standard.c:69(std_pcap_cache_reload)
Unable to open printcap file /etc/printcap for read!
[2015/05/29 08:43:38.750796, 0]
../source3/printing/print_standard.c:69(std_pcap_cache_reload)
Unable to open printcap file /etc/printcap for read!
[2015/05/29 08:56:39.535464, 0]
../source3/printing/print_standard.c:69(std_pcap_cache_reload)
Unable to open printcap file /etc/printcap for read!


Both getent and id still only work with local accounts on my DC and
searching for this problem shows a few results from around 2007, but
none are my issue.
--
Lead IT/IS Specialist
Reach Technology FP, Inc
L.P.H. van Belle
2015-05-29 14:13:03 UTC
hai,

add this to your smb.conf of the DC.

##---- disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

and gone are your errors about printing.

Greetz,

Louis
Ryan Ashley
2015-05-29 14:40:21 UTC
Thank you, Louis. This has not corrected the getent and id issue, however.
--
Lead IT/IS Specialist
Reach Technology FP, Inc
Ryan Ashley
2015-06-03 15:43:40 UTC
James, I cloned it using git. I installed it to a private partition
(/samba) back when I was first testing Samba4. It is in the path and
this worked for ages, but recently just stopped. No errors, no warnings,
nothing. Just dead.

The GP in question is the default domain policy. I already tried
unlinking it and it fails on the next one. I only have two GPOs, so it
cannot "read" either one. I also noted that, during one of my angry
moments, I just kept spamming "gpupdate" in a DOS box on the workstation
and suddenly it worked once, then went back to erroring out. Spamming it
has not fixed it since. I even wrote a small batch script which looped
until gpupdate returned success. It went into an endless loop which
lasted about 20hrs before I stopped it.

As for the sysvol location, it is in "/samba/var/locks/sysvol", which
worked for a few years, and has just stopped. Permissions appear to be
correct.
Post by Ryan Ashley
Thank you, Louis. This has not corrected the getent and id issue, however.
Ryan,
Is it a specific GP that can't be read? Can you remove all links to
one workstation and leave just the default domain GP and test? Did you
install samba from tar and provide the location for sysvol in the build?
--
Lead IT/IS Specialist
Reach Technology FP, Inc
James
2015-06-04 12:46:18 UTC
Post by Ryan Ashley
James, I cloned it using git. I installed it to a private partition
(/samba) back when I was first testing Samba4. It is in the path and
this worked for ages, but recently just stopped. No errors, no warnings,
nothing. Just dead.
The GP in question is the default domain policy. I already tried
unlinking it and it fails on the next one. I only have two GPOs, so it
cannot "read" either one. I also noted that, during one of my angry
moments, I just kept spamming "gpupdate" in a DOS box on the workstation
and suddenly it worked once, then went back to erroring out. Spamming it
has not fixed it since. I even wrote a small batch script which looped
until gpupdate returned success. It went into an endless loop which
lasted about 20hrs before I stopped it.
As for the sysvol location, it is in "/samba/var/locks/sysvol", which
worked for a few years, and has just stopped. Permissions appear to be
correct.
Post by Ryan Ashley
Thank you, Louis. This has not corrected the getent and id issue, however.
Ryan,
Is it a specific GP that can't be read? Can you remove all links to
one workstation and leave just the default domain GP and test? Did you
install samba from tar and provide the location for sysvol in the build?
Ryan,

It definitely sounds like a permission problem. I can only think of
one other thing. Try

samba-tool ntacl sysvolreset --use-ntvfs

See if gpupdate works. If it works try

samba-tool ntacl sysvolreset --use-s3fs

Are you using a central store for group policy? I'm not sure what else
to try.
--
-James
Ryan Ashley
2015-06-04 16:42:02 UTC
I tried resetting dozens of times, neither works. I do remember a
permissions issue from ages back, where the Unix permissions had to be
777 on a share and then the ACL stuff worked. Do I need to set the
sysvol to 777?

What about getent and id not working on the DC? I cannot find any
information relevant to my situation with them online.
--
Lead IT/IS Specialist
Reach Technology FP, Inc
L.P.H. van Belle
2015-06-05 06:44:38 UTC
Post by Ryan Ashley
What about getent and id not working on the DC? I cannot find any
information relevant to my situation with them online.
ok, try the following.

chown -R root:root /samba/var/locks/sysvol
chmod -R 755 /samba/var/locks/sysvol

kinit Administrator
samba-tool ntacl sysvolreset
kdestroy

the id/getent issue..
install libnss-winbind

and check your server again with.
read :
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
from : Make domain users/groups available locally through Winbind


Greetz,

Louis
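
A check for the symptom reported in this thread (wbinfo lists domain accounts while getent and id return only local ones), added here as an example and not part of any post. It reads nsswitch.conf to see whether the passwd and group databases consult winbind and looks for the NSS module file; the function names, the constructed sample files and the library search directories are assumptions.

```shell
#!/bin/sh
# Added example: why "wbinfo -u" can work while "getent passwd" shows only local users.
# NSS asks winbind only if nsswitch.conf lists it for the database and the
# libnss_winbind.so.2 module can be loaded.

# nss_sources FILE DB: print the sources configured for DB, e.g. "compat winbind".
# Comments and [STATUS=action] items are ignored.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, ""); gsub(/\[[^]]*\]/, " ") }
        {
            n = index($0, ":")
            if (n == 0) next
            name = substr($0, 1, n - 1)
            gsub(/[ \t]/, "", name)
            if (name != db) next
            $0 = substr($0, n + 1)   # keep only the source list
            $1 = $1                  # normalise whitespace
            print
            exit
        }' "$1"
}

# nss_has_winbind FILE DB: succeed if winbind is one of the sources for DB.
nss_has_winbind() {
    case " $(nss_sources "$1" "$2") " in
        *" winbind "*) return 0 ;;
        *) return 1 ;;
    esac
}

# nss_report FILE: one line per database; returns 1 if winbind is missing from either.
nss_report() {
    rc=0
    for db in passwd group; do
        src=$(nss_sources "$1" "$db")
        if nss_has_winbind "$1" "$db"; then
            echo "$db: ok ($src)"
        else
            echo "$db: winbind not listed (${src:-no entry})"
            rc=1
        fi
    done
    return $rc
}

# nss_lib_present DIR...: succeed if the winbind NSS module exists in any DIR.
nss_lib_present() {
    for d in "$@"; do
        [ -e "$d/libnss_winbind.so.2" ] && return 0
    done
    return 1
}

# live_check: on a real host, take one user winbindd knows and ask NSS for it.
live_check() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found, skipping"; return 0; }
    user=$(wbinfo -u 2>/dev/null | head -n 1)
    [ -n "$user" ] || { echo "winbindd returned no users"; return 1; }
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "NSS resolves $user"
    else
        echo "wbinfo lists $user but getent cannot resolve it"
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Directory list is an assumption; a self-built Samba may keep the module elsewhere.
    nss_report /etc/nsswitch.conf || true
    nss_lib_present /lib /lib64 /usr/lib /usr/lib64 \
        /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu \
        || echo "libnss_winbind.so.2 not found in the searched directories"
    live_check || true
else
    # Constructed sample files, not taken from the thread.
    tmp=$(mktemp -d)
    printf 'passwd: compat\ngroup: compat\n' > "$tmp/broken"
    printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$tmp/fixed"
    echo "constructed file without winbind:"; nss_report "$tmp/broken" || true
    echo "constructed file with winbind:";    nss_report "$tmp/fixed" || true
    rm -rf "$tmp"
fi
```

Run with `--live` on the server to check the real /etc/nsswitch.conf and query winbindd; without arguments it only processes the constructed samples.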
Post by Ryan Ashley
-----Oorspronkelijk bericht-----
Verzonden: donderdag 4 juni 2015 18:42
Onderwerp: Re: [Samba] Clients unable to get group policy...
I tried resetting dozens of times, neither works. I do remember a
permissions issue from ages back, where the Unix permissions had to be
777 on a share and then the ACL stuff worked. Do I need to set the
sysvol to 777?
What about getent and id not working on the DC? I cannot find any
information relevant to my situation with them online.
Post by James
Post by Ryan Ashley
James, I cloned it using git. I installed it to a private partition
(/samba) back when I was first testing Samba4. It is in the path and
this worked for ages, but recently just stopped. No errors, no warnings,
nothing. Just dead.
The GP in question is the default domain policy. I already tried
unlinking it and it fails on the next one. I only have two GPOs, so it
cannot "read" either one. I also noted that, during one of my angry
moments, I just kept spamming "gpupdate" in a DOS box on the workstation
and suddenly it worked once, then went back to erroring out. Spamming it
has not fixed it since. I even wrote a small batch script which looped
until gpupdate returned success. It went into an endless loop which
lasted about 20hrs before I stopped it.
As for the sysvol location, it is in "/samba/var/locks/sysvol", which
worked for a few years, and has just stopped. Permissions appear to be
correct.
Post by Ryan Ashley
Thank you, Louis. This has not corrected the getent and id issue, however.
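A read-only audit of the Unix side of the steps discussed above (expected ownership, no world-writable entries such as a chmod 777 would leave, and a GPT.INI in every GPO folder), as an added example that is not from any post in this thread. The function names, the domain name and the GUIDs in the sample tree are made up; the NT ACLs that samba-tool ntacl sysvolcheck inspects are outside its scope.

```shell
#!/bin/sh
# Added example, not from the thread. All function names are hypothetical.

# has_gpt_ini DIR: succeed if DIR holds a non-empty, readable GPT.INI.
# The name is matched in any casing, as Windows clients treat it.
has_gpt_ini() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f" | tr '[:upper:]' '[:lower:]')
        if [ "$name" = "gpt.ini" ] && [ -r "$f" ] && [ -s "$f" ]; then
            return 0
        fi
    done
    return 1
}

# sysvol_audit DIR [OWNER]: print one finding per line.
# Returns 0 if clean, 1 if anything was flagged, 2 if DIR is missing.
sysvol_audit() {
    sv_root=$1
    sv_owner=${2:-root}
    sv_rc=0
    [ -d "$sv_root" ] || { echo "MISSING $sv_root"; return 2; }

    # Entries writable by "other": any local account could alter GPO files.
    sv_hits=$(find "$sv_root" ! -type l -perm -0002 -print)
    if [ -n "$sv_hits" ]; then
        printf '%s\n' "$sv_hits" | sed 's/^/WORLD-WRITABLE /'
        sv_rc=1
    fi

    # Entries not owned by the expected account (root after chown -R root:root).
    sv_hits=$(find "$sv_root" ! -user "$sv_owner" -print)
    if [ -n "$sv_hits" ]; then
        printf '%s\n' "$sv_hits" | sed 's/^/WRONG-OWNER /'
        sv_rc=1
    fi

    # Every GPO directory (<domain>/Policies/{GUID}) must carry a GPT.INI.
    for gpo in "$sv_root"/*/Policies/\{*\}; do
        [ -d "$gpo" ] || continue
        has_gpt_ini "$gpo" || { echo "NO-GPT.INI $gpo"; sv_rc=1; }
    done
    return "$sv_rc"
}

# make_sample_sysvol DIR: build a small constructed tree with one healthy
# GPO and one GPO that is world-writable in one spot and lacks GPT.INI.
make_sample_sysvol() {
    p="$1/example.test/Policies"
    good="$p/{11111111-1111-1111-1111-111111111111}"
    bad="$p/{22222222-2222-2222-2222-222222222222}"
    mkdir -p "$good/MACHINE" "$bad/USER"
    printf '[General]\nVersion=1\n' > "$good/GPT.INI"
    chmod -R 755 "$1"
    chmod 777 "$bad/USER"
}
```

On a DC the call would be `sysvol_audit /samba/var/locks/sysvol root`, using the sysvol path given in the thread.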
Ryan Ashley
2015-06-05 14:52:28 UTC
Permalink
Louis, I have not used kinit prior to doing the reset but I just did it.
Everything worked flawlessly but I won't know if it worked until I get
to a PC at their location. Also, libnss-winbind is installed correctly.
I have done this a few times but this is the only domain with issues.
Maybe I am looking at something incorrectly, and I will re-read the
guide, again. Assuming my configuration, or the parts you asked for
here, are done correctly, what should I look at next?

***@dc01:/lib# l | grep winbind
lrwxrwxrwx 1 root root 30 Aug 22 2014 libnss_winbind.so ->
/samba/lib/libnss_winbind.so.2
***@dc01:/lib# chown -R root:root /samba/var/locks/sysvol
***@dc01:/lib# chmod -R 755 /samba/var/locks/sysvol
***@dc01:/lib# kinit reachfp
Password for ***@KIGM.LOCAL:
***@dc01:/lib# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@KIGM.LOCAL

Valid starting Expires Service principal
06/05/15 10:44:25 06/05/15 20:44:25 krbtgt/***@KIGM.LOCAL
renew until 06/06/15 10:44:19
***@dc01:/lib# samba-tool ntacl sysvolreset
***@dc01:/lib# kdestroy

Just so you know, the domain administrator is renamed to reachfp. That
is why I did not use "Administrator" as you said.
Ryan Ashley
2015-06-05 15:07:51 UTC
Permalink
I noticed something different on the page you linked. It must be
outdated or maybe it is set up for a different version of Debian. The
system runs Debian Wheezy AMD64. The paths referenced do not exist. I
also checked several other Debian systems and NONE have the
"x86_64-linux-gnu" directories.

***@dc01:~# uname -r
2.6.32-5-amd64
***@dc01:~# l /lib | grep x86
lrwxrwxrwx 1 root root 12 Dec 27 2012 ld-linux-x86-64.so.2 ->
ld-2.11.3.so
***@dc01:~# l /usr/lib | grep x86
***@dc01:~#

Is this the problem? What version of Debian is the guide for? I believe
Debian 8 was released recently but cannot be sure since it is a systemd
distro I now use Gentoo. If the guide is for 8, maybe we need one for 7
since it is supported until the release of 9.
Rowland Penny
2015-06-05 15:23:50 UTC
Permalink
Post by Ryan Ashley
I noticed something different on the page you linked. It must be
outdated or maybe it is setup for a different version of Debian. The
system runs Debian Wheezy AMD64. The paths referenced do not exist. I
also checked several other Debian systems and NONE have the
"x86_64-linux-gnu" directories.
2.6.32-5-amd64
lrwxrwxrwx 1 root root 12 Dec 27 2012 ld-linux-x86-64.so.2 ->
ld-2.11.3.so
Is this the problem? What version of Debian is the guide for? I believe
Debian 8 was released recently but cannot be sure since it is a systemd
distro I now use Gentoo. If the guide is for 8, maybe we need one for 7
since it is supported until the release of 9.
Are you sure it is running wheezy ?

On my DC:

***@dc01:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"

***@dc01:~# uname -r
3.2.0-4-amd64

***@dc01:~# ls /lib | grep x86
x86_64-linux-gnu

Rowland
Ryan Ashley
2015-06-08 15:25:01 UTC
Permalink
Rowland, you are correct. I remember now. When we started using
XenServer, Wheezy would not work under it. This is a Squeeze
installation, not Wheezy. Will Samba no longer work with Squeeze? If so
it may be an excuse to upgrade the domain after all these years.
Ryan Ashley
2015-06-12 12:46:53 UTC
Permalink
Anybody? Is my problem that this client is still on Debian 6?

L.P.H. van Belle
2015-06-12 13:14:21 UTC
Permalink
Or upgrade your Xen servers, and a tip for a jessie install on Xen 6.2: choose other linux,
or upgrade to Xen 6.5 for jessie support.

Or you can try upgrading to the latest 3.6 version on squeeze (3.6.25):
http://www.enterprisesamba.com/samba-packages/debian-linux/squeeze/
or, even better, move up to 4.2.2 (I advise a wheezy install with SerNet samba),
and member servers can be debian jessie with 4.1.17. That's what you want.

Which samba are you using on squeeze: 3.5.x or the backported 3.6.6?


Greetz,

Louis
Ryan Ashley
2015-06-12 14:17:03 UTC
Permalink
Louis, 4.2.2 (git clone method for 4-2-stable branch) is what I am
running. I will NOT be using Debian 8 due to systemd. If I have to do
this, we're going to plan a down-time for the client, zero everything,
do a fresh XenServer install and install Gentoo 64bit under XS. If that
is what must be done, so be it. I can do that. I'll simply have one VM
on each physical server which builds the source packages into binary
ones for the others to pull. This way Gentoo doesn't bog things down
during business hours with compiling updates.

Rowland Penny
2015-06-12 14:43:59 UTC
Permalink
Post by Ryan Ashley
Louis, 4.2.2 (git clone method for 4-2-stable branch) is what I am
running. I will NOT be using Debian 8 due to systemd. If I have to do
this, we're going to plan a down-time for the client, zero everything,
do a fresh XenServer install and install Gentoo 64bit under XS. If that
is what must be done, so be it. I can do that. I'll simply have one VM
on each physical server which builds the source packages into binary
ones for the others to pull. This way Gentoo doesn't bog things down
during business hours with compiling updates.
You don't have to go to such extremes, you can still use wheezy and
latest samba from Sernet, this should buy you some time until Devuan
comes out.
I too will not use debian jessie, in my opinion, if you run a Linux
system with systemd, you might as well run windows.

Rowland
L.P.H. van Belle
2015-06-12 14:54:30 UTC
Permalink
OK, so if I understand right,
your sysvol is on a shared folder which is a debian squeeze server.
I think your problem is that the needed ACL can't be set on the squeeze server.

and why not systemd, since gentoo also does systemd
https://wiki.gentoo.org/wiki/Systemd
and if you really want, just run your install with

preseed/late_command="in-target apt-get install -y sysvinit-core"
( see https://wiki.debian.org/systemd#Installing_without_systemd )

I've a running debian jessie as fileserver, proxy server and mail server and I'm really happy with it. ( yes, with systemd )
much faster boot, well much faster whole os.. ;-) but that's not debated here..
choose what you like.

Greetz,

Louis
Rowland Penny
2015-06-12 15:03:16 UTC
Permalink
Post by L.P.H. van Belle
Ok, so if i understand right,
your sysvol is on a shared folder which is a debian squeeze server.
i think you problem is that the needed acl cant be set on the queeze server.
You are probably right Louis.
Post by L.P.H. van Belle
and why not systemd, since gentoo also does systemd
https://wiki.gentoo.org/wiki/Systemd
Ah but Gentoo only does systemd if you want to, systemd is a cure
looking for a problem, or to put it another way, it is like using a
sledgehammer to crack a nut.
Post by L.P.H. van Belle
and if you really want, just run your install with
preseed/late_command="in-target apt-get install -y sysvinit-core"
( see https://wiki.debian.org/systemd#Installing_without_systemd )
:-D :-D :-D ROFL ROFL

Have you tried NOT using systemd on Jessie!
Post by L.P.H. van Belle
I've a running debian jessie as fileserver, proxy server and mail server and im really happy with it. ( yes, with systemd )
much faster boot, well much faster whole os.. ;-) but thats not on debated here..
choose what you like.
99% of your speed gain has nothing to do with systemd.

Rowland
Post by L.P.H. van Belle
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: vrijdag 12 juni 2015 16:17
Onderwerp: Re: [Samba] Clients unable to get group policy...
Louis, 4.2.2 (git clone method for 4-2-stable branch) is what I am
running. I will NOT be using Debian 8 due to systemd. If I have to do
this, we're going to plan a down-time for the client, zero everything,
do a fresh XenServer install and install Gentoo 64bit under XS. If that
is what must be done, so be it. I can do that. I'll simply have one VM
on each physical server which builds the source packages into binary
ones for the others to pull. This way Gentoo doesn't bog things down
during business hours with compiling updates.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by L.P.H. van Belle
Or upgrade you xen servers and a tip for a jessie install on
xen 6.2 choose other linux
Post by L.P.H. van Belle
or upgrade to Xen 6.5. for jessie support.
or you can try upgradeing to latest 3.6 version on squeeze.
( 3.6.25 )
Post by L.P.H. van Belle
http://www.enterprisesamba.com/samba-packages/debian-linux/squeeze/
or even better move up to 4.2.2. ( i advice a wheezy install
with sernet samba )
Post by L.P.H. van Belle
and member servers can be debian jessie with 4.1.17. thats
what you want.
Post by L.P.H. van Belle
which samba are you using on squeeze. 3.5.x of the
backported 3.6.6 ?
Post by L.P.H. van Belle
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: vrijdag 12 juni 2015 14:47
Onderwerp: Re: [Samba] Clients unable to get group policy...
Anybody? Is my problem that this client is still on Debian 6?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Rowland, you are correct. I remember now. When we started using
XenServer, Wheezy would not work under it. This is a Squeeze
installation, not Wheezy. Will Samba no longer work with Squeeze? If so
it may be an excuse to upgrade the domain after all these years.
Post by Rowland Penny
Post by Ryan Ashley
I noticed something different on the page you linked. It must be
outdated or maybe it is setup for a different version of Debian. The
system runs Debian Wheezy AMD64. The paths referenced do not exist. I
also checked several other Debian systems and NONE have the
"x86_64-linux-gnu" directories.
2.6.32-5-amd64
lrwxrwxrwx 1 root root 12 Dec 27 2012 ld-linux-x86-64.so.2 -> ld-2.11.3.so
Is this the problem? What version of Debian is the guide for? I believe
Debian 8 was released recently but cannot be sure since it is a systemd
distro I now use Gentoo. If the guide is for 8, maybe we need one for 7
since it is supported until the release of 9.
Are you sure it is running wheezy ?
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"
3.2.0-4-amd64
x86_64-linux-gnu
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Ryan Ashley
2015-06-15 13:59:04 UTC
Permalink
Well, here is my plan of action. I will migrate the VMs on the secondary
server to the primary one. Then I will zero the RAID10 array, install
the latest XenServer, and load a Gentoo VM to build the needed binary
packages. I can then create a new DC, promote it to the primary server,
move the Windows VMs back to the secondary server, and then wipe and
reload the primary box. This way I have an evolving OS which shouldn't
be left behind, no systemd, and my problems with Samba should go away.
Oh, and I am not blaming Samba for the issues. It has evolved and become
better. Debian 6 (Squeeze) has NOT, due to being oldstable and now obsolete.

Hey, it will be a learning experience for my assistant. Besides, if I
screw something up I can get great help on this list and worst case
scenario is I get to build a new domain. Thanks for the help, Rowland
and Louis.

Lead IT/IS Specialist
Reach Technology FP, Inc
Ryan Ashley
2015-06-30 16:18:44 UTC
Permalink
I hate to revive this, but before I push my client through an upgrade, I
have to be sure my issue is with ACLs not being supported, as suggested.
Squeeze does have ACL support.

***@dc01:/samba/var/locks# getfacl sysvol
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

***@dc01:/samba/var/locks# uname -r
2.6.32-5-amd64

With this information, are we absolutely sure that my issue is somehow
related to ACL's in Squeeze? The client is against upgrading unless we
have no other option, but now the problem has spread and is affecting a
large number, but not all PCs at their location.

Lead IT/IS Specialist
Reach Technology FP, Inc
Rowland Penny
2015-06-30 19:50:40 UTC
Permalink
Sorry about this, but I think we are going to have to start again, I
cannot remember just exactly what your problem is.

This is the result of running 'getfacl /var/lib/samba/sysvol' on my
second DC:

***@dc03:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000 --> dn: CN=S-1-5-32-544
user::rwx
user:root:rwx
user:3000000:rwx --> dn: CN=S-1-5-32-544
user:3000009:r-x --> dn: CN=S-1-5-11
user:3000016:r-x --> dn: CN=S-1-5-32-549
user:3000017:rwx --> dn: CN=S-1-5-18
group::rwx
group:3000000:rwx --> dn: CN=S-1-5-32-544
group:3000009:r-x --> dn: CN=S-1-5-11
group:3000016:r-x --> dn: CN=S-1-5-32-549
group:3000017:rwx --> dn: CN=S-1-5-18
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx --> dn: CN=S-1-5-32-544
default:user:3000009:r-x --> dn: CN=S-1-5-11
default:user:3000016:r-x --> dn: CN=S-1-5-32-549
default:user:3000017:rwx --> dn: CN=S-1-5-18
default:group::---
default:group:3000000:rwx --> dn: CN=S-1-5-32-544
default:group:3000009:r-x --> dn: CN=S-1-5-11
default:group:3000016:r-x --> dn: CN=S-1-5-32-549
default:group:3000017:rwx --> dn: CN=S-1-5-18
default:mask::rwx
default:other::---

As you can see, I have added some extra info, this is what the
xidNumbers are mapped from, so if your xidNumbers map to the same 'well
known SIDs', then there doesn't seem to be much wrong.

You can check your 'idmap.ldb' file with: ldbedit -e nano -H
/var/lib/samba/private/idmap.ldb

Rowland
Ryan Ashley
2015-07-02 15:55:15 UTC
Permalink
Rowland, here is what I found in the ldb.

# record 68
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 70
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549

# record 73
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18

# record 16
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11

It appears as though they're in my database, but clients still cannot
update group policy. It randomly works once or twice, then goes back to
not working. Due to this, some workstations can hang for 20min trying to
update all of their GPOs upon first boot. I have wbinfo working, but
'id' and 'getent' still do not work for domain users and groups. PAM is
setup and is pasted below to save you from asking for it, should you be
so inclined.

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns wins
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

If you have any suggestions, I am all ears. If you say we must upgrade
to Gentoo, I have to bite the bullet and do it.

One more thing. I discovered that Samba4 cannot be a master browser. Due
to this, workstations are randomly being elected as the master browser.
When that system sleeps because the client doesn't turn it off, shares
become inaccessible. I have a Buffalo NAS that can be a master browser
(Samba3 on it), but Buffalo apparently locked me out of SSH access!
Could this be related?

Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
I hate to revive this, but before I push my client through an upgrade, I
have to be sure my issue is with ACLs not being supported, as suggested.
Squeeze does have ACL support.
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
2.6.32-5-amd64
With this information, are we absolutely sure that my issue is somehow
related to ACL's in Squeeze? The client is against upgrading unless we
have no other option, but now the problem has spread and is affecting a
large number, but not all PCs at their location.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Well, here is my plan of action. I will migrate the VMs on the secondary
server to the primary one. Then I will zero the RAID10 array, install
the latest XenServer, and load a Gentoo VM to build the needed binary
packages. I can then create a new DC, promote it to the primary server,
move the Windows VMs back to the secondary server, and then wipe and
reload the primary box. This way I have an evolving OS which shouldn't
be left behind, no systemd, and my problems with Samba should go away.
Oh, and I am not blaming Samba for the issues. It has evolved and become
better. Debian 6 (Squeeze) has NOT, due to being oldstable and now obsolete.
Hey, it will be a learning experience for my assistant. Besides, if I
screw something up I can get great help on this list and worst case
scenario is I get to build a new domain. Thanks for the help, Rowland
and Louis.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by L.P.H. van Belle
Ok, so if i understand right,
your sysvol is on a shared folder which is a debian squeeze server.
i think you problem is that the needed acl cant be set on the queeze server.
You are probably right Louis.
Post by L.P.H. van Belle
and why not systemd, since gentoo also does systemd
https://wiki.gentoo.org/wiki/Systemd
Ah but Gentoo only does systemd if you want to, systemd is a cure
looking for a problem, or to put it another way, it is like using a
sledgehammer to crack a nut.
Post by L.P.H. van Belle
and if you really want, just run your install with
preseed/late_command="in-target apt-get install -y sysvinit-core"
( see https://wiki.debian.org/systemd#Installing_without_systemd )
:-D :-D :-D ROFL ROFL
Have you tried NOT using systemd on Jessie!
Post by L.P.H. van Belle
I've a running debian jessie as fileserver, proxy server and mail
server and im really happy with it. ( yes, with systemd )
much faster boot, well much faster whole os.. ;-) but thats not on debated here..
choose what you like.
99% of your speed gain has nothing to do with systemd.
Rowland
Post by L.P.H. van Belle
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: vrijdag 12 juni 2015 16:17
Onderwerp: Re: [Samba] Clients unable to get group policy...
Louis, 4.2.2 (git clone method for 4-2-stable branch) is what I am
running. I will NOT be using Debian 8 due to systemd. If I have to do
this, we're going to plan a down-time for the client, zero everything,
do a fresh XenServer install and install Gentoo 64bit under XS. If that
is what must be done, so be it. I can do that. I'll simply have one VM
on each physical server which builds the source packages into binary
ones for the others to pull. This way Gentoo doesn't bog things down
during business hours with compiling updates.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by L.P.H. van Belle
Or upgrade you xen servers and a tip for a jessie install on
xen 6.2 choose other linux
Post by L.P.H. van Belle
or upgrade to Xen 6.5. for jessie support.
or you can try upgradeing to latest 3.6 version on squeeze.
( 3.6.25 )
Post by L.P.H. van Belle
http://www.enterprisesamba.com/samba-packages/debian-linux/squeeze/
or even better move up to 4.2.2. ( i advice a wheezy install
with sernet samba )
Post by L.P.H. van Belle
and member servers can be debian jessie with 4.1.17. thats
what you want.
Post by L.P.H. van Belle
which samba are you using on squeeze. 3.5.x of the
backported 3.6.6 ?
Post by L.P.H. van Belle
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: vrijdag 12 juni 2015 14:47
Onderwerp: Re: [Samba] Clients unable to get group policy...
Anybody? Is my problem that this client is still on Debian 6?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Rowland, you are correct. I remember now. When we started using
XenServer, Wheezy would not work under it. This is a Squeeze
installation, not Wheezy. Will Samba no longer work with
Squeeze? If so
Post by Ryan Ashley
it may be an excuse to upgrade the domain after all these years.
Post by Rowland Penny
Post by Ryan Ashley
I noticed something different on the page you linked. It must be
outdated or maybe it is setup for a different version of
Debian. The
Post by Ryan Ashley
Post by Rowland Penny
Post by Ryan Ashley
system runs Debian Wheezy AMD64. The paths referenced do
not exist. I
Post by Ryan Ashley
Post by Rowland Penny
Post by Ryan Ashley
also checked several other Debian systems and NONE have the
"x86_64-linux-gnu" directories.
2.6.32-5-amd64
lrwxrwxrwx 1 root root 12 Dec 27 2012
ld-linux-x86-64.so.2 ->
Post by Ryan Ashley
Post by Rowland Penny
Post by Ryan Ashley
ld-2.11.3.so
Is this the problem? What version of Debian is the guide
for? I believe
Post by Ryan Ashley
Post by Rowland Penny
Post by Ryan Ashley
Debian 8 was released recently but cannot be sure since it
is a systemd
Post by Ryan Ashley
Post by Rowland Penny
Post by Ryan Ashley
distro I now use Gentoo. If the guide is for 8, maybe we
need one for 7
Post by Ryan Ashley
Post by Rowland Penny
Post by Ryan Ashley
since it is supported until the release of 9.
Are you sure it is running wheezy ?
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"
3.2.0-4-amd64
x86_64-linux-gnu
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Sorry about this, but I think we are going to have to start again, I
cannot remember just exactly what your problem is.
This is the result of running 'getfacl /var/lib/samba/sysvol' on my
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000 --> dn: CN=S-1-5-32-544
user::rwx
user:root:rwx
user:3000000:rwx --> dn: CN=S-1-5-32-544
user:3000009:r-x --> dn: CN=S-1-5-11
user:3000016:r-x --> dn: CN=S-1-5-32-549
user:3000017:rwx --> dn: CN=S-1-5-18
group::rwx
group:3000000:rwx --> dn: CN=S-1-5-32-544
group:3000009:r-x --> dn: CN=S-1-5-11
group:3000016:r-x --> dn: CN=S-1-5-32-549
group:3000017:rwx --> dn: CN=S-1-5-18
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx --> dn: CN=S-1-5-32-544
default:user:3000009:r-x --> dn: CN=S-1-5-11
default:user:3000016:r-x --> dn: CN=S-1-5-32-549
default:user:3000017:rwx --> dn: CN=S-1-5-18
default:group::---
default:group:3000000:rwx --> dn: CN=S-1-5-32-544
default:group:3000009:r-x --> dn: CN=S-1-5-11
default:group:3000016:r-x --> dn: CN=S-1-5-32-549
default:group:3000017:rwx --> dn: CN=S-1-5-18
default:mask::rwx
default:other::---
As you can see, I have added some extra info, this is what the
xidNumbers are mapped from, so if your xidNumbers map to the same
'well known SIDs', then there doesn't seem to be much wrong.
You can check your 'idmap.ldb' file with: ldbedit -e nano -H
/var/lib/samba/private/idmap.ldb
Rowland
Rowland Penny
2015-07-02 16:26:03 UTC
Post by Ryan Ashley
Rowland, here is what I found in the ldb.
# record 68
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
# record 70
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549
# record 73
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18
# record 16
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11
It appears as though they're in my database, but clients still cannot
update group policy. It randomly works once or twice, then goes back to
not working. Due to this, some workstations can hang for 20min trying to
update all of their GPOs upon first boot. I have wbinfo working, but
'id' and 'getent' still do not work for domain users and groups. PAM is
set up and is pasted below to save you from asking for it, should you be
so inclined.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you have any suggestions, I am all ears. If you say we must upgrade
to Gentoo, I have to bite the bullet and do it.
One more thing. I discovered that Samba4 cannot be a master browser. Due
to this, workstations are randomly being elected as the master browser.
When that system sleeps because the client doesn't turn it off, shares
become inaccessible. I have a Buffalo NAS that can be a master browser
(Samba3 on it), but Buffalo apparently locked me out of SSH access!
Could this be related?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
I hate to revive this, but before I push my client through an upgrade, I
have to be sure my issue is with ACLs not being supported, as suggested.
Squeeze does have ACL support.
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
2.6.32-5-amd64
With this information, are we absolutely sure that my issue is somehow
related to ACLs in Squeeze? The client is against upgrading unless we
have no other option, but now the problem has spread and is affecting a
large number, but not all PCs at their location.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Well, here is my plan of action. I will migrate the VMs on the secondary
server to the primary one. Then I will zero the RAID10 array, install
the latest XenServer, and load a Gentoo VM to build the needed binary
packages. I can then create a new DC, promote it to the primary server,
move the Windows VMs back to the secondary server, and then wipe and
reload the primary box. This way I have an evolving OS which shouldn't
be left behind, no systemd, and my problems with Samba should go away.
Oh, and I am not blaming Samba for the issues. It has evolved and become
better. Debian 6 (Squeeze) has NOT, due to being oldstable and now obsolete.
Hey, it will be a learning experience for my assistant. Besides, if I
screw something up I can get great help on this list and worst case
scenario is I get to build a new domain. Thanks for the help, Rowland
and Louis.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by L.P.H. van Belle
OK, so if I understand right,
your sysvol is on a shared folder which is a Debian squeeze server.
I think your problem is that the needed ACL can't be set on the squeeze server.
You are probably right Louis.
Post by L.P.H. van Belle
and why not systemd, since gentoo also does systemd
https://wiki.gentoo.org/wiki/Systemd
Ah but Gentoo only does systemd if you want to, systemd is a cure
looking for a problem, or to put it another way, it is like using a
sledgehammer to crack a nut.
Post by L.P.H. van Belle
and if you really want, just run your install with
preseed/late_command="in-target apt-get install -y sysvinit-core"
( see https://wiki.debian.org/systemd#Installing_without_systemd )
:-D :-D :-D ROFL ROFL
Have you tried NOT using systemd on Jessie!
Post by L.P.H. van Belle
I've a running debian jessie as fileserver, proxy server and mail
server and I'm really happy with it. ( yes, with systemd )
much faster boot, well much faster whole os.. ;-) but that's not debated here..
choose what you like.
99% of your speed gain has nothing to do with systemd.
Rowland
Post by L.P.H. van Belle
Greetz,
Louis
-----Original message-----
Sent: Friday 12 June 2015 16:17
Subject: Re: [Samba] Clients unable to get group policy...
Louis, 4.2.2 (git clone method for 4-2-stable branch) is what I am
running. I will NOT be using Debian 8 due to systemd. If I have to do
this, we're going to plan a down-time for the client, zero everything,
do a fresh XenServer install and install Gentoo 64bit under XS. If that
is what must be done, so be it. I can do that. I'll simply have one VM
on each physical server which builds the source packages into binary
ones for the others to pull. This way Gentoo doesn't bog things down
during business hours with compiling updates.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by L.P.H. van Belle
Or upgrade your Xen servers, and a tip for a jessie install on
Xen 6.2: choose other linux
or upgrade to Xen 6.5 for jessie support.
or you can try upgrading to the latest 3.6 version on squeeze ( 3.6.25 )
http://www.enterprisesamba.com/samba-packages/debian-linux/squeeze/
or even better move up to 4.2.2 ( I advise a wheezy install with sernet samba )
and member servers can be debian jessie with 4.1.17. That's what you want.
Which samba are you using on squeeze, 3.5.x or the backported 3.6.6?
Greetz,
Louis
The only difference between your sysvol 'getfacl' output and mine is this:

other::rwx

Mine is:

other::---

But this will probably just be down to yours having unix permissions
'777' on /var/lib/samba/sysvol whilst mine is '770'

If you do not have *any* Unix clients then when connecting to the DC
from a Windows client, id & getent don't need to work. wbinfo works
differently from id & getent and as it shows your users & groups means
this is working ok. Is there anything in the event logs on the clients?
I 'think' this could just be a lack of communication between the client
& DC, or the GPOs are in the wrong place or something stupid like this.
How do the clients get their DNS info? Is it a time problem?

Rowland
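
The comparison described in the reply above (resolve each xidNumber to its SID through idmap.ldb, then diff the two sysvol ACLs by SID rather than by number) can be scripted. This is an added example, not code from the thread or from Samba; the function names are illustrative, and the sample inputs are the access entries copied from the getfacl and idmap.ldb output posted in this thread.

```python
import re

# One getfacl entry; the "--> dn: CN=<SID>" suffix is the thread's hand-written annotation.
ACL_LINE = re.compile(
    r"^(?P<default>default:)?(?P<tag>user|group|mask|other):(?P<qual>[^:]*):"
    r"(?P<perms>[rwx-]{3})(?:\s*-->\s*dn:\s*CN=(?P<sid>S-[\d-]+))?(?:\s+#.*)?$")

def parse_idmap(ldif):
    """Return {xidNumber: objectSid} from idmap.ldb records in LDIF text."""
    mapping = {}
    for record in re.split(r"\n(?=dn:)", ldif):
        sid = re.search(r"^objectSid:\s*(\S+)", record, re.M)
        xid = re.search(r"^xidNumber:\s*(\d+)", record, re.M)
        if sid and xid:
            mapping[xid.group(1)] = sid.group(1)
    return mapping

def parse_getfacl(text, xid_to_sid=None):
    """Return {(scope, tag, who): perms}, with numeric xids replaced by SIDs."""
    xid_to_sid = xid_to_sid or {}
    acl = {}
    for line in text.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            continue  # "# file:" / "# group:" headers and blank lines
        who = m["sid"] or xid_to_sid.get(m["qual"], m["qual"])
        scope = "default" if m["default"] else "access"
        acl[(scope, m["tag"], who)] = m["perms"]
    return acl

def compare(reference, candidate):
    """List (entry, reference_perms, candidate_perms) where the ACLs differ."""
    keys = sorted(set(reference) | set(candidate))
    return [(k, reference.get(k), candidate.get(k))
            for k in keys if reference.get(k) != candidate.get(k)]

def unmapped_xids(acl):
    """Numeric ids left in the ACL because no idmap record resolved them."""
    return sorted({who for (_, _, who) in acl if who.isdigit()})

# Sample inputs copied from the thread (access entries only).
REFERENCE_GETFACL = """\
# file: var/lib/samba/sysvol/
# group: 3000000 --> dn: CN=S-1-5-32-544
user::rwx
user:root:rwx
user:3000000:rwx --> dn: CN=S-1-5-32-544
user:3000009:r-x --> dn: CN=S-1-5-11
user:3000016:r-x --> dn: CN=S-1-5-32-549
user:3000017:rwx --> dn: CN=S-1-5-18
group::rwx
group:3000000:rwx --> dn: CN=S-1-5-32-544
group:3000009:r-x --> dn: CN=S-1-5-11
group:3000016:r-x --> dn: CN=S-1-5-32-549
group:3000017:rwx --> dn: CN=S-1-5-18
mask::rwx
other::---
"""

CANDIDATE_GETFACL = """\
# file: sysvol
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
"""

CANDIDATE_IDMAP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000
dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
xidNumber: 3000001
dn: CN=S-1-5-18
objectSid: S-1-5-18
xidNumber: 3000002
dn: CN=S-1-5-11
objectSid: S-1-5-11
xidNumber: 3000003
"""

def check_sysvol():
    reference = parse_getfacl(REFERENCE_GETFACL)
    candidate = parse_getfacl(CANDIDATE_GETFACL, parse_idmap(CANDIDATE_IDMAP))
    return compare(reference, candidate), unmapped_xids(candidate)

if __name__ == "__main__":
    print(check_sysvol())
```

On the thread's data the only reported difference is the `other` entry (`rwx` against `---`), which corresponds to the 777 versus 770 mode on the directory; the empty unmapped list means every xid in the ACL has an idmap record.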
Gabriel Franca
2015-07-02 18:39:32 UTC
Good Afternoon Ryan,

I had a similar problem to solve and had to put the users in the administration group.

As a test, set the primary group of a user to administrator and see if the GPO will work.

Regards,

Gabriel Franca
Ryan Ashley
2015-07-03 14:21:11 UTC
I cannot do such a thing. This is a place where many users struggle just
to use Windows (older people) and one is prone to getting viruses. If
this person was an admin, I would be reloading her system monthly
instead of deleting her user folder and letting it regen fresh. Besides,
GPOs are pulled BEFORE login. Even then, I have logged into the system
as domain admin and still cannot do it. This means that it isn't working
for the SYSTEM account or the domain admin account.

Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Gabriel Franca
Good Afternoon Ryan,
I had a similar problem to solve and had to put the users in the administration group.
It makes a test places the primary group of a User to administrator and test to see if the GPO will work.
Regards,
Gabriel Franca
Post by Ryan Ashley
Post by Ryan Ashley
Rowland, here is what I found in the ldb.
# record 68
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
# record 70
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549
# record 73
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18
# record 16
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11
It appears as though they're in my database, but clients still cannot
update group policy. It randomly works once or twice, then goes back to
not working. Due to this, some workstations can hang for 20min trying to
update all of their GPOs upon first boot. I have wbinfo working, but
'id' and 'getent' still do not work for domain users and groups. PAM is
setup and is pasted below to save you from asking for it, should you be
so inclined.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you have any suggestions, I am all ears. If you say we must upgrade
to Gentoo, I have to bite the bullet and do it.
One more thing. I discovered that Samba4 cannot be a master browser. Due
to this, workstations are randomly being elected as the master browser.
When that system sleeps because the client doesn't turn it off, shares
become inaccessible. I have a Buffalo NAS that can be a master browser
(Samba3 on it), but Buffalo apparently locked me out of SSH access!
Could this be related?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
I hate to revive this, but before I push my client through an upgrade, I
have to be sure my issue is with ACLs not being supported, as suggested.
Squeeze does have ACL support.
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
2.6.32-5-amd64
With this information, are we absolutely sure that my issue is somehow
related to ACL's in Squeeze? The client is against upgrading unless we
have no other option, but now the problem has spread and is affecting a
large number, but not all PCs at their location.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Well, here is my plan of action. I will migrate the VMs on the secondary
server to the primary one. Then I will zero the RAID10 array, install
the latest XenServer, and load a Gentoo VM to build the needed binary
packages. I can then create a new DC, promote it to the primary server,
move the Windows VMs back to the secondary server, and then wipe and
reload the primary box. This way I have an evolving OS which shouldn't
be left behind, no systemd, and my problems with Samba should go away.
Oh, and I am not blaming Samba for the issues. It has evolved and become
better. Debian 6 (Squeeze) has NOT, due to being oldstable and now obsolete.
Hey, it will be a learning experience for my assistant. Besides, if I
screw something up I can get great help on this list and worst case
scenario is I get to build a new domain. Thanks for the help, Rowland
and Louis.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by L.P.H. van Belle
Ok, so if i understand right,
your sysvol is on a shared folder which is a debian squeeze server.
i think you problem is that the needed acl cant be set on the queeze server.
You are probably right Louis.
Post by L.P.H. van Belle
and why not systemd, since gentoo also does systemd
https://wiki.gentoo.org/wiki/Systemd
Ah but Gentoo only does systemd if you want to, systemd is a cure
looking for a problem, or to put it another way, it is like using a
sledgehammer to crack a nut.
Post by L.P.H. van Belle
and if you really want, just run your install with
preseed/late_command="in-target apt-get install -y sysvinit-core"
( see https://wiki.debian.org/systemd#Installing_without_systemd )
:-D :-D :-D ROFL ROFL
Have you tried NOT using systemd on Jessie!
Post by L.P.H. van Belle
I've a running debian jessie as fileserver, proxy server and mail
server and im really happy with it. ( yes, with systemd )
much faster boot, well much faster whole os.. ;-) but thats not on
debated here..
choose what you like.
99% of your speed gain has nothing to do with systemd.
Rowland
Post by L.P.H. van Belle
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: vrijdag 12 juni 2015 16:17
Onderwerp: Re: [Samba] Clients unable to get group policy...
Louis, 4.2.2 (git clone method for 4-2-stable branch) is what I am
running. I will NOT be using Debian 8 due to systemd. If I have to do
this, we're going to plan a down-time for the client, zero everything,
do a fresh XenServer install and install Gentoo 64bit under XS. If that
is what must be done, so be it. I can do that. I'll simply have one VM
on each physical server which builds the source packages into binary
ones for the others to pull. This way Gentoo doesn't bog things down
during business hours with compiling updates.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by L.P.H. van Belle
Or upgrade you xen servers and a tip for a jessie install on
xen 6.2 choose other linux
Post by L.P.H. van Belle
or upgrade to Xen 6.5. for jessie support.
or you can try upgradeing to latest 3.6 version on squeeze.
( 3.6.25 )
Post by L.P.H. van Belle
http://www.enterprisesamba.com/samba-packages/debian-linux/squeeze/
or even better move up to 4.2.2. ( i advice a wheezy install
with sernet samba )
Post by L.P.H. van Belle
and member servers can be debian jessie with 4.1.17. thats
what you want.
Post by L.P.H. van Belle
which samba are you using on squeeze. 3.5.x of the
backported 3.6.6 ?
Post by L.P.H. van Belle
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: vrijdag 12 juni 2015 14:47
Onderwerp: Re: [Samba] Clients unable to get group policy...
Anybody? Is my problem that this client is still on Debian 6?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Rowland, you are correct. I remember now. When we started using
XenServer, Wheezy would not work under it. This is a Squeeze
installation, not Wheezy. Will Samba no longer work with Squeeze? If so
it may be an excuse to upgrade the domain after all these years.
Post by Rowland Penny
Post by Ryan Ashley
I noticed something different on the page you linked. It must be
outdated or maybe it is setup for a different version of Debian. The
system runs Debian Wheezy AMD64. The paths referenced do not exist. I
also checked several other Debian systems and NONE have the
"x86_64-linux-gnu" directories.
2.6.32-5-amd64
lrwxrwxrwx 1 root root 12 Dec 27 2012 ld-linux-x86-64.so.2 -> ld-2.11.3.so
Is this the problem? What version of Debian is the guide for? I believe
Debian 8 was released recently but cannot be sure since it is a systemd
distro I now use Gentoo. If the guide is for 8, maybe we need one for 7
since it is supported until the release of 9.
Are you sure it is running wheezy ?
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"
3.2.0-4-amd64
x86_64-linux-gnu
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Sorry about this, but I think we are going to have to start again, I
cannot remember just exactly what your problem is.
This is the result of running 'getfacl /var/lib/samba/sysvol' on my
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000 --> dn: CN=S-1-5-32-544
user::rwx
user:root:rwx
user:3000000:rwx --> dn: CN=S-1-5-32-544
user:3000009:r-x --> dn: CN=S-1-5-11
user:3000016:r-x --> dn: CN=S-1-5-32-549
user:3000017:rwx --> dn: CN=S-1-5-18
group::rwx
group:3000000:rwx --> dn: CN=S-1-5-32-544
group:3000009:r-x --> dn: CN=S-1-5-11
group:3000016:r-x --> dn: CN=S-1-5-32-549
group:3000017:rwx --> dn: CN=S-1-5-18
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx --> dn: CN=S-1-5-32-544
default:user:3000009:r-x --> dn: CN=S-1-5-11
default:user:3000016:r-x --> dn: CN=S-1-5-32-549
default:user:3000017:rwx --> dn: CN=S-1-5-18
default:group::---
default:group:3000000:rwx --> dn: CN=S-1-5-32-544
default:group:3000009:r-x --> dn: CN=S-1-5-11
default:group:3000016:r-x --> dn: CN=S-1-5-32-549
default:group:3000017:rwx --> dn: CN=S-1-5-18
default:mask::rwx
default:other::---
As you can see, I have added some extra info, this is what the
xidNumbers are mapped from, so if your xidNumbers map to the same
'well known SIDs' , then there doesn't seem to be much wrong.
You can check your 'idmap.ldb' file with: ldbedit -e nano -H
/var/lib/samba/private/idmap.ldb
Rowland
other::rwx
other::---
But this will probably just be down to yours having unix permissions '777' on /var/lib/samba/sysvol whilst mine is '770'
If you do not have *any* Unix clients then when connecting to the DC from a windows client, id & getent don't need to work. wbinfo works differently from id & getent and as it shows your users & groups means this is working ok. Is there anything in the event logs on the clients, I 'think' this could just be a lack of communication between the client & DC, or the GPOs are in the wrong place or something stupid like this. How do the clients get their dns info ? Is it a time problem ?
Rowland
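The check Rowland describes above, comparing the xidNumbers in a sysvol ACL with the well-known SIDs they map to in idmap.ldb, as an added example (not part of the original posts and not Samba code). Its input is the idmap.ldb records and getfacl listing Ryan posted in this thread; the function names and the EXPECTED table are assumptions built from Rowland's reference listing.

```python
"""Cross-check a sysvol getfacl listing against idmap.ldb xidNumber records."""

# Permissions per well-known SID as shown in the reference listing above:
# Administrators, Authenticated Users, Server Operators, Local System.
EXPECTED = {"S-1-5-32-544": "rwx", "S-1-5-11": "r-x",
            "S-1-5-32-549": "r-x", "S-1-5-18": "rwx"}

# idmap.ldb records as posted in this thread, trimmed to the attributes used.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000
dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
xidNumber: 3000001
dn: CN=S-1-5-18
objectSid: S-1-5-18
xidNumber: 3000002
dn: CN=S-1-5-11
objectSid: S-1-5-11
xidNumber: 3000003
"""

# getfacl listing of sysvol as posted in this thread (default: user and
# group entries left out here; they are parsed the same way).
GETFACL = """\
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:other::---
"""


def parse_idmap(ldif):
    """Return {xidNumber: objectSid}; a new record starts at each 'dn:' line."""
    mapping, rec = {}, {}
    for line in ldif.splitlines() + ["dn: end"]:  # sentinel flushes last record
        key, sep, value = line.partition(": ")
        if key == "dn":
            if "xidNumber" in rec and "objectSid" in rec:
                mapping[int(rec["xidNumber"])] = rec["objectSid"]
            rec = {}
        elif sep and not line.startswith("#"):
            rec[key] = value.strip()
    return mapping


def parse_getfacl(text):
    """Return [(is_default, tag, qualifier, perms)] for every ACL entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("-->")[0].strip()  # drop '--> dn: ...' annotations
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        if len(parts) == 3:  # anything else is not an ACL entry
            entries.append((is_default, parts[0], parts[1], parts[2]))
    return entries


def audit_sysvol(getfacl_text, ldif_text, expected=EXPECTED):
    """Return a list of findings; an empty list means the ACL matches."""
    xid_to_sid = parse_idmap(ldif_text)
    findings, seen = [], set()
    for is_default, tag, qual, perms in parse_getfacl(getfacl_text):
        where = ("default:" if is_default else "") + f"{tag}:{qual}"
        if tag == "other" and perms != "---":
            findings.append(
                f"{where}:{perms} differs from the reference DC's other::---")
        if not qual.isdigit():
            continue  # owner entries and named local users such as root
        sid = xid_to_sid.get(int(qual))
        if sid is None:
            findings.append(f"{where}: xid has no idmap.ldb record")
        elif sid in expected:
            seen.add(sid)
            if perms != expected[sid]:
                findings.append(
                    f"{where} ({sid}) is {perms}, expected {expected[sid]}")
    findings += [f"no ACL entry for {s}" for s in sorted(set(expected) - seen)]
    return findings


if __name__ == "__main__":
    for finding in audit_sysvol(GETFACL, IDMAP_LDIF):
        print(finding)
```

Run against the thread's data it reports only `other::rwx`, the same 777-versus-770 difference noted above. Comparing by SID rather than by xidNumber matters because the two DCs in this thread assign different xidNumbers to the same SID.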
Ryan Ashley
2015-07-03 14:18:49 UTC
Permalink
The only Unix client I can think of would be the Buffalo NAS. It runs
Samba3 and hosts various shares via SMB. DNS is handled by BIND9 on the
Samba4 DC. DNS does work and the domain name resolves to the IP address
of the server. DHCP is also handled on the DC. As for the GPO's, they're
in the correct place as far as I can tell. In fact, the error in the
event log says it cannot access gpt.ini, but if I click the link in the
log, the ini file opens in Notepad, so it is accessible. This is very
strange due to this fact. The event log error is 1058 if I recall
correctly. The client location is closed today, but maybe I can remote
in and find a workstation on to test with. If I can I will post the
exact error shortly.

Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Post by Ryan Ashley
Rowland, here is what I found in the ldb.
# record 68
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
# record 70
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549
# record 73
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18
# record 16
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11
It appears as though they're in my database, but clients still cannot
update group policy. It randomly works once or twice, then goes back to
not working. Due to this, some workstations can hang for 20min trying to
update all of their GPOs upon first boot. I have wbinfo working, but
'id' and 'getent' still do not work for domain users and groups. PAM is
setup and is pasted below to save you from asking for it, should you be
so inclined.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you have any suggestions, I am all ears. If you say we must upgrade
to Gentoo, I have to bite the bullet and do it.
One more thing. I discovered that Samba4 cannot be a master browser. Due
to this, workstations are randomly being elected as the master browser.
When that system sleeps because the client doesn't turn it off, shares
become inaccessible. I have a Buffalo NAS that can be a master browser
(Samba3 on it), but Buffalo apparently locked me out of SSH access!
Could this be related?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
I hate to revive this, but before I push my client through an upgrade, I
have to be sure my issue is with ACLs not being supported, as suggested.
Squeeze does have ACL support.
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
2.6.32-5-amd64
With this information, are we absolutely sure that my issue is somehow
related to ACL's in Squeeze? The client is against upgrading unless we
have no other option, but now the problem has spread and is
affecting a
large number, but not all PCs at their location.
Lead IT/IS Specialist
Reach Technology FP, Inc
Rowland Penny
2015-07-03 14:44:09 UTC
Permalink
Try having a look here: https://support.microsoft.com/en-us/kb/314494
Ryan Ashley
2015-07-03 14:58:39 UTC
Permalink
They left a PC on, so I got the info. The info pissed me off, but not
because of the issue. This time it worked flawlessly, but I got the
error from the event log from prior attempts. First, today's results.

C:\Users\reachfp.KIGM>gpupdate
Updating Policy...

User Policy update has completed successfully.
Computer Policy update has completed successfully.


C:\Users\reachfp.KIGM>gpupdate /force
Updating Policy...

User Policy update has completed successfully.
Computer Policy update has completed successfully.


C:\Users\reachfp.KIGM>



Now, what was happening EVERY time until today.

The processing of Group Policy failed. Windows attempted to read the
file
\\kigm.local\sysvol\kigm.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain
controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

The error comes and goes, but it happens more often than not now, which
makes it an issue. I will review the link you sent me.

Lead IT/IS Specialist
Reach Technology FP, Inc
Rowland Penny
2015-07-03 15:20:58 UTC
Permalink
OK, I used to hate intermittent faults, they *never* appeared when you
went to fix them :-)

Anyway, the error message gives a possible reason, you are using a
.local domain, is avahi running on the DC ? if it is, turn it off and
see how you go on.

Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
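The comparison Rowland describes in this thread (the xidNumbers in the sysvol getfacl output checked against the SID mappings in idmap.ldb, plus the other:: entry), as an added example that is not part of any post. The function names, the EXPECTED table and the abridged sample input are assumptions built from the outputs quoted here.

```python
import re

# Permissions per well-known SID, as in the annotated reference getfacl output in the thread.
EXPECTED = {
    "S-1-5-32-544": "rwx",  # BUILTIN\Administrators
    "S-1-5-11": "r-x",      # Authenticated Users
    "S-1-5-32-549": "r-x",  # BUILTIN\Server Operators
    "S-1-5-18": "rwx",      # Local System
}
ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])")


def parse_idmap(ldif):
    """Return {xidNumber: objectSid} from the LDIF text that ldbedit shows for idmap.ldb."""
    mapping = {}
    for record in re.split(r"^dn:", ldif, flags=re.M)[1:]:
        sid = re.search(r"^objectSid:\s*(\S+)", record, re.M)
        xid = re.search(r"^xidNumber:\s*(\d+)", record, re.M)
        if sid and xid:
            mapping[int(xid.group(1))] = sid.group(1)
    return mapping


def parse_getfacl(text):
    """Return [(scope, tag, qualifier, perms)]; notes after the perms ('--> dn: ...') are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            scope = "default" if m.group(1) else "access"
            entries.append((scope, m.group(2), m.group(3), m.group(4)))
    return entries


def audit(acl_text, ldif):
    """Compare a sysvol ACL with the idmap; return a list of findings (empty means it matches)."""
    xid_to_sid = parse_idmap(ldif)
    sid_to_xid = {sid: xid for xid, sid in xid_to_sid.items()}
    entries = parse_getfacl(acl_text)
    perms_at = {(scope, tag, q): p for scope, tag, q, p in entries}
    findings = []
    for sid, want in EXPECTED.items():
        xid = sid_to_xid.get(sid)
        if xid is None:
            findings.append(f"{sid}: no xidNumber in idmap")
            continue
        for scope in ("access", "default"):
            for tag in ("user", "group"):
                got = perms_at.get((scope, tag, str(xid)), "missing")
                if got != want:
                    findings.append(f"{sid} xid {xid} {scope} {tag}: {got}, expected {want}")
    for scope, tag, q, perms in entries:
        if tag in ("user", "group") and q.isdigit() and int(q) not in xid_to_sid:
            findings.append(f"{scope} {tag}:{q}: xid has no SID in idmap")
        if tag == "other" and perms != "---":
            findings.append(f"{scope} other::{perms}: reference ACL has other::---")
    return findings


# Constructed sample input: xidNumbers and permissions follow the outputs quoted in the
# thread; the idmap records are cut down to the three attributes the parser reads.
SAMPLE_IDMAP = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000
dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
xidNumber: 3000001
dn: CN=S-1-5-18
objectSid: S-1-5-18
xidNumber: 3000002
dn: CN=S-1-5-11
objectSid: S-1-5-11
xidNumber: 3000003
"""
# getfacl prints one entry per line; the join below rebuilds that layout.
SAMPLE_ACL = "\n".join("""
user::rwx user:root:rwx user:3000000:rwx user:3000001:r-x user:3000002:rwx user:3000003:r-x
group::rwx group:3000000:rwx group:3000001:r-x group:3000002:rwx group:3000003:r-x
mask::rwx other::rwx
default:user::rwx default:user:root:rwx default:user:3000000:rwx default:user:3000001:r-x
default:user:3000002:rwx default:user:3000003:r-x
default:group::--- default:group:3000000:rwx default:group:3000001:r-x
default:group:3000002:rwx default:group:3000003:r-x
default:mask::rwx default:other::---
""".split())

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, SAMPLE_IDMAP):
        print(finding)
```

On a DC the two inputs would be the text of 'getfacl /var/lib/samba/sysvol' and the records shown by the ldbedit command quoted above.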
Ryan Ashley
2015-07-03 15:33:44 UTC
You and Louis confirmed my fear. MS recommended we use ".local" back in
the day. This is an OLD domain. I now use ".lan" for my domains. Avahi
is there, but I configured it to listen for ".avahi". If you want, I can
post my avahi configuration. At least, this is what my memory says.

Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
They left a PC on, so I got the info. The info pissed me off, but not
because of the issue. This time it worked flawlessly, but I got the
error from the event log from prior attempts. First, today's results.
C:\Users\reachfp.KIGM>gpupdate
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.
C:\Users\reachfp.KIGM>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.
C:\Users\reachfp.KIGM>
Now, what was happening EVERY time until today.
The processing of Group Policy failed. Windows attempted to read the
file
\\kigm.local\sysvol\kigm.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be
a) Name Resolution/Network Connectivity to the current domain
controller.
b) File Replication Service Latency (a file created on another domain
controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
The error comes and goes, but it happens more often than not now, which
makes it an issue. I will review the link you sent me.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
The only Unix client I can think of would be the Buffalo NAS. It runs
Samba3 and hosts various shares via SMB. DNS is handled by BIND9 on the
Samba4 DC. DNS does work and the domain name resolves to the IP address
of the server. DHCP is also handled on the DC. As for the GPO's, they're
in the correct place as far as I can tell. In fact, the error in the
event log says it cannot access gpt.ini, but if I click the link in the
log, the ini file opens in Notepad, so it is accessible. This is very
strange due to this fact. The event log error is 1058 if I recall
correctly. The client location is closed today, but maybe I can remote
in and find a workstation on to test with. If I can I will post the
exact error shortly.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Post by Ryan Ashley
Rowland, here is what I found in the ldb.
# record 68
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
# record 70
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549
# record 73
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18
# record 16
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11
It appears as though they're in my database, but clients still cannot
update group policy. It randomly works once or twice, then goes back to
not working. Due to this, some workstations can hang for 20min trying to
update all of their GPOs upon first boot. I have wbinfo working, but
'id' and 'getent' still do not work for domain users and groups. PAM is
setup and is pasted below to save you from asking for it, should you be
so inclined.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you have any suggestions, I am all ears. If you say we must upgrade
to Gentoo, I have to bite the bullet and do it.
One more thing. I discovered that Samba4 cannot be a master browser. Due
to this, workstations are randomly being elected as the master browser.
When that system sleeps because the client doesn't turn it off, shares
become inaccessible. I have a Buffalo NAS that can be a master browser
(Samba3 on it), but Buffalo apparently locked me out of SSH access!
Could this be related?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
I hate to revive this, but before I push my client through an upgrade, I
have to be sure my issue is with ACLs not being supported, as suggested.
Squeeze does have ACL support.
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
2.6.32-5-amd64
With this information, are we absolutely sure that my issue is somehow
related to ACL's in Squeeze? The client is against upgrading unless we
have no other option, but now the problem has spread and is affecting a
large number, but not all PCs at their location.
Lead IT/IS Specialist
Reach Technology FP, Inc
Sorry about this, but I think we are going to have to start again, I
cannot remember just exactly what your problem is.
This is the result of running 'getfacl /var/lib/samba/sysvol' on my
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000 --> dn: CN=S-1-5-32-544
user::rwx
user:root:rwx
user:3000000:rwx --> dn: CN=S-1-5-32-544
user:3000009:r-x --> dn: CN=S-1-5-11
user:3000016:r-x --> dn: CN=S-1-5-32-549
user:3000017:rwx --> dn: CN=S-1-5-18
group::rwx
group:3000000:rwx --> dn: CN=S-1-5-32-544
group:3000009:r-x --> dn: CN=S-1-5-11
group:3000016:r-x --> dn: CN=S-1-5-32-549
group:3000017:rwx --> dn: CN=S-1-5-18
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx --> dn: CN=S-1-5-32-544
default:user:3000009:r-x --> dn: CN=S-1-5-11
default:user:3000016:r-x --> dn: CN=S-1-5-32-549
default:user:3000017:rwx --> dn: CN=S-1-5-18
default:group::---
default:group:3000000:rwx --> dn: CN=S-1-5-32-544
default:group:3000009:r-x --> dn: CN=S-1-5-11
default:group:3000016:r-x --> dn: CN=S-1-5-32-549
default:group:3000017:rwx --> dn: CN=S-1-5-18
default:mask::rwx
default:other::---
As you can see, I have added some extra info, this is what the
xidNumbers are mapped from, so if your xidNumbers map to the same
'well known SIDs' , then there doesn't seem to be much wrong.
You can check your 'idmap.ldb' file with: ldbedit -e nano -H
/var/lib/samba/private/idmap.ldb
Rowland
other::rwx
other::---
But this will probably just be down to yours having unix permissions
'777' on /var/lib/samba/sysvol whilst mine is '770'
If you do not have *any* Unix clients then when connecting to the DC
from a windows client, id & getent don't need to work. wbinfo works
differently from id & getent and as it shows your users & groups means
this is working ok. Is there anything in the event logs on the
clients, I 'think' this could just be a lack of communication between
the client & DC, or the GPOs are in the wrong place or something
stupid like this. How do the clients get their dns info ? Is it a time
problem ?
Rowland
Try having a look here: https://support.microsoft.com/en-us/kb/314494
OK, I used to hate intermittent faults, they *never* appeared when you
went to fix them :-)
Anyway, the error message gives a possible reason, you are using a
.local domain, is avahi running on the DC ? if it is, turn it off and
see how you go on.
Rowland
Rowland Penny
2015-07-03 15:45:46 UTC
Post by Ryan Ashley
You and Louis confirmed my fear. MS recommended we use ".local" back in
the day. This is an OLD domain. I now use ".lan" for my domains. Avahi
is there, but I configured it to listen for ".avahi". If you want, I can
post my avahi configuration. At least, this is what my memory says.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
They left a PC on, so I got the info. The info pissed me off, but not
because of the issue. This time it worked flawlessly, but I got the
error from the event log from prior attempts. First, today's results.
C:\Users\reachfp.KIGM>gpupdate
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.
C:\Users\reachfp.KIGM>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.
C:\Users\reachfp.KIGM>
Now, what was happening EVERY time until today.
The processing of Group Policy failed. Windows attempted to read the
file
\\kigm.local\sysvol\kigm.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain
controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
The error comes and goes, but it happens more often than not now, which
makes it an issue. I will review the link you sent me.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
The only Unix client I can think of would be the Buffalo NAS. It runs
Samba3 and hosts various shares via SMB. DNS is handled by BIND9 on the
Samba4 DC. DNS does work and the domain name resolves to the IP address
of the server. DHCP is also handled on the DC. As for the GPO's, they're
in the correct place as far as I can tell. In fact, the error in the
event log says it cannot access gpt.ini, but if I click the link in the
log, the ini file opens in Notepad, so it is accessible. This is very
strange due to this fact. The event log error is 1058 if I recall
correctly. The client location is closed today, but maybe I can remote
in and find a workstation on to test with. If I can I will post the
exact error shortly.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Post by Ryan Ashley
Rowland, here is what I found in the ldb.
# record 68
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
# record 70
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549
# record 73
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18
# record 16
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11
It appears as though they're in my database, but clients still cannot
update group policy. It randomly works once or twice, then goes back to
not working. Due to this, some workstations can hang for 20min trying to
update all of their GPOs upon first boot. I have wbinfo working, but
'id' and 'getent' still do not work for domain users and groups. PAM is
setup and is pasted below to save you from asking for it, should you be
so inclined.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you have any suggestions, I am all ears. If you say we must upgrade
to Gentoo, I have to bite the bullet and do it.
One more thing. I discovered that Samba4 cannot be a master browser. Due
to this, workstations are randomly being elected as the master browser.
When that system sleeps because the client doesn't turn it off, shares
become inaccessible. I have a Buffalo NAS that can be a master browser
(Samba3 on it), but Buffalo apparently locked me out of SSH access!
Could this be related?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
I hate to revive this, but before I push my client through an upgrade, I
have to be sure my issue is with ACLs not being supported, as suggested.
Squeeze does have ACL support.
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
2.6.32-5-amd64
With this information, are we absolutely sure that my issue is somehow
related to ACL's in Squeeze? The client is against upgrading unless we
have no other option, but now the problem has spread and is affecting a
large number, but not all PCs at their location.
Lead IT/IS Specialist
Reach Technology FP, Inc
Sorry about this, but I think we are going to have to start again, I
cannot remember just exactly what your problem is.
This is the result of running 'getfacl /var/lib/samba/sysvol' on my
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000 --> dn: CN=S-1-5-32-544
user::rwx
user:root:rwx
user:3000000:rwx --> dn: CN=S-1-5-32-544
user:3000009:r-x --> dn: CN=S-1-5-11
user:3000016:r-x --> dn: CN=S-1-5-32-549
user:3000017:rwx --> dn: CN=S-1-5-18
group::rwx
group:3000000:rwx --> dn: CN=S-1-5-32-544
group:3000009:r-x --> dn: CN=S-1-5-11
group:3000016:r-x --> dn: CN=S-1-5-32-549
group:3000017:rwx --> dn: CN=S-1-5-18
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx --> dn: CN=S-1-5-32-544
default:user:3000009:r-x --> dn: CN=S-1-5-11
default:user:3000016:r-x --> dn: CN=S-1-5-32-549
default:user:3000017:rwx --> dn: CN=S-1-5-18
default:group::---
default:group:3000000:rwx --> dn: CN=S-1-5-32-544
default:group:3000009:r-x --> dn: CN=S-1-5-11
default:group:3000016:r-x --> dn: CN=S-1-5-32-549
default:group:3000017:rwx --> dn: CN=S-1-5-18
default:mask::rwx
default:other::---
As you can see, I have added some extra info, this is what the
xidNumbers are mapped from, so if your xidNumbers map to the same
'well known SIDs' , then there doesn't seem to be much wrong.
You can check your 'idmap.ldb' file with: ldbedit -e nano -H
/var/lib/samba/private/idmap.ldb
Rowland
other::rwx
other::---
But this will probably just be down to yours having unix permissions
'777' on /var/lib/samba/sysvol whilst mine is '770'
If you do not have *any* Unix clients then when connecting to the DC
from a windows client, id & getent don't need to work. wbinfo works
differently from id & getent and as it shows your users & groups means
this is working ok. Is there anything in the event logs on the
clients, I 'think' this could just be a lack of communication between
the client & DC, or the GPOs are in the wrong place or something
stupid like this. How do the clients get their dns info ? Is it a time
problem ?
Rowland
Try having a look here: https://support.microsoft.com/en-us/kb/314494
OK, I used to hate intermittent faults, they *never* appeared when you
went to fix them :-)
Anyway, the error message gives a possible reason, you are using a
.local domain, is avahi running on the DC ? if it is, turn it off and
see how you go on.
Rowland
You are quite correct, Microsoft did say you could use .local, but this
was before Apple came up with mDNS or avahi as it is known to Linux, if
it is running on the DC, it could, and probably will, reply to anything
to do with .local. You have really only two choices, rename the domain
which is not really practicable, or turn off avahi on the DC.

Rowland
L.P.H. van Belle
2015-07-03 15:02:09 UTC
....

forget the previous mail.
this can be a mDNS problem.
kigm.local ..
-----Original message-----
Sent: Friday 3 July 2015 16:59
Subject: Re: [Samba] Clients unable to get group policy...
They left a PC on, so I got the info. The info pissed me off, but not
because of the issue. This time it worked flawlessly, but I got the
error from the event log from prior attempts. First, today's results.
C:\Users\reachfp.KIGM>gpupdate
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.
C:\Users\reachfp.KIGM>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.
C:\Users\reachfp.KIGM>
Now, what was happening EVERY time until today.
The processing of Group Policy failed. Windows attempted to read the
file
\\kigm.local\sysvol\kigm.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be
a) Name Resolution/Network Connectivity to the current domain
controller.
b) File Replication Service Latency (a file created on another domain
controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
The error comes and goes, but it happens more often than not now, which
makes it an issue. I will review the link you sent me.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
The only Unix client I can think of would be the Buffalo NAS. It runs
Samba3 and hosts various shares via SMB. DNS is handled by BIND9 on the
Samba4 DC. DNS does work and the domain name resolves to the IP address
of the server. DHCP is also handled on the DC. As for the GPO's, they're
in the correct place as far as I can tell. In fact, the error in the
event log says it cannot access gpt.ini, but if I click the link in the
log, the ini file opens in Notepad, so it is accessible. This is very
strange due to this fact. The event log error is 1058 if I recall
correctly. The client location is closed today, but maybe I can remote
in and find a workstation on to test with. If I can I will post the
exact error shortly.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
Rowland, here is what I found in the ldb.
# record 68
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
# record 70
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549
# record 73
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18
# record 16
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11
It appears as though they're in my database, but clients still cannot
update group policy. It randomly works once or twice, then goes back to
not working. Due to this, some workstations can hang for 20min trying to
update all of their GPOs upon first boot. I have wbinfo working, but
'id' and 'getent' still do not work for domain users and groups. PAM is
setup and is pasted below to save you from asking for it, should you be
so inclined.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you have any suggestions, I am all ears. If you say we must upgrade
to Gentoo, I have to bite the bullet and do it.
One more thing. I discovered that Samba4 cannot be a master browser. Due
to this, workstations are randomly being elected as the master browser.
When that system sleeps because the client doesn't turn it off, shares
become inaccessible. I have a Buffalo NAS that can be a master browser
(Samba3 on it), but Buffalo apparently locked me out of SSH access!
Could this be related?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
I hate to revive this, but before I push my client through an upgrade, I
have to be sure my issue is with ACLs not being supported, as suggested.
Squeeze does have ACL support.
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
2.6.32-5-amd64
With this information, are we absolutely sure that my issue is somehow
related to ACL's in Squeeze? The client is against upgrading unless we
have no other option, but now the problem has spread and is affecting a
large number, but not all PCs at their location.
Lead IT/IS Specialist
Reach Technology FP, Inc
Sorry about this, but I think we are going to have to start again, I
cannot remember just exactly what your problem is.
This is the result of running 'getfacl /var/lib/samba/sysvol' on my
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000 --> dn: CN=S-1-5-32-544
user::rwx
user:root:rwx
user:3000000:rwx --> dn: CN=S-1-5-32-544
user:3000009:r-x --> dn: CN=S-1-5-11
user:3000016:r-x --> dn: CN=S-1-5-32-549
user:3000017:rwx --> dn: CN=S-1-5-18
group::rwx
group:3000000:rwx --> dn: CN=S-1-5-32-544
group:3000009:r-x --> dn: CN=S-1-5-11
group:3000016:r-x --> dn: CN=S-1-5-32-549
group:3000017:rwx --> dn: CN=S-1-5-18
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx --> dn: CN=S-1-5-32-544
default:user:3000009:r-x --> dn: CN=S-1-5-11
default:user:3000016:r-x --> dn: CN=S-1-5-32-549
default:user:3000017:rwx --> dn: CN=S-1-5-18
default:group::---
default:group:3000000:rwx --> dn: CN=S-1-5-32-544
default:group:3000009:r-x --> dn: CN=S-1-5-11
default:group:3000016:r-x --> dn: CN=S-1-5-32-549
default:group:3000017:rwx --> dn: CN=S-1-5-18
default:mask::rwx
default:other::---
As you can see, I have added some extra info, this is what the
xidNumbers are mapped from, so if your xidNumbers map to the same
'well known SIDs' , then there doesn't seem to be much wrong.
You can check your 'idmap.ldb' file with: ldbedit -e nano -H
/var/lib/samba/private/idmap.ldb
Rowland
The only difference between your sysvol 'getfacl' output and mine is
other::rwx
other::---
But this will probably just be down to yours having unix permissions
'777' on /var/lib/samba/sysvol whilst mine is '770'
If you do not have *any* Unix clients then when connecting to the DC
from a windows client, id & getent don't need to work. wbinfo works
differently from id & getent and as it shows your users & groups means
this is working ok. Is there anything in the event logs on the
clients, I 'think' this could just be a lack of communication between
the client & DC, or the GPOs are in the wrong place or something
stupid like this. How do the clients get their dns info ? Is it a time
problem ?
Rowland
Try having a look here: https://support.microsoft.com/en-us/kb/314494
L.P.H. van Belle
2015-07-03 14:59:58 UTC
in the correct place as far as I can tell. In fact, the error in the
Post by Ryan Ashley
event log says it cannot access gpt.ini, but if I click the link in the
log, the ini file opens in Notepad, so it is accessible. This is very
strange due to this fact. The event log error is 1058 if I recall
go correct your sysvol SHARE rights first, and reset it from within windows.
test and keep "everyone" full access on the share right.
then go to the security tab, and set.
Verified users, Read and execute
SYSTEM, Full control
Administrators, Full control
Server Operators, Read and execute

then try from 1 pc.

login as DOMAIN\Administrator
try accessing \\server\sysvol
and try \\server.your.domain.tld\sysvol

do they both work ? if only \\server.your.domain.tld works,
then add the domain option to your dhcp server. and there are 2 ! domain options.
1 for the pc and 1 for the domain search.
what's the difference...
pc joins the domain and will be named pc.your.domain.tld.
pc search can be different, and this can be set wrong in dhcp server.

test this also on the remote location.

make a test user, set the primary group to "Domain User"
try above again.

but, when I read through your mails below, I'm thinking almost sure your sysvol share rights are not correct.



Greetz,

Louis
Post by Ryan Ashley
-----Original message-----
Sent: Friday 3 July 2015 16:19
Subject: Re: [Samba] Clients unable to get group policy...
The only Unix client I can think of would be the Buffalo NAS. It runs
Samba3 and hosts various shares via SMB. DNS is handled by BIND9 on the
Samba4 DC. DNS does work and the domain name resolves to the IP address
of the server. DHCP is also handled on the DC. As for the GPO's, they're
in the correct place as far as I can tell. In fact, the error in the
event log says it cannot access gpt.ini, but if I click the link in the
log, the ini file opens in Notepad, so it is accessible. This is very
strange due to this fact. The event log error is 1058 if I recall
correctly. The client location is closed today, but maybe I can remote
in and find a workstation on to test with. If I can I will post the
exact error shortly.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Ryan Ashley
Post by Ryan Ashley
Rowland, here is what I found in the ldb.
# record 68
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
# record 70
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549
# record 73
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18
# record 16
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11
It appears as though they're in my database, but clients still cannot
update group policy. It randomly works once or twice, then goes back to
not working. Due to this, some workstations can hang for 20min trying to
update all of their GPOs upon first boot. I have wbinfo working, but
'id' and 'getent' still do not work for domain users and groups. PAM is
setup and is pasted below to save you from asking for it, should you be
so inclined.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you have any suggestions, I am all ears. If you say we must upgrade
to Gentoo, I have to bite the bullet and do it.
One more thing. I discovered that Samba4 cannot be a master browser. Due
to this, workstations are randomly being elected as the master browser.
When that system sleeps because the client doesn't turn it off, shares
become inaccessible. I have a Buffalo NAS that can be a master browser
(Samba3 on it), but Buffalo apparently locked me out of SSH access!
Could this be related?
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by Rowland Penny
Post by Ryan Ashley
I hate to revive this, but before I push my client through an upgrade, I
have to be sure my issue is with ACLs not being supported, as suggested.
Squeeze does have ACL support.
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
2.6.32-5-amd64
With this information, are we absolutely sure that my issue is somehow
related to ACLs in Squeeze? The client is against upgrading unless we
have no other option, but now the problem has spread and is affecting a
large number, but not all PCs at their location.
Lead IT/IS Specialist
Reach Technology FP, Inc
Sorry about this, but I think we are going to have to start again, I
cannot remember just exactly what your problem is.
This is the result of running 'getfacl /var/lib/samba/sysvol' on my
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000 --> dn: CN=S-1-5-32-544
user::rwx
user:root:rwx
user:3000000:rwx --> dn: CN=S-1-5-32-544
user:3000009:r-x --> dn: CN=S-1-5-11
user:3000016:r-x --> dn: CN=S-1-5-32-549
user:3000017:rwx --> dn: CN=S-1-5-18
group::rwx
group:3000000:rwx --> dn: CN=S-1-5-32-544
group:3000009:r-x --> dn: CN=S-1-5-11
group:3000016:r-x --> dn: CN=S-1-5-32-549
group:3000017:rwx --> dn: CN=S-1-5-18
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx --> dn: CN=S-1-5-32-544
default:user:3000009:r-x --> dn: CN=S-1-5-11
default:user:3000016:r-x --> dn: CN=S-1-5-32-549
default:user:3000017:rwx --> dn: CN=S-1-5-18
default:group::---
default:group:3000000:rwx --> dn: CN=S-1-5-32-544
default:group:3000009:r-x --> dn: CN=S-1-5-11
default:group:3000016:r-x --> dn: CN=S-1-5-32-549
default:group:3000017:rwx --> dn: CN=S-1-5-18
default:mask::rwx
default:other::---
As you can see, I have added some extra info, this is what the
xidNumbers are mapped from, so if your xidNumbers map to the same
'well known SIDs', then there doesn't seem to be much wrong.
You can check your 'idmap.ldb' file with:
ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
Rowland
other::rwx
other::---
But this will probably just be down to yours having unix permissions
'777' on /var/lib/samba/sysvol whilst mine is '770'
If you do not have *any* Unix clients then when connecting to the DC
from a Windows client, id & getent don't need to work. wbinfo works
differently from id & getent and as it shows your users & groups means
this is working ok. Is there anything in the event logs on the
clients, I 'think' this could just be a lack of communication between
the client & DC, or the GPOs are in the wrong place or something
stupid like this. How do the clients get their DNS info? Is it a time
problem?
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
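The comparison described in the reply above, as an added example that is not part of the original thread: it resolves each xidNumber in a getfacl listing through an idmap table and reports where the result departs from the annotated sysvol listing, including the `other::rwx` entry that comes with mode 777. `SAMPLE_IDMAP` is a constructed mapping and the function names are hypothetical; the real mapping has to be read from idmap.ldb.

```python
import re

# Reference sysvol permissions per well-known SID, from the annotated listing
# (544 Administrators, 549 Server Operators, 11 Authenticated Users, 18 System).
REFERENCE = {"S-1-5-32-544": "rwx", "S-1-5-32-549": "r-x",
             "S-1-5-11": "r-x", "S-1-5-18": "rwx"}
ENTRY = re.compile(r"^(default:)?(user|group|other):([^:]*):([rwx-]{3})")

def parse_getfacl(text):
    """Return [(scope, kind, qualifier, perms)] for user/group/other entries."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            rows.append((m.group(1) or "", m.group(2), m.group(3), m.group(4)))
    return rows

def check_sysvol_acl(text, xid_to_sid):
    """Compare an ACL with REFERENCE after resolving xidNumbers to SIDs."""
    findings, seen = [], set()
    for scope, kind, who, perms in parse_getfacl(text):
        entry = f"{scope}{kind}:{who}:{perms}"
        if kind == "other" and perms != "---":
            findings.append(f"{entry}: reference has ---")
        elif who.isdigit():
            sid = xid_to_sid.get(int(who))
            seen.add(sid)
            if sid is None:
                findings.append(f"{entry}: xidNumber not found in idmap")
            elif REFERENCE.get(sid) != perms:
                findings.append(f"{entry}: {sid} should be {REFERENCE.get(sid)}")
    findings += [f"no entry for {s}" for s in sorted(REFERENCE) if s not in seen]
    return findings

# Excerpt of the first getfacl listing in the thread.
SAMPLE_ACL = """# file: sysvol
user::rwx
user:3000000:rwx
user:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::rwx
default:other::---
"""
# Constructed mapping for illustration only; the real one lives in idmap.ldb.
SAMPLE_IDMAP = {3000000: "S-1-5-32-544", 3000001: "S-1-5-32-549",
                3000002: "S-1-5-18", 3000003: "S-1-5-11"}

print("\n".join(check_sysvol_acl(SAMPLE_ACL, SAMPLE_IDMAP)))
```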