[Solved] Problem creating GPOs with vfs object = full_audit

fmoreira86
[Solved] Problem creating GPOs with vfs object = full_audit
« on: March 24, 2022, 09:07:01 pm »
I was trying to do this procedure:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRhCAK

Basically it would allow my firewall to identify the users based on the samba4 logs.

You have to add this:

        syslog = 3
        vfs object = full_audit
        full_audit:success = connect
        full_audit:failure = disconnect
        full_audit:prefix = %u %I | %S
        full_audit:facility = local5

to smb.conf.

I added it to /usr/share/zentyal/stubs/samba/smb.conf.mas, rebooted the server, and the logs work.

However, if I try to create a GPO via RSAT with this configuration, I get "This security ID may not be assigned as the owner of this object".

Pretty much like this report:

https://lists.samba.org/archive/samba/2017-April/207962.html

Any hint?

Thank you!
« Last Edit: March 27, 2022, 03:57:06 am by fmoreira86 »

fmoreira86
Re: Problem creating GPOs with vfs object = full_audit
« Reply #1 on: March 27, 2022, 03:56:56 am »
Solution:

vfs objects = acl_xattr full_audit
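
The difference between the setting in the first post and the one in Reply #1, as an added example that is not part of the original thread: a small Python check that reports smb.conf sections which load full_audit without acl_xattr. The function names and the sample configuration are constructed for illustration.

```python
import re

# Both spellings appear in this thread; Samba accepts "vfs object" as a
# synonym of "vfs objects".
VFS_KEYS = {"vfs objects", "vfs object"}


def vfs_modules_by_section(conf_text):
    """Return {section: [modules]} for sections that set vfs objects explicitly."""
    section = "global"  # assumption: lines before any header count as [global]
    result = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # Parameter names are case-insensitive and ignore extra spaces.
        key = " ".join(key.lower().split())
        if key in VFS_KEYS:
            # A later line in the same section replaces an earlier one.
            result[section] = re.split(r"[\s,]+", value.strip())
    return result


def audit_without_acl_xattr(conf_text):
    """List sections that load full_audit but leave acl_xattr out."""
    found = vfs_modules_by_section(conf_text)
    return sorted(name for name, mods in found.items()
                  if "full_audit" in mods and "acl_xattr" not in mods)


# Constructed samples: the setting from the first post and the fixed one.
BEFORE = """
[global]
    syslog = 3
    vfs object = full_audit
    full_audit:prefix = %u %I | %S
"""
AFTER = BEFORE.replace("vfs object = full_audit", "vfs objects = acl_xattr full_audit")

if __name__ == "__main__":
    print(audit_without_acl_xattr(BEFORE), audit_without_acl_xattr(AFTER))
```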

dzidek23
Re: [Solved] Problem creating GPOs with vfs object = full_audit
« Reply #2 on: March 29, 2022, 10:33:38 am »
Hi,

I see this has been resolved but I have some questions.

I was looking at the Samba4 vfs with acl_xattr here:
https://wiki.samba.org/index.php/Using_the_acl_xattr_VFS_Module
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

This says that the acl_xattr should be already enabled on a DC and then it's NOT to be applied to individual shares. Did you find any issues when activating the acl_xattr?

Does this mean that Zentyal doesn't have this enabled by default as suggested in Samba4 docs?

fmoreira86
Re: [Solved] Problem creating GPOs with vfs object = full_audit
« Reply #3 on: April 10, 2022, 05:50:14 pm »
I didn't have any problem since I made this config.