Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: fmoreira86 on March 24, 2022, 09:07:01 pm

Title: [Solved ]Problem creating GPOs with vfs object = full_audit
Post by: fmoreira86 on March 24, 2022, 09:07:01 pm
I was trying to do this procedure:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRhCAK

Basically it would allow my firewall to identify the users based on the samba4 logs.

You've to add this:

  syslog = 3
        vfs object = full_audit
        full_audit:success = connect
        full_audit:failure = disconnect
        full_audit:prefix = %u %I | %S
        full_audit:facility = local5

To smb.conf.

I added to /usr/share/zentyal/stubs/samba/smb.conf.mas , rebooted the server and the logs work.

However if I try to create a GPO via RSAT, with this configuration, I get "This security ID may not be assigned as the owner of this object"

Pretty much like this report:

https://lists.samba.org/archive/samba/2017-April/207962.html

Any hint?

Thank you!
Title: Re: Problem creating GPOs with vfs object = full_audit
Post by: fmoreira86 on March 27, 2022, 03:56:56 am
Solution:

vfs objects = acl_xattr full_audit
Title: Re: [Solved ]Problem creating GPOs with vfs object = full_audit
Post by: dzidek23 on March 29, 2022, 10:33:38 am
Hi,

I see this has been resolved but I have some questions.

I was looking at the Samba4 vfs with acl_xattr here:
https://wiki.samba.org/index.php/Using_the_acl_xattr_VFS_Module (https://wiki.samba.org/index.php/Using_the_acl_xattr_VFS_Module)
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)

This says that the acl_xattr should be already enabled on a DC and then it's NOT to be applied to individual shares. Did you find any issues when activating the acl_xattr?

does this mean that Zentyal doesn't have this enabled by default as suggested in Samba4 docs?
Title: Re: [Solved ]Problem creating GPOs with vfs object = full_audit
Post by: fmoreira86 on April 10, 2022, 05:50:14 pm
I didn't have any problem since I made this config.