Zentyal Forum, Linux Small Business Server

Zentyal Server => Directory and Authentication => Topic started by: Leo Moss on January 04, 2021, 02:43:11 pm

Title: GPO's under user configuration
Post by: Leo Moss on January 04, 2021, 02:43:11 pm
Hello all, I have Zentyal 6.2 and am trying to do GPOs under USER CONFIGURATION but nothing works (it works under COMPUTER CONFIGURATION). Am I missing something? Clients are W10.
Title: Re: GPO's under user configuration
Post by: badapple7 on January 05, 2021, 10:30:03 pm
Did you create the GPO on RSAT or with samba-tool gpo? Are the new policies present in sysvol? Check the present GPOs with samba-tool gpo listall.
Title: Re: GPO's under user configuration
Post by: Leo Moss on January 06, 2021, 02:16:50 pm
I'm creating the GPOs on RSAT, they are shown on SYSVOL, on the event viewer of the clients there are no errors related to GPO, and if you do a gpresult the GPO is there but nothing happens (not even a simple GPO to map a drive).
Title: Re: GPO's under user configuration
Post by: badapple7 on January 17, 2021, 03:17:56 am
Quote
I'm creating the GPOs on RSAT, they are shown on SYSVOL, on the event viewer of the clients there are no errors related to GPO, and if you do a gpresult the GPO is there but nothing happens (not even a simple GPO to map a drive).

I think the "fast" solution is to delete this GPO and create a new one. If that also doesn't work, it could be a permissions problem; please post the results of:

samba-tool gpo listall
samba-tool gpo show (uid gpo)
getfacl /var/lib/samba/sysvol/yourdomain/Policies/selectyougpo
Title: Re: GPO's under user configuration
Post by: Leo Moss on January 21, 2021, 06:29:26 pm
Quote
I'm creating the GPOs on RSAT, they are shown on SYSVOL, on the event viewer of the clients there are no errors related to GPO, and if you do a gpresult the GPO is there but nothing happens (not even a simple GPO to map a drive).

I think the "fast" solution is to delete this GPO and create a new one. If that also doesn't work, it could be a permissions problem; please post the results of:

samba-tool gpo listall
samba-tool gpo show (uid gpo)
getfacl /var/lib/samba/sysvol/yourdomain/Policies/selectyougpo

Sadly this is happening with every GPO under USER CONFIGURATION.
This is a new GPO trying to MAP a drive (SYSVOL) where everyone has RO.
 
 samba-tool gpo show {350F6B90-53FB-4609-8EC8-1788A79AB62D}
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.CONTACTCENTER.COM<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name ROSDC002.contactcenter.com<0x20>
GPO          : {350F6B90-53FB-4609-8EC8-1788A79AB62D}
display name : MAP DRIVE
path         : \\contactcenter.com\SysVol\contactcenter.com\Policies\{350F6B90-53FB-4609-8EC8-1788A79AB62D}
dn           : CN={350F6B90-53FB-4609-8EC8-1788A79AB62D},CN=Policies,CN=System,DC=contactcenter,DC=com
version      : 262144
flags        : NONE
ACL          : <hidden>


getfacl /var/lib/samba/sysvol/contactcenter.com/Policies/{350F6B90-53FB-4609-8EC8-1788A79AB62D}
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/contactcenter.com/Policies/{350F6B90-53FB-4609-8EC8-1788A79AB62D}
# owner: CONTACTCENTER\134da-leonmosq
# group: CONTACTCENTER\134domain\040admins
user::rwx
user:CONTACTCENTER\134da-leonmosq:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
user:3000019:r-x
group::rwx
group:CONTACTCENTER\134domain\040admins:rwx
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
group:CONTACTCENTER\134enterprise\040admins:rwx
group:NT\040AUTHORITY\134serverlogon:r-x
group:CONTACTCENTER\134domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:CONTACTCENTER\134da-leonmosq:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000010:r-x
default:user:3000019:r-x
default:group::---
default:group:CONTACTCENTER\134domain\040admins:rwx
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:group:CONTACTCENTER\134enterprise\040admins:rwx
default:group:NT\040AUTHORITY\134serverlogon:r-x
default:group:CONTACTCENTER\134domain\040computers:r-x
default:mask::rwx
default:other::---








Title: Re: GPO's under user configuration
Post by: doncamilo on January 25, 2021, 01:42:58 pm
  :o

I tried to configure a user based GPO and I had the same issue you reported.

GPRESULT shows all right but the GPO doesn't seem to run.

(I added delegation for Domain Computers (r) and Domain Users (r). )

Windows 10 Pro.  1607 (OS Build 14393.0)
Zentyal 6.2

Code:
General
User name ZENTYAL-DOMAIN\admindc
Domain zentyal-domain.lan
Security Group Membership
ZENTYAL-DOMAIN\Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
ZENTYAL-DOMAIN\Domain Admins
ZENTYAL-DOMAIN\Denied RODC Password Replication Group
Mandatory Label\High Mandatory Level

...

Group Policy Objects
Applied GPOs
testgpo [{02594854-7656-40C7-AC4A-0E41B183E334}]
Link Location zentyal-domain.lan
Extensions Configured Group Policy Drive Maps
Group Policy Infrastructure
Enforced No
Disabled None
Security Filters NT AUTHORITY\Authenticated Users
Revision AD (10), SYSVOL (10)
WMI Filter

Code:
#  samba-tool gpo show {02594854-7656-40C7-AC4A-0E41B183E334}
...
GPO          : {02594854-7656-40C7-AC4A-0E41B183E334}
display name : testgpo
path         : \\zentyal-domain.lan\SysVol\zentyal-domain.lan\Policies\{02594854-7656-40C7-AC4A-0E41B183E334}
dn           : CN={02594854-7656-40C7-AC4A-0E41B183E334},CN=Policies,CN=System,DC=zentyal-domain,DC=lan
version      : 655360
flags        : NONE
ACL          : <hidden>


Code:
getfacl /var/lib/samba/sysvol/zentyal-domain.lan/Policies/\{02594854-7656-40C7-AC4A-0E41B183E334\}
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/zentyal-domain.lan/Policies/{02594854-7656-40C7-AC4A-0E41B183E334}
# owner: ZENTYAL-DOMAIN\134admindc
# group: ZENTYAL-DOMAIN\134domain\040admins
user::rwx
user:ZENTYAL-DOMAIN\134admindc:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
user:3000018:r-x
group::rwx
group:ZENTYAL-DOMAIN\134domain\040admins:rwx
group:ZENTYAL-DOMAIN\134domain\040users:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
group:ZENTYAL-DOMAIN\134enterprise\040admins:rwx
group:NT\040AUTHORITY\134serverlogon:r-x
group:ZENTYAL-DOMAIN\134domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:ZENTYAL-DOMAIN\134admindc:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000010:r-x
default:user:3000018:r-x
default:group::---
default:group:ZENTYAL-DOMAIN\134domain\040admins:rwx
default:group:ZENTYAL-DOMAIN\134domain\040users:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:group:ZENTYAL-DOMAIN\134enterprise\040admins:rwx
default:group:NT\040AUTHORITY\134serverlogon:r-x
default:group:ZENTYAL-DOMAIN\134domain\040computers:r-x
default:mask::rwx
default:other::---


Could it be I have forgotten some evident thing?

Cheers!
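
An added example (not part of the original posts, and not Zentyal or Samba code): a small Python parser for the two outputs posted above. It splits the `version` field of `samba-tool gpo show` into its user-side revision (high 16 bits) and computer-side revision (low 16 bits), decodes getfacl's octal escapes, and lists which named principals can read the GPO directory and which ACL entries are bare numeric IDs. The function names are hypothetical and the sample input is a shortened excerpt of the output in the post above.

```python
import re

# Shortened excerpts of the output posted above (testgpo); not complete listings.
GPO_SHOW = """\
GPO          : {02594854-7656-40C7-AC4A-0E41B183E334}
display name : testgpo
version      : 655360
"""
GETFACL = r"""
user::rwx
user:3000002:rwx
user:3000003:r-x
group:ZENTYAL-DOMAIN\134domain\040users:r-x
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
default:user:3000002:rwx
"""

def decode_version(version):
    """Split the GPO version: high 16 bits = user part, low 16 bits = computer part."""
    return version >> 16, version & 0xFFFF

def unescape(name):
    """getfacl prints special characters as octal escapes (\\134 = backslash, \\040 = space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_acl(text):
    """Return (is_default, kind, principal, perms) for every named ACL entry."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"(default:)?(user|group):(.+):([r-][w-][x-])$", line.strip())
        if m:
            entries.append((bool(m.group(1)), m.group(2), unescape(m.group(3)), m.group(4)))
    return entries

def audit(gpo_show, getfacl):
    """Summarise revisions and access-ACL readers from the two command outputs."""
    version = int(re.search(r"^version\s*:\s*(\d+)", gpo_show, re.M).group(1))
    user_v, computer_v = decode_version(version)
    access = [(p, perms) for d, _, p, perms in parse_acl(getfacl) if not d]
    return {
        "user_version": user_v,
        "computer_version": computer_v,
        # all-digit principals are IDs that getfacl could not map to a name
        "unresolved_ids": sorted({p for p, _ in access if p.isdigit()}),
        "readers": sorted(p for p, perms in access if perms[0] == "r" and not p.isdigit()),
    }

print(audit(GPO_SHOW, GETFACL))
```

For the other GPO in this thread, version 262144 decodes to user revision 4 and computer revision 0.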

Title: Re: GPO's under user configuration
Post by: badapple7 on January 27, 2021, 04:18:14 am
Sorry for the time, please post;

wbinfo --uid-info= (all user)
Title: Re: GPO's under user configuration
Post by: Leo Moss on January 27, 2021, 03:36:33 pm
Quote
Sorry for the time, please post;

wbinfo --uid-info= (all user)

Is this the command? Thanks in advance for your help.

root@rosdc001:/home/administrator# wbinfo --uid-info= all user
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash
Title: Re: GPO's under user configuration
Post by: badapple7 on January 27, 2021, 06:12:12 pm
  Sorry man;


  wbinfo --uid-info= 3000002
  wbinfo --uid-info= 3000003
  wbinfo --uid-info= 3000007
  wbinfo --uid-info= 3000010
  wbinfo --uid-info= 3000019
Title: Re: GPO's under user configuration
Post by: Leo Moss on January 29, 2021, 04:23:25 pm
Quote
  Sorry man;


  wbinfo --uid-info= 3000002
  wbinfo --uid-info= 3000003
  wbinfo --uid-info= 3000007
  wbinfo --uid-info= 3000010
  wbinfo --uid-info= 3000019

root@rosdc001:/home/administrator# wbinfo --uid-info=3000002
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000002
root@rosdc001:/home/administrator# wbinfo --uid-info=3000003
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000003
root@rosdc001:/home/administrator# wbinfo --uid-info=3000007
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000007
root@rosdc001:/home/administrator# wbinfo --uid-info=3000010
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000010
root@rosdc001:/home/administrator# wbinfo --uid-info=3000019
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000019
Title: Re: GPO's under user configuration
Post by: badapple7 on January 30, 2021, 05:48:28 am
Hi Leo, you have a syntax error in
Quote
wbinfo --uid-info=3000002

syntax ok: wbinfo --uid-info= 3000002

------

I am thinking of another possible solution; if not, we will return to the terminal :-(

OK, I am thinking of deleting the GPO, but as follows (on RSAT admin, very easy):

well now I use "gpo_new" for example;

(https://i.postimg.cc/NfKYqRpg/1.png)

deleting gpo;

(https://i.postimg.cc/8Pf8nNzc/2.png)


The next step is very important: sometimes after deleting the GPO, if you verify with samba-tool gpo listall, it is still there. From RSAT we do not see it, but it is still there. To continue easily, use ADSI Edit to delete the GPO.

(https://i.postimg.cc/YC3wQ8Sz/3.png)


The GPO is really deleted!!!

Now create a new GPO, but not for "users" or "user authenticated"; you search "groups" for GPO "active".


(https://i.postimg.cc/RZGjWFPP/5.png)



if all this process does not work, then we will have to work on the shell, but remember to check the syntax.

                                                                     
Title: Re: GPO's under user configuration
Post by: Leo Moss on January 31, 2021, 06:17:35 pm
Quote
Hi Leo, you have a syntax error in
Quote
wbinfo --uid-info=3000002

syntax ok: wbinfo --uid-info= 3000002
root@rosdc001:/home/administrator# wbinfo --uid-info= 3000002
failed to call wbcGetpwuid: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not get info for uid 0
root@rosdc001:/home/administrator# wbinfo --uid-info= 3000003
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash
root@rosdc001:/home/administrator# wbinfo --uid-info= 3000007
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash
root@rosdc001:/home/administrator# wbinfo --uid-info= 3000010
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash
root@rosdc001:/home/administrator# wbinfo --uid-info= 3000019
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash

Quote
Now create a new GPO, but not for "users" or "user authenticated"; you search "groups" for GPO "active".

I could delete the GPO but I didn't understand this quite well. I created a new GPO, deleted Authenticated Users from the scope and added a group of mine; the user that is trying to "map drive" belongs to this group.
I tried but it didn't work :(
Title: Re: GPO's under user configuration
Post by: Leo Moss on February 22, 2021, 04:35:19 pm
Any ideas? :(
Title: Re: GPO's under user configuration
Post by: badapple7 on February 27, 2021, 11:16:04 pm
Sorry man, for the time, my English is very bad. After deleting the GPO, create a new GPO, but for groups; normally the GPO is created for "user authenticated".


---

Another option is to reset sysvol on samba-tool

https://wiki.samba.org/index.php/Sysvolreset