I updated to FreeNAS-11.1-U4 and have problems with my Active Directory and GPOs. When I open the group editor I get the error message that I cannot save any changes to the default policy, so I guess something is wrong with the ACLs. I can create new files under the folder sysvol/AD.lokal/Policies/ without problems. What I cannot do is change an existing file, e.g. Registry.pol.
Checking ACL on Registry.pol
samba-tool ntacl get --as-sddl Registry.pol
Code:
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[Scanner]"
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
O:BAG:DUD:(A;;0x001f01ff;;;BA)(A;;;;;DU)(A;;;;;WD)
Creating a file under sysvol and copying the ACLs from the newly created file with:
samba-tool ntacl get --as-sddl Newfile.txt
Code:
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[Scanner]"
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
O:BAG:DUD:(A;;0x001f01ff;;;BA)(A;;;;;DU)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)
and correct it with:
samba-tool ntacl set "O:BAG:DUD:(A;;0x001f01ff;;;BA)(A;;;;;DU)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)" Registry.pol
Code:
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[Scanner]"
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
set_canon_ace_list: sys_acl_set_file failed for file Registry.pol (Invalid argument).
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (-1073741811, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 92, in run
    setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs, service=service)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Editing the ACLs of the file within Windows with the Explorer gives me the error message:
Code:
Wrong parameter
The log file says:
Code:
May 23 17:57:34 Server smbd[70357]: [2018/05/23 17:57:34.166728, 2] ../source3/smbd/posix_acls.c:3008(set_canon_ace_list)
May 23 17:57:34 Server smbd[70357]: set_canon_ace_list: sys_acl_set_file type file failed for file AD.lokal/Policies/{31B2F340-016D-11D2-945F-00C04FB984AA}/MACHINE/Registry.pol (Invalid argument).
Also tried:
samba-tool ntacl sysvolcheck
Code:
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[Scanner]"
No builtin backend found, trying to load plugin
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /var/db/samba4/sysvol/AD.lokal O:S-1-5-21-3077383150-2510758363-2547080399-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1721, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
my smb4.conf:
[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 1177319
logging = syslog:2
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
ntlm auth = no
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = Server
ea support = yes
store dos attributes = yes
lm announce = yes
time server = yes
acl allow execute always = true
dos filemode = yes
multicast dns register = yes
domain logons = yes
local master = yes
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = active directory domain controller
netbios name = SERVER
workgroup = AD
realm = AD.lokal
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 2
reset on zero vc = yes
[sysvol]
path = /var/db/samba4/sysvol
read only = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
[netlogon]
path = /var/db/samba4/sysvol/AD.lokal/scripts
read only = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
[Scanner]
path = "/mnt/Storage/Scanner"
comment = Scanner
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfs_space zfsacl acl_xattr streams_xattr recycle
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
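Added example, not code from the post or from Samba: a small SDDL parser that expands the two-letter SID aliases, compares the sysvolcheck "actual" and "expected" strings field by field, and lists the Registry.pol ACEs that carry no access mask. It assumes the S-1-5-21 prefix printed by sysvolcheck is the domain SID, and only knows the alias subset that appears in the output above.

```python
import re

# Well-known SDDL aliases used in the post's output (assumption: only this subset is needed).
WELL_KNOWN = {"BA": "S-1-5-32-544", "SO": "S-1-5-32-549", "SY": "S-1-5-18",
              "AU": "S-1-5-11", "WD": "S-1-1-0", "CO": "S-1-3-0", "CG": "S-1-3-1"}
# Domain-relative aliases: the RID is appended to the domain SID.
DOMAIN_RID = {"LA": 500, "LG": 501, "DA": 512, "DU": 513, "DG": 514, "DC": 515, "DD": 516}

# Assumption: the S-1-5-21 prefix printed by sysvolcheck is this domain's SID.
DOMAIN_SID = "S-1-5-21-3077383150-2510758363-2547080399"
# SDDL strings copied from the sysvolcheck and ntacl output in the post.
SYSVOL_ACTUAL = ("O:S-1-5-21-3077383150-2510758363-2547080399-500G:BAD:P(A;OICI;0x001f01ff;;;BA)"
                 "(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
SYSVOL_EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                   "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
REGISTRY_POL = "O:BAG:DUD:(A;;0x001f01ff;;;BA)(A;;;;;DU)(A;;;;;WD)"

def resolve_sid(alias, domain_sid):
    """Expand a two-letter SDDL alias to a literal SID; pass literal SIDs through."""
    if alias in WELL_KNOWN:
        return WELL_KNOWN[alias]
    if alias in DOMAIN_RID:
        return "%s-%d" % (domain_sid, DOMAIN_RID[alias])
    return alias

def parse_sddl(sddl, domain_sid):
    """Split O:<sid>G:<sid>D:<flags>(ace)... into a dict of normalized fields."""
    m = re.match(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)$", sddl)
    if not m:
        raise ValueError("unparseable SDDL: %r" % sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(4)):
        # ace_type;ace_flags;access_mask;object_guid;inherit_object_guid;sid
        ace_type, flags, mask, _obj, _inh_obj, sid = ace.split(";")
        aces.append((ace_type, flags, mask, resolve_sid(sid, domain_sid)))
    return {"owner": resolve_sid(m.group(1), domain_sid),
            "group": resolve_sid(m.group(2), domain_sid),
            "dacl_flags": m.group(3), "aces": aces}

def diff_sddl(actual, expected, domain_sid):
    """Names of the fields that still differ after alias expansion ([] = equivalent)."""
    a, e = parse_sddl(actual, domain_sid), parse_sddl(expected, domain_sid)
    return [k for k in ("owner", "group", "dacl_flags", "aces") if a[k] != e[k]]

def empty_mask_aces(sddl, domain_sid):
    """ACEs whose access mask is empty, i.e. entries that grant no rights at all."""
    return [ace for ace in parse_sddl(sddl, domain_sid)["aces"] if ace[2] == ""]

if __name__ == "__main__":
    print("sysvol fields differing after normalization:", diff_sddl(SYSVOL_ACTUAL, SYSVOL_EXPECTED, DOMAIN_SID))
    print("Registry.pol ACEs with empty mask:", empty_mask_aces(REGISTRY_POL, DOMAIN_SID))
```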