[Samba] GPO Editor says "Access denied" for Group Policy Objects

Luis Peromarta lperoma at icloud.com
Thu Apr 25 16:27:36 UTC 2024


I don’t think you need winbind on a DC as user mapping is done by its own databases. I think you have mixed up member server configs into DC configs.

A smb.conf like this should be enough:

[global]
	dns forwarder = 1.1.1.1
	netbios name = AAA
	realm = XXXT
	server role = active directory domain controller
	workgroup = MAD
	idmap_ldb:use rfc2307 = yes

	# Allow this for FreeRADIUS to work
	ntlm auth = mschapv2-and-ntlmv2-only

	# Disable NetBIOS
	disable netbios = yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/XXXTscripts
	read only = No


See this for details.

http://samba.bigbird.es/doku.php?id=samba:idmap-backends




LP
On Apr 25, 2024 at 17:20 +0100, Jakob Curdes via samba <samba at lists.samba.org>, wrote:
> Hi Rowland, all,
>
> Am 25.04.2024 um 17:24 schrieb Rowland Penny via samba:
> > On Thu, 25 Apr 2024 16:55:55 +0200
> > Jakob Curdes via samba<samba at lists.samba.org> wrote:
> >
> > > .. we setup 2 new DCs replacing older DCs and joined them to the
> > > domain, then decommissioned the old DCs. I now discover that I cannot
> > > edit the GPO objects anymore.
> > > "sysvolcheck" shows no errors. I read through some documentation but
> > > it sounds outdated to me. Any hints where I would start looking? Who
> > > should normally be the owner of the sysvol directory itself?
> > >
> > > What I find strange is that on a domain member, getent group shows me
> > > all Domain groups, while on the DC these are not shown.
> > > But that might be totally unrelated.
> > >
> > > Any hints?
> > >
> > Without more info, Anything would be guess work, but a guess in the
> > dark would be to ask if you are using rfc2307 attributes and if so,
> > does Domain Admins have a gidNumber attribute ?
> >
> > Rowland
>
> Yes, we are using rfc2307 attributes, and I do not see a gidNumber
> attribute in the properties of the "Domain Admins" group.
> To be honest, I never understood this gid / rfc2307 problem completely,
> although there are descriptions out there.
>
> The group ID of the sysvol entry is "3000000", while on the domain
> member, the Domain Admin group has the group ID "300512".
>
> The relevant portion of the DC config is:
>
> [global]
>     netbios name = XXX
>     realm = XXXX.yyyy.ZZ
>     server role = active directory domain controller
>     dns forwarder = X,Y
>     workgroup = ZZ
>     idmap_ldb:use rfc2307 = yes
>     template shell = /bin/bash
>     winbind use default domain = true
>     winbind offline logon = false
>     winbind nss info = rfc2307
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind nested groups = Yes
>     server schannel = yes
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> So what do I need to change?
>
> Regards, Jakob
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
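Added example (not from this thread and not Samba's own tooling): a small Python linter that applies the advice in the reply above to an smb.conf meant for an AD DC. It flags the winbind/template parameters the reply treats as member-server settings, checks that `idmap_ldb:use rfc2307` is enabled, and confirms a `[sysvol]` share exists; the sample config and the MEMBER_ONLY list are constructed from the configs quoted in the thread.

```python
import re

# Parameters the reply above treats as member-server settings that do not
# belong in an AD DC's [global] section (taken from the quoted DC config).
MEMBER_ONLY = {"winbind use default domain", "winbind offline logon",
               "winbind nss info", "winbind enum users", "winbind enum groups",
               "winbind nested groups", "template shell"}

# Constructed sample modelled on the DC config quoted in the thread.
DC_CONF_WITH_WINBIND = """
[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307  = yes
    template shell = /bin/bash
    winbind use default domain = true
    winbind enum groups = yes
[sysvol]
    path = /var/lib/samba/sysvol
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; keys are lower-cased with internal
    whitespace collapsed, so 'idmap_ldb:use rfc2307  = yes' still matches."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def lint_dc_conf(text):
    """Return a list of findings for an smb.conf intended for an AD DC."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    if g.get("server role", "").lower() != "active directory domain controller":
        return ["server role is not 'active directory domain controller'"]
    findings = [f"'{k}' is a member-server setting; remove it from the DC config"
                for k in sorted(MEMBER_ONLY & set(g))]
    if g.get("idmap_ldb:use rfc2307", "no").lower() != "yes":
        findings.append("idmap_ldb:use rfc2307 is not 'yes'; uidNumber/gidNumber attributes will be ignored")
    if "sysvol" not in conf:
        findings.append("[sysvol] share is missing; GPOs cannot be edited")
    return findings
```

Running `lint_dc_conf(DC_CONF_WITH_WINBIND)` reports the three member-server parameters in the sample; the config suggested in the reply produces no findings.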