[Samba] GPO Editor says "Access denied" for Group Policy Objects

Jakob Curdes jc at info-systems.de
Thu May 2 11:51:54 UTC 2024


Hello Rowland,

Am 02.05.2024 um 13:00 schrieb Rowland Penny via samba:
> On Thu, 2 May 2024 12:07:13 +0200
> Jakob Curdes via samba <samba at lists.samba.org> wrote:
>
>> Hello all, to return to the original topic:
>>
>> My original problem was that I could not edit GP objects with the GP
>> Editor, even as Domain admin. I always got "access denied". A
>> sysvolcheck returned no errors and the Windows "Security" tab for the
>> object in question on the sysvol share looked correct.
>>
>> I now found out that the group id of the sysvol folder (and
>> everything below) was 3000000, while the "Administrators" group has
>> the group ID 3000002. I corrected the group ID assigned to the sysvol
>> folder on both DCs and now I can edit the GP objects with the GPO
>> editor.
> The permissions set on the sysvol directory are:
> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>
> Which in a more readable form is:
> Owner:LOCAL_ADMIN Group:BUILTIN_ADMINISTRATORS D:P(Allow;Full
> control;;;BUILTIN_ADMINISTRATORS)(Allow;Read and
> Execute,Inherited;;;SERVER_OPERATORS)(Allow;Full
> control;;;LOCAL_SYSTEM)(Allow;Read and
> Execute,Inherited;;;_AUTHENTICATED_USERS)
>
> Now all that depends on the various users and groups having the same ID
> on every DC, the problem with that is, you cannot depend on every DC
> giving the same IDs to users and groups, they are handed out on a
> 'first come' basis. This is why you need to sync idmap.ldb from one DC
> (usually the one holding the PDC_Emulator FSMO role) to all others.
>   
Yes, I know, and we have a periodic sync; also, the group ID for 
"Administrators" on both DCs was the same, it just did not match what 
was set on the sysvol directory.
>> I still do not understand why on my DCs "getent group" and "getent
>> user" do not return the Windows groups and users, but that is
>> probably a cosmetic thing as you can get all info via wbinfo and
>> samba-tool. Just for this case here it would then also display the
>> group ownership of the sysvol folder. I have "winbind" in nsswitch
>> .conf and no other special settings, on other similar DCs getent
>> group returns the groups, not sure why it is not working here, but
>> perhaps not important enough to invest more time.
> If you run 'getent group' and get no result, try:
> getent group Domain\ Users
>
> Does this return output ? If it doesn't, check that you have the
> correct libnss winbind links installed and that /etc/nsswitch.conf is
> setup correctly.
>
Ha, there you hit me; actually the libnss library was still missing. I 
cannot remember which checklist we followed when installing these 
servers, but after "sudo apt-get install libnss-winbind" all is well now!
Obviously, without the libraries, the nsswitch.conf settings cannot be 
applied completely.

This also solved the problem that I did not see the group name when 
doing ls -l /var/lib/samba/sysvol.


So all solved now, thank you for your help!

Best regards, Jakob
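As an added example (not code from the thread or from Samba itself): a small Python parser for the SDDL string of the sysvol ACL quoted above, decoding the alias SIDs, ACE flags and access masks into the readable form Rowland gives. The alias tables are a constructed subset of the full SDDL tables, enough for ACLs like this one (for example the output of samba-tool ntacl get), and raw S-1-... SIDs pass through unchanged.

```python
import re

# Constructed subset of the SDDL alias tables (only what this ACL needs plus a few common ones)
SID_ALIASES = {"LA": "LOCAL_ADMIN", "BA": "BUILTIN_ADMINISTRATORS",
               "SO": "SERVER_OPERATORS", "SY": "LOCAL_SYSTEM",
               "AU": "AUTHENTICATED_USERS", "WD": "EVERYONE"}
ACE_TYPES = {"A": "Allow", "D": "Deny"}
ACE_FLAGS = {"OI": "Object Inherit", "CI": "Container Inherit",
             "NP": "No Propagate", "IO": "Inherit Only", "ID": "Inherited"}
# Rights aliases as file access-mask bits (FA = file all, FR/FW/FX = generic read/write/execute)
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# Composite masks as the Windows Security tab names them; anything else is shown as hex
MASK_NAMES = {0x1F01FF: "Full control", 0x1301BF: "Modify", 0x1200A9: "Read and Execute",
              0x120089: "Read", 0x120116: "Write"}

SDDL_RE = re.compile(r"O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))+)")

def _rights(tok):
    """Turn the rights field (hex mask or concatenated aliases like 'FRFX') into a name."""
    if tok.startswith("0x"):
        mask = int(tok, 16)
    else:
        mask = 0
        for i in range(0, len(tok), 2):
            mask |= RIGHTS_ALIASES[tok[i:i + 2]]
    return MASK_NAMES.get(mask, hex(mask))

def parse_sddl(sddl):
    """Parse an owner/group/DACL SDDL string into a dict of readable fields."""
    m = SDDL_RE.fullmatch(sddl)
    if not m:
        raise ValueError("unsupported SDDL (expects O:, G: and D: parts)")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m["aces"]):
        atype, flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
        aces.append({"type": ACE_TYPES.get(atype, atype),
                     "flags": [ACE_FLAGS[flags[i:i + 2]] for i in range(0, len(flags), 2)],
                     "rights": _rights(rights), "sid": SID_ALIASES.get(sid, sid)})
    # 'P' on the DACL means protected: nothing is inherited from the parent directory
    return {"owner": SID_ALIASES.get(m["owner"], m["owner"]),
            "group": SID_ALIASES.get(m["group"], m["group"]),
            "protected": "P" in m["flags"], "aces": aces}

def render(sddl):
    d = parse_sddl(sddl)
    lines = [f"Owner: {d['owner']}  Group: {d['group']}  Protected DACL: {d['protected']}"]
    for a in d["aces"]:
        lines.append(f"  {a['type']:5} {a['rights']:17} [{', '.join(a['flags'])}] -> {a['sid']}")
    return "\n".join(lines)

# The sysvol ACL exactly as quoted in the thread
SYSVOL_SDDL = "O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"

if __name__ == "__main__":
    print(render(SYSVOL_SDDL))
```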
