[Samba] Restricting DC Roles?

Andrew Bartlett abartlet at samba.org
Fri Oct 26 15:53:45 MDT 2012

On Fri, 2012-10-26 at 16:56 +0000, Bethel, Zach wrote:
> Okay, I copied the files over and ran those two commands. Both of them returned nothing (which I assume is a good thing?) and the file permissions appear to have extended ACLs in the sysvol folder. So I'm assuming that worked.
> However, when my Windows client attempts to `gpupdate /force` (as the domain admin) from the samba machine, I get the following error message for the computer policy:
> "The processing of Group Policy failed. Windows attempted to read the file \\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled."
> The user policy gets applied just fine.
> When I look in the event viewer, I get error code 5 with "Access is Denied" as the description. The same event has a DCName field which points at the samba machine, so I know that it's trying to talk to samba. I can mount the sysvol share manually as the domain administrator and see all the files just fine.
> Any idea what might be going on?

This fix I just put in master is almost certainly for this problem.

If it doesn't apply, then just run `sh -c 'umask 0 && samba-tool ntacl sysvolreset'`
to remove the umask for the duration of this operation.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-pysmbd-Set-umask-to-0-during-smbd-operations.patch
Type: text/x-patch
Size: 3679 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20121027/0d4e2fab/attachment.bin>
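
The effect of the `sh -c 'umask 0 && ...'` wrapper suggested above, as an added example that is not part of the original message or the attached patch: the umask strips permission bits from newly created files and directories, and a umask set inside the child shell lasts only for that command. The scratch directory, the `policy/gpt.ini` names and the 027 umask are constructed stand-ins; Samba itself is not invoked.

```shell
#!/bin/sh
# Constructed demo: a scratch directory stands in for sysvol; Samba is not invoked.

# new_modes UMASK
# In a child shell (same shape as: sh -c 'umask 0 && <command>'), set UMASK,
# create a directory and a file with the default requested modes (0777 and
# 0666), then print the permission strings that actually resulted.
new_modes() {
    scratch=$(mktemp -d) || return 1
    sh -c 'umask "$1" && mkdir "$2/policy" && : > "$2/policy/gpt.ini"' \
        sh "$1" "$scratch" || return 1
    # Keep only the 10-character type/permission field from ls output.
    d=$(ls -ld "$scratch/policy" | cut -c1-10)
    f=$(ls -l "$scratch/policy/gpt.ini" | cut -c1-10)
    rm -rf "$scratch"
    printf '%s %s\n' "$d" "$f"
}

# caller_umask_after_child
# Run a child shell that sets umask 0, then print the caller's umask to show
# that the change did not leak back into the calling shell.
caller_umask_after_child() {
    sh -c 'umask 0'
    umask
}

printf 'restrictive umask 027: %s\n' "$(new_modes 027)"
printf 'umask 0:               %s\n' "$(new_modes 0)"
printf 'caller umask afterwards: %s\n' "$(caller_umask_after_child)"
```
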
