[Samba] GPO Computer settings not applied
Pavel Valach
valach.pavel at outlook.com
Fri Mar 29 13:09:41 MDT 2013
Hello,
I'm having one strange issue with the latest stable Samba 4.0.4. I'm testing it as a domain controller for two virtual machines.
The Samba AD DC is Debian stable, with two domain members - Windows XP Pro and trial Windows 8 Enterprise.
User configuration using GPOs is working as expected. However, Computer configuration is never applied properly. Event logs show this entry:
------
Source: GroupPolicy (Microsoft-Windows-GroupPolicy)
Event ID: 1058
EventData
SupportInfo1 4
SupportInfo2 820
ProcessingMode 0
ProcessingTimeInMilliseconds 516
ErrorCode 5
ErrorDescription Access is denied.
DCName debian-server.gym.internal
GPOCNName cn={CE7B09A1-D85A-4A40-9C2F-3DD0DA013345},cn=policies,cn=system,DC=gym,DC=internal
FilePath \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
The processing of Group Policy failed. Windows attempted to read the file \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
------
a) Name resolution works, gym.internal is accessible and a DNS query for gym.internal returns the correct result.
b) File gpt.ini is readable with the following content:
------
[General]
Version=3
displayName=Nový objekt zásad skupiny
------
c) Distributed File System is not enabled on my VMs.
I'm suspecting a possible problem with permissions. I have already tried to:
1) link the GPO to the proper domain / OU
2) reboot the computer several times
3) set various permissions for various people
Currently I have two GPOs which modify computer settings: "Default Domain Policy" and "Nejaka nastaveni pro ucebnu". Neither of them shows up in the GPRESULT report. "Default Domain Policy" modifies both user and computer configuration; "Nejaka nastaveni pro ucebnu" modifies only computer configuration.
Permissions for "Nejaka nastaveni pro ucebnu":
- Authenticated Users - Read (from Security Filtering) - Not Inherited
- Domain Admins - Edit settings, delete, modify security - Not Inherited
- Enterprise Admins - Edit settings, delete, modify security - Not Inherited
- ServerLogon - Read - Not Inherited
- SYSTEM - Edit settings, delete, modify security - Not Inherited
Here is the result of the GPRESULT /R command run on the Win8 VM. On Windows XP, Computer Settings had N/A security groups - which is weird.
=====
RSOP data for GYM\valachp on UC01-TEST : Logging Mode
------------------------------------------------------
OS Configuration: Member Workstation
OS Version: 6.2.9200
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\valachp
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=UC01-TEST,OU=Ucebny,DC=gym,DC=internal
Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
Group Policy was applied from: debian-server.gym.internal
Group Policy slow link threshold: 500 kbps
Domain Name: WINDOWS-UJ49S6B
Domain Type: WindowsNT 4
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
System Mandatory Level
Everyone
BUILTIN\Users
NT AUTHORITY\SERVICE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
BDESVC
BITS
CertPropSvc
DsmSvc
Eaphost
hkmsvc
IKEEXT
iphlpsvc
LanmanServer
MMCSS
MSiSCSI
NcaSvc
RasAuto
RasMan
RemoteAccess
Schedule
SCPolicySvc
SENS
SessionEnv
SharedAccess
ShellHWDetection
SystemEventsBroker
wercplsupport
Winmgmt
wlidsvc
wuauserv
LOCAL
BUILTIN\Administrators
USER SETTINGS
--------------
CN=Pavel Valach,CN=Users,DC=gym,DC=internal
Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
Group Policy was applied from: debian-server.gym.internal
Group Policy slow link threshold: 500 kbps
Domain Name: GYM
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Zásady pro studenty
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Studenti
Medium Mandatory Level
=====
Well, I think that's enough for now... I'd very much appreciate it if someone could take a look at this. I hope it's just me overlooking something simple.
If you need any other information, please let me know.
Thanks and best regards
-Pavel