[Samba] probably auth problem

Ádám Koleszár adam.koleszar at virtual-call-center.eu
Fri May 16 08:08:42 MDT 2014


I am using Samba 4.1.7 as a Domain Controller. Actually I have two Samba
servers, DC1 and DC2. DC1 is the primary DC and DC2 is joined as another DC.
We have been using Active Directory for a couple of weeks. The directory
replication works fine, and the sysvol replication works with rsync. (I
set it up based on the Samba wiki.) But I have a problem with
authentication. If I log in to a Windows machine (which is part of the
domain) I can reach all the GPO folders (and the files in them) on the SYSVOL
volume on DC1, but I can't reach them on DC2. The "authenticated users"
have read rights on the GPO folders, but I can read them only on DC1. Then I
stopped DC1, restarted Windows, and I could read the GPO
directory on DC2.

It looks as if, when I log in to Windows, I am added to the
"authenticated users" group on just one of the domain controllers, not
all of them. And it generates an error when I run gpupdate. If
gpupdate tries to reach the GPO on a different server than the one I logged
in to, I get access denied. It happens on Win8. Win7 works fine. Maybe Win7 gets
the GPO from the same DC every time and Win8 selects randomly. I
think when I log in to Windows my user should be added to the
"authenticated users" group on all domain controllers.

I tried "samba-tool ntacl sysvolreset" multiple times, but it hasn't solved
the problem. The permissions on the sysvol and every GPO folder are right;
there is read permission for the "authenticated users" group.

What could be the problem? Am I doing something wrong or is it a bug? Is
anyone here facing this issue?

By the way, how can I list the currently authenticated users on a samba 

Thank You,
