[Samba] DC2 denies access when saving through the Group Policy Management Console

Mirco MEGAS micromegas at mail333.com
Sat Nov 1 09:28:07 MDT 2014


Hello list,

I am not sure if this is a bug or known already but I will describe it. I have two domain controllers running on 4.1.12/sernet which are linked together. I am using unison for bidirectional sync for the sysvol directory as described on samba's wiki, although in my opinion the problem I will describe in the following has nothing to do with the sync process. The sync occurs every 5min.

On a win7 client I open the Group Policy Management Console (run/execute the command "gpmc.msc"). When I right-click on the left pane onto my domain name "mydom.example.com" I can choose "Change Domain Controller...". Inside the window which is opened, on the bottom I see my two domain controllers which I can choose I'd like to connect to. Whatever I can configure while connected on DC1, the changes are propagated to DC2 after max. 5 minutes and I can check that the settings are successfully transferred to DC2.

But ==> Whenever I try to make modifications while connected to DC2 I get errors like "No permission" or "Error 0x80070005 during the save  ... Access denied" and stuff like that. I cannot modify settings on DC2, why? Shouldn't it normally work?

Mirco.

I think I am approaching the issue. When I am logged in with a domain admin account on the windows machine and try to access the share \\dc1\sysvol or \\dc2\sysvol I get access denied. So I did "getfacl /var/lib/samba/sysvol" on both, DC1 and DC2, and the result is...

# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

As you see, the gid=3000000 is not resolved on my domain controllers, thus it's explained why my domain admin account cannot access the share. The strange thing is: why am I able to make modifications on GPOs on DC1? And the most important question: how do I reset/setup the correct acl parameters for sysvol? I want to add that I don't use winbind on DC1 or DC2. Do I really have to enable winbind also on DC1+DC2? Please give me some advice.

Thank you.
Mirco
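The symptom in the post is that getfacl prints bare numeric IDs (3000000, 3000001, ...) instead of names, which means the DC cannot map those IDs through NSS and the ACL cannot be evaluated for domain users. The following script is an added example, not part of the original post or of Samba itself: it parses getfacl output and lists every owner, user or group entry (including default entries) whose qualifier is still purely numeric, so an administrator can spot unresolved IDs on sysvol before touching the ACLs. The sample ACL text is a constructed copy of the shape shown above; on a real DC you would pipe `getfacl /var/lib/samba/sysvol` into `unresolved_ids` instead.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): find ACL
# entries whose user/group is a bare numeric ID, i.e. one that the
# system could not resolve to a name via NSS (winbind or similar).

# Constructed sample in the same shape as the getfacl output in the post.
SAMPLE_ACL='# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
mask::rwx
other::---
default:user::rwx
default:group:3000002:rwx
default:other::---'

# unresolved_ids: read getfacl text on stdin and print one line per
# entry whose qualifier is purely numeric, as "kind:id". The "# owner:"
# and "# group:" header lines are reported as owner-user / owner-group.
# Entries with an empty qualifier (user::, group::, mask::, other::)
# refer to the file's own owner/group bits and are skipped.
unresolved_ids() {
    awk -F: '
        $0 ~ /^# (owner|group): [0-9]+$/ {
            line = $0; sub(/^# /, "", line)
            split(line, a, ": ")
            print "owner-" a[1] ":" a[2]
            next
        }
        /^#/ { next }                      # remaining header/comment lines
        {
            kind = $1; id = $2
            if (kind == "default") { kind = $2; id = $3 }
            if ((kind == "user" || kind == "group") && id ~ /^[0-9]+$/)
                print kind ":" id
        }' | sort -u
}

# count_unresolved: number of distinct unresolved entries in the sample.
count_unresolved() {
    printf '%s\n' "$SAMPLE_ACL" | unresolved_ids | wc -l | tr -d ' '
}

# has_unresolved KIND:ID -> success if that entry appears in the sample.
has_unresolved() {
    printf '%s\n' "$SAMPLE_ACL" | unresolved_ids | grep -q "^$1\$"
}

# Stand-alone run: show what is unresolved in the sample.
printf 'Unresolved ACL entries in sample:\n'
printf '%s\n' "$SAMPLE_ACL" | unresolved_ids
```

Each ID the script reports can then be checked directly with `getent group 3000000` (or `getent passwd` for user entries) on the DC: an empty result confirms that NSS is not mapping the ID, which is consistent with the post's observation that winbind is not in use on the domain controllers.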
