[Samba] DC2 denies access when saving through the Group Policy Management Console

Achim Gottinger achim at ag-web.biz
Sat Nov 1 16:06:01 MDT 2014

On 01.11.2014 16:28, ?icro MEGAS wrote:
> Hello list,
> I am not sure if this is a bug or known already, but I will describe it. I have two domain controllers running on 4.1.12/sernet which are linked together. I am using unison for bidirectional sync of the sysvol directory as described on Samba's wiki, although in my opinion the problem I will describe in the following has nothing to do with the sync process. The sync occurs every 5 min.
> On a Win7 client I open the Group Policy Management Console (run/execute the command "gpmc.msc"). When I right-click on the left pane onto my domain name "mydom.example.com" I can choose "Change Domain Controller...". Inside the window which is opened, at the bottom I see my two domain controllers, from which I can choose the one I'd like to connect to. Whatever I configure while connected to DC1, the changes are propagated to DC2 after max. 5 minutes and I can check that the settings are successfully transferred to DC2.
> But ==> Whenever I try to make modifications while connected to DC2 I get errors like "No permission" or "Error 0x80070005 during the save ... Access denied" and stuff like that. I cannot modify settings on DC2, why? Shouldn't it normally work?
> Mirco.
> I think I am approaching the issue. When I am logged in with a domain admin account on the Windows machine and try to access the share \\dc1\sysvol or \\dc2\sysvol I get access denied. So I did "getfacl /var/lib/samba/sysvol" on both DC1 and DC2, and the result is...
> # file: sysvol
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> As you see, the gid=3000000 is not resolved on my domain controllers, which explains why my domain admin account cannot access the share. The strange thing is: why am I able to make modifications to GPOs on DC1? And the most important question: how do I reset/set up the correct ACL parameters for sysvol? I want to add that I don't use winbind on DC1 or DC2. Do I really have to enable winbind on DC1+DC2 as well? Please give me some advice.
> Thank you.
> Mirco
Do things work if you test as "Administrator" (root)?
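The diagnostic Mirco performed by hand, reading getfacl output and spotting group ids that the DC cannot turn into names, can be scripted so it is repeatable on every DC after a sysvol sync. The following is an added example, not code from the thread or from the Samba project: it parses getfacl's long-form output, collects every numeric user/group qualifier (including the `# owner:` / `# group:` header lines), and reports the ones that the host's pwd/grp lookup cannot resolve. The `SYSVOL_ACL` fixture is a copy of the listing quoted above, embedded here as constructed test input; `nss_resolver`, `parse_getfacl` and `unresolved_ids` are names chosen for this example.

```python
import grp
import pwd
import re
import sys
from typing import Callable, List, Optional, Set, Tuple

# Constructed fixture: the getfacl listing Mirco posted, as this script would
# read it from "getfacl /var/lib/samba/sysvol" on stdin.
SYSVOL_ACL = """\
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

# A resolver maps ("user" | "group", numeric id) to a name, or None if unknown.
Resolver = Callable[[str, int], Optional[str]]


def nss_resolver(kind: str, number: int) -> Optional[str]:
    """Resolve an id through the host's NSS (pwd/grp), which is what Samba
    relies on to map ACL entries back to names on the DC."""
    try:
        if kind == "user":
            return pwd.getpwuid(number).pw_name
        return grp.getgrgid(number).gr_name
    except KeyError:
        return None


def parse_getfacl(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (scope, kind, qualifier, perms) for every ACL entry.
    scope is "access" or "default"; header lines (# ...) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        scope = "access"
        if line.startswith("default:"):
            scope = "default"
            line = line[len("default:"):]
        kind, qualifier, perms = line.split(":", 2)
        entries.append((scope, kind, qualifier, perms))
    return entries


def unresolved_ids(text: str, resolve: Resolver = nss_resolver) -> List[Tuple[str, int]]:
    """Return sorted (kind, id) pairs for numeric qualifiers with no name.
    Both the owner/group header and the named user:/group: entries are checked."""
    bad: Set[Tuple[str, int]] = set()

    def check(kind: str, qualifier: str) -> None:
        if kind in ("user", "group") and qualifier.isdigit():
            number = int(qualifier)
            if resolve(kind, number) is None:
                bad.add((kind, number))

    for raw in text.splitlines():
        m = re.match(r"#\s*(owner|group):\s*(\S+)", raw.strip())
        if m:
            check("user" if m.group(1) == "owner" else "group", m.group(2))
    for _scope, kind, qualifier, _perms in parse_getfacl(text):
        check(kind, qualifier)
    return sorted(bad)


def report(text: str, resolve: Resolver = nss_resolver) -> List[str]:
    """Human-readable lines, one per unresolved id (empty list means all resolve)."""
    return [f"unresolved {kind} id {number} in ACL" for kind, number in unresolved_ids(text, resolve)]


if __name__ == "__main__":
    # Usage: getfacl /var/lib/samba/sysvol | python3 check_sysvol_acl.py
    acl_text = sys.stdin.read() if not sys.stdin.isatty() else SYSVOL_ACL
    lines = report(acl_text)
    print("\n".join(lines) if lines else "all ACL ids resolve to names")
    sys.exit(1 if lines else 0)
```

Run on each DC, the script exits non-zero whenever an ACL entry refers to an id the DC has no name for, which is exactly the condition behind the "Access denied" Mirco saw; a clean result on DC1 and a failing one on DC2 would localise the problem to DC2's id mapping rather than to the GPO itself. Samba's own tooling for repairing the sysvol ACLs is `samba-tool ntacl sysvolcheck` and `samba-tool ntacl sysvolreset`, run on the DC whose ACLs are wrong.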

