[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

Richard p1 at originsystems.co.za
Thu Jan 12 12:07:06 UTC 2017


I have Samba 4.5.3 working fine as an AD DC and DNS provider. 

I now need to set up a group policy on the DC but I am having problems with
the internal sysvol and netlogon shares.

Via the Windows Group Policy Manager snap-in I successfully created a GPO
specifying the DC as the primary time source for all clients, using the
Administrator user

...but my Windows domain test client "ignores" the new policy completely, and
in the event log on the client I see the following:

 

The processing of Group Policy failed. Windows attempted to read the file
\\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful.
Group Policy settings may not be applied until this event is resolved. This
issue may be transient and could be caused by one or more of the following: 

a) Name Resolution/Network Connectivity to the current domain controller. 

b) File Replication Service Latency (a file created on another domain
controller has not replicated to the current domain controller). 

c) The Distributed File System (DFS) client has been disabled.

 

 

On further investigation on the domain controller itself:

 

smbclient //localhost/sysvol -UAdministrator -c 'ls'

 

returns a valid directory listing, but running the same command for any
other valid domain account returns:

 

Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]

NT_STATUS_ACCESS_DENIED listing \*

 

...so it appears that normal domain accounts are unable to access the sysvol
share, which would explain the error returned by the Windows client. (The
same applies to the netlogon share.)

 

Among other things, I have run:

 

samba-tool ntacl sysvolreset

 

but the problem persists.

 

So it appears there is something wrong with the permissions on these shares,
but I am at my wits' end trying to correct the issue.

 

Any help would be greatly appreciated!

 

Thanks in advance

 

Richard

 

 

 


