[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

Ryan Ashley ryana at reachtechfp.com
Thu Jan 12 15:19:04 UTC 2017


I just want to throw my hat into the ring here. I have been having this
problem for two years or more on some domains. Using a sysvolreset does
not work and using sysvolcheck reports no issues, but the gpt.ini claims
to be unreadable according to the event log. However, as a normal or
admin user I can read the log. The "domain computers" group does have
read access to the sysvol. The only fix I have EVER found was to
completely remove Samba and configuration files, rebuild, join as a DC
to the existing domain, and after it syncs up, do the same on the other
DC. If you only have one DC, good luck! I will be following this thread.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/12/2017 07:07 AM, Richard via samba wrote:
> I have Samba 4.5.3 working fine as an AD DC and DNS provider. 
> 
> I now need to set up a group policy on the DC but I am having problems with
> the internal sysvol and netlogon shares.
> 
> Via the Windows Group Policy Manager snap-in I successfully created a GPO
> specifying the DC as the primary time source for all clients, using the
> Administrator user
> 
> ...but my windows domain test client "ignores" the new policy completely and
> in the event log on the client I see the following:
> 
> 
> The processing of Group Policy failed. Windows attempted to read the file
> \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
> from a domain controller and was not successful.
> Group Policy settings may not be applied until this event is resolved. This
> issue may be transient and could be caused by one or more of the following: 
> 
> a) Name Resolution/Network Connectivity to the current domain controller. 
> 
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller). 
> 
> c) The Distributed File System (DFS) client has been disabled.
> 
> 
> On further investigation on the domain controller itself:
> 
> 
> smbclient //localhost/sysvol -UAdministrator -c 'ls'
> 
> 
> returns a valid directory listing, but running the same command for any
> other valid domain account returns:
> 
> 
> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
> 
> NT_STATUS_ACCESS_DENIED listing \*
> 
> 
> ...so it appears that normal domain accounts are unable to access the sysvol
> share, which would explain the error returned by the Windows client. (The
> same applies to the netlogon share.)
> 
> 
> Among other things, I have run:
> 
> 
> samba-tool ntacl sysvolreset
> 
> 
> but the problem persists.
> 
> 
> So it appears there is something wrong with the permissions on these shares
> but I am at my wits end trying to correct the issue. 
> 
> 
> Any help would be greatly appreciated!
> 
> 
> Thanks in advance
> 
> 
> Richard
> 

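The symptom in this thread (Administrator can list sysvol, every other account gets NT_STATUS_ACCESS_DENIED, and the Windows client fails on gpt.ini, which it fetches as the computer account) is the outcome of an access check against the NT ACL Samba stores on the sysvol tree. The script below is an added example, not Samba code and not anything from this thread: it parses a security descriptor in the SDDL form that samba-tool ntacl get can print and runs a Windows-style read check for three constructed tokens (a computer account, a plain domain user, a domain admin). The domain SID, the RIDs, and all three SDDL strings are constructed samples; the first is modelled on a default Samba sysvol ACL, the other two have the Authenticated Users ACE removed or a deny on Domain Computers added. To use it against a real DC, substitute the descriptor actually stored on the failing gpt.ini and the SIDs from your own domain.

```python
"""Offline read-access check over an SDDL security descriptor.

Added example for the sysvol ACCESS_DENIED discussion; not Samba's code.
Everything below the imports is constructed sample data or an assumption.
"""
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, not a real domain

# SDDL two-letter SID aliases. DA/DU/DC are domain-relative and resolve against
# DOMAIN_SID; the rest are well-known absolute SIDs.
SID_ALIAS = {
    "BA": "S-1-5-32-544",        # BUILTIN\Administrators
    "SO": "S-1-5-32-549",        # BUILTIN\Server Operators
    "SY": "S-1-5-18",            # NT AUTHORITY\SYSTEM
    "AU": "S-1-5-11",            # Authenticated Users
    "WD": "S-1-1-0",             # Everyone
    "DA": DOMAIN_SID + "-512",   # Domain Admins
    "DU": DOMAIN_SID + "-513",   # Domain Users
    "DC": DOMAIN_SID + "-515",   # Domain Computers
}

# Access-mask bits. Reading gpt.ini needs FILE_READ_DATA and FILE_READ_ATTRIBUTES.
FILE_READ_DATA, FILE_READ_ATTRIBUTES = 0x0001, 0x0080
FILE_ALL, FILE_READ = 0x001F01FF, 0x001200A9        # SDDL "FA" / "FR"
GENERIC_READ, GENERIC_ALL = 0x80000000, 0x10000000  # SDDL "GR" / "GA"
READ_NEEDED = FILE_READ_DATA | FILE_READ_ATTRIBUTES

RIGHT_ALIAS = {"GA": GENERIC_ALL, "GR": GENERIC_READ, "FA": FILE_ALL, "FR": FILE_READ}
ACE_RE = re.compile(r"\(([AD]);([A-Z]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")


def pairs(codes):
    """Split a run of two-letter SDDL codes ('OICIIO') into {'OI', 'CI', 'IO'}."""
    return {codes[i:i + 2] for i in range(0, len(codes), 2)}


def parse_mask(text):
    """Rights field: hex, or a run of two-letter rights codes. Generic bits are
    expanded to the file-specific rights they map to for files."""
    if text.startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for code in pairs(text):
            mask |= RIGHT_ALIAS.get(code, 0)
    if mask & GENERIC_ALL:
        mask |= FILE_ALL
    if mask & GENERIC_READ:
        mask |= FILE_READ
    return mask


def parse_dacl(sddl):
    """Return (dacl_flags, [(type, flag_set, mask, sid), ...]) from the D: section,
    or (None, []) when the descriptor carries no DACL at all."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return None, []
    aces = [(t, pairs(f), parse_mask(r), SID_ALIAS.get(who, who))
            for t, f, r, _obj, _inh, who in ACE_RE.findall(m.group(2))]
    return m.group(1), aces


def can_read(sddl, token_sids):
    """Windows-style check for READ_NEEDED: walk ACEs in order, fail on a deny
    that covers a still-ungranted needed bit, succeed once allow ACEs have
    granted every needed bit. A missing DACL grants everyone; an empty DACL
    (or one with no matching ACE) grants nothing."""
    flags, aces = parse_dacl(sddl)
    if flags is None:
        return True
    granted = 0
    for ace_type, ace_flags, mask, sid in aces:
        if "IO" in ace_flags or sid not in token_sids:  # inherit-only: not for this object
            continue
        wanted = READ_NEEDED & ~granted
        if ace_type == "D" and mask & wanted:
            return False
        if ace_type == "A":
            granted |= mask & READ_NEEDED
            if granted == READ_NEEDED:
                return True
    return False


# Constructed tokens: the SIDs each kind of caller presents to the file server.
MACHINE_TOKEN = {DOMAIN_SID + "-1105", SID_ALIAS["DC"], SID_ALIAS["AU"], SID_ALIAS["WD"]}
USER_TOKEN = {DOMAIN_SID + "-1106", SID_ALIAS["DU"], SID_ALIAS["AU"], SID_ALIAS["WD"]}
ADMIN_TOKEN = USER_TOKEN | {SID_ALIAS["DA"], SID_ALIAS["BA"]}

# Constructed descriptors (assumption: the first is shaped like a default Samba
# sysvol ACL; replace with the descriptor stored on the failing gpt.ini).
SYSVOL_OK = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
             "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
SYSVOL_NO_AU = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)"
SYSVOL_DENY_DC = "O:LAG:BAD:P(D;OICI;FR;;;DC)(A;OICI;FR;;;AU)(A;OICI;FA;;;BA)"


def read_access_report(sddl):
    """Who can read a file carrying this descriptor: the admin/user/machine split
    that the thread's smbclient tests and client event log are probing."""
    return {name: can_read(sddl, tok) for name, tok in
            (("machine", MACHINE_TOKEN), ("user", USER_TOKEN), ("admin", ADMIN_TOKEN))}


if __name__ == "__main__":
    for label, sddl in (("default", SYSVOL_OK), ("no AU ace", SYSVOL_NO_AU),
                        ("deny DC", SYSVOL_DENY_DC)):
        print(f"{label:10s} {read_access_report(sddl)}")
```

The second sample reproduces Richard's observation exactly: with no Authenticated Users entry, only a token that carries BUILTIN\Administrators reads the file, so `smbclient` as Administrator succeeds while every other account and every computer account is denied. The third sample reproduces the situation Ryan describes, where ordinary users read sysvol fine but the computer account is refused, which is why testing as a human user does not prove that Group Policy will apply. The check is a simplification of the Windows algorithm (no owner or privilege shortcuts, no object-type ACEs), which is enough to read a sysvol descriptor but not a substitute for testing against the DC itself.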