[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Ryan Ashley
ryana at reachtechfp.com
Thu Jan 12 15:19:04 UTC 2017
I just want to throw my hat into the ring here. I have been having this
problem for two years or more on some domains. Using a sysvolreset does
not work and using sysvolcheck reports no issues, but the gpt.ini claims
to be unreadable according to the event log. However, as a normal or
admin user I can read the log. The "domain computers" group does have
read access to the sysvol. The only fix I have EVER found was to
completely remove Samba and configuration files, rebuild, join as a DC
to the existing domain, and after it syncs up, do the same on the other
DC. If you only have one DC, good luck! I will be following this thread.
Lead IT/IS Specialist
Reach Technology FP, Inc
On 01/12/2017 07:07 AM, Richard via samba wrote:
> I have Samba 4.5.3 working fine as an AD DC and DNS provider.
>
> I now need to set up a group policy on the DC but I am having problems with
> the internal sysvol and netlogon shares.
>
> Via the Windows Group Policy Manager snap-in I successfully created a GPO
> specifying the DC as the primary time source for all clients, using the
> Administrator user
>
> ...but my windows domain test client "ignores" the new policy completely and
> in the event log on the client I see the following:
>
>
>
> The processing of Group Policy failed. Windows attempted to read the file
> \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB
> 984F9}\gpt.ini
> <file://mydomain.com/sysvol/mydomain.com/Policies/%7b31B2F340-016D-11D2-945F
> -00C04FB984F9%7d/gpt.ini> from a domain controller and was not successful.
> Group Policy settings may not be applied until this event is resolved. This
> issue may be transient and could be caused by one or more of the following:
>
> a) Name Resolution/Network Connectivity to the current domain controller.
>
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
>
> c) The Distributed File System (DFS) client has been disabled.
>
>
>
>
>
> On further investigation on the domain controller itself:
>
>
>
> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>
>
>
> returns a valid directory listing, but running the same command for any
> other valid domain account returns:
>
>
>
> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
>
> NT_STATUS_ACCESS_DENIED listing \*
>
>
>
> .so it appears that normal domain accounts are unable to access the sysvol
> share, which would explain the error returned by the windows client. (the
> same applies to the netlogon share)
>
>
>
> Among other things, I have run:
>
>
>
> samba-tool ntacl sysvolreset
>
>
>
> but the problem persists.
>
>
>
> So it appears there is something wrong with the permissions on these shares
> but I am at my wits end trying to correct the issue.
>
>
>
> Any help would be greatly appreciated!
>
>
>
> Thanks in advance
>
>
>
> Richard
>
>
>
>
>
>
>
More information about the samba
mailing list