[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

Richard p1 at originsystems.co.za
Thu Jan 12 16:41:31 UTC 2017


Hi Andrew,

thanks so much for the feedback.

Yes, you're 100% right. I'm new at this and originally changed the default GPO; however, I subsequently reset the default and created a new GPO (so this getfacl output is post-creation of a new GPO).

The getfacl output is shown here:

# getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: 10013
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000010:r-x
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: 12 January 2017 18:07
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On 1/12/2017 7:07 AM, Richard via samba wrote:
> I have Samba 4.5.3 working fine as an AD DC and DNS provider.
>
> I now need to set up a group policy on the DC but I am having problems 
> with the internal sysvol and netlogon shares.
>
> Via the Windows Group Policy Manager snap-in I successfully created a 
> GPO specifying the DC as the primary time source for all clients, 
> using the Administrator user
>
> ...but my windows domain test client "ignores" the new policy 
> completely and in the event log on the client I see the following:
>
> The processing of Group Policy failed. Windows attempted to read the file
> \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
> from a domain controller and was not successful.
> Group Policy settings may not be applied until this event is resolved.
> This issue may be transient and could be caused by one or more of the following:
>
> a) Name Resolution/Network Connectivity to the current domain controller.
>
> b) File Replication Service Latency (a file created on another domain 
> controller has not replicated to the current domain controller).
>
> c) The Distributed File System (DFS) client has been disabled.
>
> On further investigation on the domain controller itself:
>
> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>
> returns a valid directory listing, but running the same command for 
> any other valid domain account returns:
>
> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
>
> NT_STATUS_ACCESS_DENIED listing \*
>
> ...so it appears that normal domain accounts are unable to access the 
> sysvol share, which would explain the error returned by the windows 
> client. (the same applies to the netlogon share)
>
> Among other things, I have run:
>
> samba-tool ntacl sysvolreset
>
> but the problem persists.
>
> So it appears there is something wrong with the permissions on these 
> shares but I am at my wits end trying to correct the issue.
>
> Any help would be greatly appreciated!
>
> Thanks in advance
>
> Richard

It looks as if you are trying to modify the default domain policy GPO? I normally don't touch that policy but create additional ones. What is the output of

getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/

Can you create a new GPO with your settings and check the permissions again?

--
- James
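
Added example, not part of this thread or of Samba: a small Python check that parses getfacl output like the listing above and applies the POSIX.1e access algorithm (owner, named users, owning and named groups under the mask, then other) to answer the question James is asking, namely whether a given non-Administrator principal can read and traverse the GPO directory. The sample ACL is constructed from the listing above, abbreviated to its access entries; the numeric qualifiers are Samba's xids as getfacl prints them, so the check compares them as strings.

```python
# Constructed sample, abbreviated from the getfacl listing posted in the thread (access
# entries only; "default:" entries govern newly created children and are skipped here).
SAMPLE_GETFACL = """\
# owner: root
# group: 10013
user::rwx
user:3000002:rwx
user:3000003:r-x
group::rwx
group:10013:rwx
group:10014:r-x
mask::rwx
other::---
"""

def parse_acl(text):
    """Parse getfacl output into (owner, group, entries); entries are (tag, qualifier, perms)."""
    owner = group = None
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            entries.append(tuple(line.split(":")))  # e.g. ("user", "3000002", "rwx")
    return owner, group, entries

def can_access(acl, uid, gids, wanted):
    """POSIX.1e check: does principal (uid, gids) hold every bit of wanted (e.g. "r-x")?
    Qualifiers are compared as getfacl prints them: names or numeric ids (Samba xids) as strings."""
    owner, group, entries = acl
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    need = set(wanted) - {"-"}
    def grants(perms, masked=True):  # the mask limits every entry except user:: and other::
        eff = set(perms) - {"-"}
        return need <= (eff & set(mask) if masked else eff)
    if uid == owner:  # the owner is decided by user:: alone
        return grants(next(p for t, q, p in entries if t == "user" and q == ""), False)
    for t, q, p in entries:  # a matching named user decides, with no fall-through
        if t == "user" and q == uid:
            return grants(p)
    matched = False  # owning group and named groups: any one entry that grants wins
    for t, q, p in entries:
        if t == "group" and (group if q == "" else q) in gids:
            matched = True
            if grants(p):
                return True
    # a group class that matched but denied never falls through to other::
    return False if matched else grants(next(p for t, q, p in entries if t == "other"), False)
```

Run it against the real listing on a DC with `getfacl <gpo dir>` piped into `parse_acl`, passing the xid and group xids that `wbinfo`/`id` report for the failing account; a False result for "r-x" points at the ACL rather than at DNS or replication.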

