[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

lingpanda101 lingpanda101 at gmail.com
Thu Jan 12 17:09:02 UTC 2017


On 1/12/2017 11:41 AM, Richard via samba wrote:
> Hi Andrew,
>
> thanks so much for the feedback.
>
> Yes, you're 100% right.  I'm new at this and originally changed the default GPO, however subsequently reset the default and created a new GPO. (so this getfacl output is post creation of a new GPO)
>
> The getfacl output is shown here:
>
> # getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> # owner: root
> # group: 10013
> user::rwx
> user:root:rwx
> user:3000002:rwx
> user:3000003:r-x
> user:3000006:rwx
> user:3000010:r-x
> group::rwx
> group:10013:rwx
> group:10014:r-x
> group:3000002:rwx
> group:3000003:r-x
> group:3000006:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000006:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:10013:rwx
> default:group:10014:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000006:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
> Sent: 12 January 2017 18:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
>
> On 1/12/2017 7:07 AM, Richard via samba wrote:
>> I have Samba 4.5.3 working fine as an AD DC and DNS provider.
>>
>> I now need to set up a group policy on the DC but I am having problems
>> with the internal sysvol and netlogon shares.
>>
>> Via the Windows Group Policy Manager snap-in I successfully created a
>> GPO specifying the DC as the primary time source for all clients,
>> using the Administrator user
>>
>> ...but my windows domain test client "ignores" the new policy
>> completely and in the event log on the client I see the following:
>>
>> The processing of Group Policy failed. Windows attempted to read the file
>> \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
>> from a domain controller and was not successful.
>> Group Policy settings may not be applied until this event is resolved.
>> This issue may be transient and could be caused by one or more of the following:
>>
>> a) Name Resolution/Network Connectivity to the current domain controller.
>>
>> b) File Replication Service Latency (a file created on another domain
>> controller has not replicated to the current domain controller).
>>
>> c) The Distributed File System (DFS) client has been disabled.
>>
>> On further investigation on the domain controller itself:
>>
>> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>>
>> returns a valid directory listing, but running the same command for
>> any other valid domain account returns:
>>
>> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
>>
>> NT_STATUS_ACCESS_DENIED listing \*
>>
>> ...so it appears that normal domain accounts are unable to access the
>> sysvol share, which would explain the error returned by the windows
>> client. (the same applies to the netlogon share)
>>
>> Among other things, I have run:
>>
>> samba-tool ntacl sysvolreset
>>
>> but the problem persists.
>>
>> So it appears there is something wrong with the permissions on these
>> shares but I am at my wit's end trying to correct the issue.
>>
>> Any help would be greatly appreciated!
>>
>> Thanks in advance
>>
>> Richard
>>
> It looks as if you are trying to modify the default domain policy GPO? I normally don't touch that policy but create additional ones. What is the output of
>
> getfacl
> /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
>
> Can you create a new GPO with your settings and check the permissions again?
>
> --
> - James
>

It looks as if you are using 'idmap_ldb:use rfc2307 = Yes' in your 
smb.conf? It also looks as if you have given 'Domain Admins' a GID 
number? I have noticed problems in the past if I gave Domain Admins a 
GID. I would remove it.  It also looks as if you may have given 
Administrator a UID? After removing the UID and GID attempt to reset 
your sysvol. What is the output of the following before you do though?

wbinfo --gid-info=10013
wbinfo --gid-info=10014
wbinfo --uid-info=3000000
wbinfo --uid-info=3000008

-- 
- James
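As an added example, not part of this thread and not Samba's own tooling: the POSIX shell script below picks the numeric uid/gid entries out of a getfacl listing of a sysvol Policies directory, separates the ones that look like explicit RFC2307 uidNumber/gidNumber values from the ones idmap.ldb allocated, and prints the wbinfo command that resolves each one back to an AD object. The embedded SAMPLE_FACL is a constructed copy of the listing Richard posted; the IDMAP_LDB_BASE boundary of 3000000 (the assumed starting xidNumber that idmap.ldb hands out on a Samba AD DC) and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify the numeric IDs in a sysvol
# getfacl listing and emit the wbinfo lookups that map them back to SIDs.
# Assumption: idmap.ldb on a Samba AD DC allocates xidNumbers from 3000000
# upward, so anything below that came from an explicit uidNumber/gidNumber
# (RFC2307) attribute on the AD user or group.
IDMAP_LDB_BASE=3000000

# Constructed copy of the getfacl output posted earlier in the thread.
SAMPLE_FACL='# owner: root
# group: 10013
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000010:r-x
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---'

# owner_group: print the numeric owning group from the "# group:" header.
owner_group() {
    sed -n 's/^# group: *//p' | head -n 1
}

# numeric_acl_ids: one "uid N" or "gid N" line per distinct numeric ACL entry.
# Named entries (user:root), mask and other are skipped; "default:" entries
# are folded into their non-default counterparts before de-duplication.
numeric_acl_ids() {
    sed 's/^default://' |
    awk -F: '($1 == "user" || $1 == "group") && $2 ~ /^[0-9]+$/ {
        kind = ($1 == "user") ? "uid" : "gid"
        print kind, $2
    }' | sort -u
}

# classify_ids: for each "kind N" line on stdin, say whether the number is an
# RFC2307 attribute or an idmap.ldb allocation and print the matching
# wbinfo --uid-info / --gid-info command to run on the DC.
classify_ids() {
    while read -r kind id; do
        if [ "$id" -ge "$IDMAP_LDB_BASE" ]; then
            src="idmap.ldb"
        else
            src="rfc2307"
        fi
        printf '%s %s %s wbinfo --%s-info=%s\n' "$kind" "$id" "$src" "$kind" "$id"
    done
}

# count_rfc2307_ids: how many ACL entries depend on an explicit
# uidNumber/gidNumber (the kind of mapping the reply above suggests removing
# from Domain Admins and Administrator before running sysvolreset).
count_rfc2307_ids() {
    printf '%s\n' "$1" | numeric_acl_ids | classify_ids | grep -c ' rfc2307 '
}

# Run against the constructed sample. On a real DC pipe in the output of
# getfacl /usr/local/samba/var/locks/sysvol/<domain>/Policies/<GUID> instead.
printf '%s\n' "$SAMPLE_FACL" | numeric_acl_ids | classify_ids
printf 'owning group: %s\n' "$(printf '%s\n' "$SAMPLE_FACL" | owner_group)"
```

Running the printed wbinfo commands on the DC shows which AD objects the two low-numbered groups and the 3000000-range IDs belong to; once the RFC2307 attributes have been removed as suggested, rerun `samba-tool ntacl sysvolreset` and then `samba-tool ntacl sysvolcheck` to confirm the on-disk ACLs match what Samba expects.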