[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

Richard p1 at originsystems.co.za
Thu Jan 12 19:47:00 UTC 2017


Hi Rowland, 

I've done the below and retried to log on as a normal user, but sadly:

C:\> gpupdate /force     still returns

The processing of Group Policy failed. Windows attempted to read the file \\ct.mydomain.com\sysvol\ct.mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Also, a normal domain user still can't get a listing on sysvol:

smbclient //localhost/sysvol -Urichard.h -c 'ls'
Enter richard.h's password: 
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
NT_STATUS_ACCESS_DENIED listing \*

but Administrator can fine:

smbclient //localhost/sysvol -UAdministrator -c 'ls'
Enter Administrator's password: 
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
  .                                   D        0  Thu Jan 12 20:58:10 2017
  ..                                  D        0  Thu Jan 12 21:21:00 2017
  ct.mydomain.com    D        0  Thu Feb 18 00:16:24 2016

		244669724 blocks of size 1024. 235669456 blocks available


Also, I've rerun getfacl and I see that GID 10013 still exists for both group and other, even though I have removed it from "domain admins".

group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000010:r-x
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

so not really sure where to go from here

(btw - I won't keep saying thank you but just to let you know that I really really appreciate all the help you guys are giving on this)

Richard

PS - I just thought may be worthwhile pasting my smb.conf file here (domain name and forwarder ips changed)

[global]
	workgroup = CT
	realm = ct.mydomain.com
	netbios name = DC1
	server role = active directory domain controller
	allow dns updates = nonsecure and secure
	dns forwarder = 1.2.3.4 10.20.30.40
	idmap_ldb:use rfc2307 = yes
	ldap server require strong auth = no

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/ct.mydomain.com/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

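As an added check (not code from this thread or from Samba), the Python below parses getfacl output like the listing above and reports named entries whose numeric ID no longer resolves, together with the setfacl invocations that would drop them; the set of mapped IDs is a constructed stand-in for what `wbinfo --gid-info` / `wbinfo --uid-info` would confirm, with 10013 deliberately absent as after the gidNumber was removed from Domain Admins.

```python
import re

# Constructed sample modelled on the getfacl output in the post above (trimmed).
SAMPLE_ACL = """\
# file: usr/local/samba/var/locks/sysvol
group::rwx
group:10013:rwx
group:10014:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:mask::rwx
default:other::---
"""

# Constructed stand-in for the IDs winbind still maps; 10013 is deliberately missing.
MAPPED_IDS = {("group", 10014), ("group", 3000002), ("user", 3000002)}

ENTRY_RE = re.compile(
    r"^(?P<dflt>default:)?(?P<kind>user|group|mask|other):(?P<qual>[^:]*):(?P<perms>[rwx-]{3})$"
)

def parse_acl(text):
    """Parse getfacl text into (is_default, kind, qualifier, perms) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '# file:' headers and '#effective:' notes
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        entries.append((bool(m["dflt"]), m["kind"], m["qual"], m["perms"]))
    return entries

def stale_entries(entries, mapped_ids):
    """Named user/group entries whose numeric ID is not in mapped_ids."""
    return [e for e in entries
            if e[2].isdigit() and (e[1], int(e[2])) not in mapped_ids]

def removal_commands(entries, mapped_ids, path):
    """setfacl invocations that would remove each stale entry (default ACLs need -d)."""
    return [f"setfacl {'-d -x' if dflt else '-x'} {kind[0]}:{qual} {path}"
            for dflt, kind, qual, _ in stale_entries(entries, mapped_ids)]
```

Run it against real output with `getfacl /usr/local/samba/var/locks/sysvol` piped into parse_acl and a mapped-ID set built from winbind; the commands are printed for review, not executed.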

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: 12 January 2017 21:10
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On Thu, 12 Jan 2017 20:46:15 +0200
Richard via samba <samba at lists.samba.org> wrote:

> Hi James
> 
> The output is as follows...
> 
> wbinfo --gid-info=10013    =>  CT\domain admins:x:10013:
> 
> wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false

If you remove the gidNumber from Domain Admins, you will find that it gets the same GID as its UID '3000008'

> 
> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013"  
> - I can remove this no problem

See above and I would suggest removing the gidNumber, then run 'net cache flush'

> 
> Yes I have set "domain users" to have NIS domain "CT" and GID "10014"  
> - I can remove this no problem

No that is OK

> 
> No I haven't set a UID or GID for Administrator

Good, you just turn Administrator into a normal Unix user if you do.

> 
> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this 
> from smb.conf?

No, you need it

Rowland
