[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Richard
p1 at originsystems.co.za
Thu Jan 12 19:47:00 UTC 2017
Hi Rowland,
I've done the below and retried to log on as a normal user, but sadly:
C:\> gpupdate /force still returns
The processing of Group Policy failed. Windows attempted to read the file \\ct.mydomain.com\sysvol\ct.mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Also a normal domain user still can't get a listing on sysvol
smbclient //localhost/sysvol -Urichard.h -c 'ls'
Enter richard.h's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
NT_STATUS_ACCESS_DENIED listing \*
but Administrator can fine:
smbclient //localhost/sysvol -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
. D 0 Thu Jan 12 20:58:10 2017
.. D 0 Thu Jan 12 21:21:00 2017
ct.mydomain.com D 0 Thu Feb 18 00:16:24 2016
244669724 blocks of size 1024. 235669456 blocks available
Also, I've rerun getfacl and I see that GID 10013 still exists for both group and other, even though I have removed it from "domain admins"
group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000010:r-x
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---
so not really sure where to go from here
(btw - I won't keep saying thank you but just to let you know that I really really appreciate all the help you guys are giving on this)
Richard
PS - I just thought may be worthwhile pasting my smb.conf file here (domain name and forwarder ips changed)
[global]
workgroup = CT
realm = ct.mydomain.com
netbios name = DC1
server role = active directory domain controller
allow dns updates = nonsecure and secure
dns forwarder = 1.2.3.4 10.20.30.40
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
[netlogon]
path = /usr/local/samba/var/locks/sysvol/ct.mydomain.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: 12 January 2017 21:10
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On Thu, 12 Jan 2017 20:46:15 +0200
Richard via samba <samba at lists.samba.org> wrote:
> Hi James
>
> The output is as follows...
>
> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>
> wbinfo --uid-info=3000008 => CT\domain
> admins:*:3000008:3000008::/home/CT/domain admins:/bin/false
If you remove the gidNumber from Domain Admins, you will find that it gets the same GID as its UID '3000008'
>
> Yes I have set "domain admins" to have NIS domain "CT" and GID "10013"
> - I can remove this no problem
See above and I would suggest removing the gidNumber, then run 'net cache flush'
>
> Yes I have set "domain users" to have NIS domain "CT" and GID "10014"
> - I can remove this no problem
No that is OK
>
> No I haven't set a UID or GID for Administrator
Good, you just Administrator into a normal Unix user if you do.
>
> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this
> from smb.conf?
No, you need it
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list