[Samba] Fwd: AD Policies are not applying properly

Anantha Raghava raghav at exzatechconsulting.com
Fri Jun 23 10:55:49 UTC 2017


Hello James,

Thanks for your reply.

Our replies are in line.

Any guidance?

-- 

Thanks & Regards,


Anantha Raghava


On 22/06/17 8:16 PM, lingpanda101 via samba wrote:
> On 6/22/2017 9:41 AM, Anantha Raghava via samba wrote:
>> Hi,
>>
>> No solutions to get out of this?
>>
> Not sure exactly what your issue is but based on your error Samba is 
> reporting the following on that particular Policy;
Group policies are not consistently applied on all workstations. Some 
get applied, some not. This is the primary problem. On the Windows XP / 7 
/ 8 (8.1) / 10 workstations, the client reports that it is unable to 
resolve the domain controller name to fetch policies. This is the 
primary problem. We have observed that there is time skew, which we are 
correcting. Does this have any impact on policies?
>
>  * Lost Allow Object and Container inheritance on each ACE.
We are using RFC2307 and we believe this enables container inheritance.
>  * Create Owner missing ACE and you have Built in Administrators with
>    an ACE
>  * You have the primary owner as Built in Administrators Group. Samba
>    expects it to be Domain Administrators Group
Can we enable this manually using the Windows gpedit console and set the 
Create Owner as Domain Administrators instead of Builtin Administrators?
>  * Primary Group you have as Domain users. Samba expects it to be
>    Domain Administrators.
What exactly do you mean by this? Can we set this manually using the gpedit 
console?
>  * Samba expects the SE_DACL_Protected flag be set.
How do we set this?
>
> Are you using RFC2307 in your smb.conf? Did you assign Domain Admins a 
> Unix GID (you shouldn't)? Have you run 'samba-tool ntacl sysvolreset' 
> to see if Samba could correct the permissions?
RFC2307 is used in smb.conf. We have not assigned any UNIX GID to Domain 
Admins. We attempted 'samba-tool ntacl sysvolreset'. However, instead of 
correcting the permissions, it corrupted the whole set of policies.

I have also seen in one of the posts that one should not attempt 
sysvolreset as it has some bug.
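
The five findings quoted in this message can be checked read-only against a policy folder's security descriptor in SDDL form, without running sysvolreset. The script below is an added example, not part of the original message and not Samba's own code; the function names and both sample descriptors are constructed for illustration, and it assumes the descriptor has already been exported as an SDDL string.

```python
import re

# Owner, group, DACL control flags and the run of ACEs in an SDDL string.
SDDL_RE = re.compile(
    r"O:(?P<owner>[A-Z]{2}|S-[\d-]+)G:(?P<group>[A-Z]{2}|S-[\d-]+)"
    r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)"
)

# Constructed samples: GOOD satisfies all five points, BAD fails all five.
GOOD = "O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;AU)"
BAD = "O:BAG:DUD:(A;;FA;;;BA)(A;OICI;0x1200a9;;;AU)"

def is_domain_admins(sid):
    """True for the SDDL alias DA or a domain SID ending in RID 512."""
    return sid == "DA" or (sid.startswith("S-1-5-21-") and sid.endswith("-512"))

def audit_gpo_sddl(sddl):
    """Return the findings from the quoted list that apply to this descriptor."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an SDDL string with owner, group and DACL")
    # Each ACE is (type;flags;rights;object;inherit_object;sid).
    aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", m["aces"])]
    if any(len(a) < 6 for a in aces):
        raise ValueError("malformed ACE")
    findings = []
    if not is_domain_admins(m["owner"]):
        findings.append("owner is %s, not Domain Admins" % m["owner"])
    if not is_domain_admins(m["group"]):
        findings.append("primary group is %s, not Domain Admins" % m["group"])
    if "P" not in m["flags"]:  # P is the only DACL flag containing this letter
        findings.append("SE_DACL_PROTECTED (P) not set")
    if not any(a[5] == "CO" for a in aces):
        findings.append("no Creator Owner (CO) ACE")
    for a in aces:
        ace_flags = set(re.findall("..", a[1]))  # flags are two-letter tokens
        if not {"OI", "CI"} <= ace_flags:
            findings.append("ACE for %s lacks OI/CI inheritance" % a[5])
    return findings

if __name__ == "__main__":
    for name, sddl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_gpo_sddl(sddl) or "no findings")
```
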


