[Samba] Fwd: Re: Sysvolreset

Kacper Wirski kacper.wirski at gmail.com
Mon Jan 15 22:13:48 UTC 2018


Hello,

While getting this error, can you navigate to this folder via File 
Explorer in Windows, or are you getting an access denied error there?

Also check which DC was used as logonserver, then check on this DC the ACL 
on this policy with "getfacl" and compare it with the output of "getfacl" 
on the same policy, but on your DC with PDC FSMO (the one that is the 
"source" for rsync sysvol replication).

In my case the cause of this issue was a different idmap on one of the DCs.

On 15.01.2018 at 18:25, Carlos via samba wrote:
> Hello!
>
> After process, error continue......
>
> ----------------------------------------------------------------
>
> C: \ Users \ USER1XXX> gpupdate / force
> Updating Policy ...
>
> Unable to update user policy successfully. The following errors for 
> found:
>
> Group Policy was not processed. Windows was unable to apply the settings
> registry-based policy for the LDAP Group Policy object LDAP://CN
> =User,cn={AED3AF6A-D79E-436F-B63A-158BEC3E80B7},cn=policies,cn=system,DC=interno 
>
> ,DC=XXXX,DC=XXXX,DC=br.. Group Policy settings will not be reso
> this event is not resolved. View event details for more information 
> about the path name and path of the file that caused the failure.
> Unable to update computer policy successfully. The following error
> s were found:
>
> Group Policy was not processed. Windows was unable to apply the settings
> registry-based policy for the LDAP Group Policy object LDAP://CN
> =Machine,cn={69A4F8E5-0693-40BD-9F0D-845DD5AA342C},cn=policies,cn=system,DC=inte 
>
> rno,DC=XXXXX,DC=XXX,DC=br . The Group Policy settings will not be r
> resolved until this event is resolved. View event details for
> more information about the path name and path of the file that caused 
> the failure.
> The following warnings were encountered while processing policy 
> directives
> computer:
>
> Windows crashes while applying Scripting settings. Maybe the settings
> have their own log file. Click the "More Information" link
> .
>
> To diagnose the failure, review the event log or run GPRESULT / H GPRepo
> rt.html from the command line to access the results information from 
> the Dire
>
> ----------------------------------------------------------------
>
>
> Regards,
>
> -------- Forwarded Message --------
> Subject:     Re: [Samba] Sysvolreset
> Date:     Sat, 13 Jan 2018 11:37:37 -0200
> From:     Carlos <carlos.hollow at gmail.com>
> To:     samba at lists.samba.org
>
>
>
> Hello!
>
> I'll try that.
> Done with result.
>
>
> Regards,
>
>
> On 11-01-2018 20:45, Kacper Wirski via samba wrote:
>> Hello,
>>
>> copying idmap is fairly straightforward.
>>
>> 1) on your first DC (that one that has PDC FSMO, and is the source 
>> for rsync) create backup of idmap.ldb
>>
>> tdbbackup -s .bak /path/to/samba/private/idmap.ldb
>>
>> it will create idmap.ldb.bak
>>
>> 2) stop samba service on second DC
>>
>> 3) copy idmap.ldb.bak from first dc to second dc, lose the .bak 
>> suffix and just copy it over idmap.ldb on second dc
>>
>> 4) start samba on second dc
>>
>> I'm not sure if it's necessary, but you can flush winbindd cache:
>>
>> net cache flush
>>
>> and that's it
>>
>> No problems occurred for me, when I did that.
>>
>>
>> On 11.01.2018 at 18:50, Carlos via samba wrote:
>>> Hi,
>>>
>>> how do I do that ?
>>> And what would be the possible problems? (Both are in production)
>>>
>>> "One way to avoid that would be to copy idmap.ldb from your first DC 
>>> to the other two DCs."
>>>
>>> Regards;
>>>
>>>
>>> On 11-01-2018 14:42, Denis Cardon wrote:
>>>> Hi Carlos,
>>>>>
>>>>> DC to DC2/DC3 ->
>>>>>
>>>>>  /usr/bin/rsync  -XAaz --delete-after /opt/samba/var/locks/sysvol
>>>>> root at samba-dc102:/opt/samba/var/locks/
>>>>>
>>>>>  /usr/bin/rsync  -XAaz --delete-after /opt/samba/var/locks/sysvol
>>>>> root at samba-dc102:/opt/samba/var/locks/
>>>>
>>>> looking at your smb.conf file, you are using tdb idmap (default on 
>>>> DC). So the UID/SID mapping will be different on the different DC, 
>>>> and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol 
>>>> are very important, otherwise GPO won't be applied.
>>>>
>>>> So it is logical for you to have to apply sysvolreset after your rsync.
>>>>
>>>> One way to avoid that would be to copy idmap.ldb from your first DC 
>>>> to the other two DCs. The other way would be to configure rfc2307, 
>>>> but I'd say it is too much of a hassle.
>>>>
>>>> Cheers,
>>>>
>>>> Denis
>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>>
>>>>> On 10-01-2018 11:59, Carlos wrote:
>>>>>> Hi!
>>>>>>
>>>>>> I have 3 Samba 4 , version 4.7.3 running in Ubuntu Server 16.04.
>>>>>>
>>>>>> All is ok, but GPO in DC3, with error the permission, with don't 
>>>>>> load in
>>>>>> windows(gpresult /force).
>>>>>>
>>>>>>
>>>>>> My smb.conf all samba server DC.
>>>>>>
>>>>>>
>>>>>> [global]
>>>>>>         netbios name = SAMBA-DC103
>>>>>>         realm = <DOMAIN>
>>>>>>         server role = active directory domain controller
>>>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>>         workgroup = XXXXXXX
>>>>>>
>>>>>>         ldap server require strong auth = no
>>>>>>
>>>>>> [netlogon]
>>>>>>         path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>>>>>>         read only = No
>>>>>>
>>>>>> [sysvol]
>>>>>>         path = /opt/samba/var/locks/sysvol
>>>>>>         read only = No
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> For resolved, I with run "samba-tool ntacl sysvolreset", but I 
>>>>>> see a
>>>>>> not good idea..(
>>>>>> https://lists.samba.org/archive/samba/2017-March/207236.html)
>>>>>>
>>>>>>
>>>>>> Any ?
>>>>>>
>>>>>>
>>>>>> Regards;
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
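
An added example, not part of the original thread: one way to do the getfacl comparison suggested in the top reply, listing every ACL entry that differs between the PDC FSMO holder and another DC. The sample dumps, principal names and IDs are constructed, and the `Policies/{GUID}` layout and the labels `pdc`/`dc` are assumptions.

```shell
#!/bin/sh
# Added example: diff the ACLs of one GPO directory as reported on two DCs.
# Collect each dump on the DC itself, e.g. (path taken from the thread):
#   getfacl -R /opt/samba/var/locks/sysvol > dc.acl

# Constructed sample dumps; principals and IDs are invented for illustration.
PDC_ACL='# file: sysvol/<DOMAIN>/Policies/{GUID}
# owner: root
# group: BUILTIN\administrators
user::rwx
group::rwx
group:BUILTIN\administrators:rwx
group:EXAMPLE\gpo-editors:rwx
mask::rwx
other::---'

# Same policy on the second DC: one ID no longer resolves to the same principal.
DC3_ACL='# file: sysvol/<DOMAIN>/Policies/{GUID}
# owner: root
# group: 3000008
user::rwx
group::rwx
group:3000008:rwx
group:EXAMPLE\gpo-editors:rwx
mask::rwx
other::---'

# Flatten a getfacl dump (stdin) into "label<TAB>path<TAB>entry" lines.
acl_flatten() {
  awk -v side="$1" '
    /^# file: /  { path = substr($0, 9); next }
    /^# owner: / { print side "\t" path "\towner=" substr($0, 10); next }
    /^# group: / { print side "\t" path "\tgroup=" substr($0, 10); next }
    /^#/ || /^$/ { next }
    { print side "\t" path "\t" $0 }'
}

# Print every entry that appears in only one of the two dumps.
acl_mismatch() {
  { printf '%s\n' "$1" | acl_flatten pdc
    printf '%s\n' "$2" | acl_flatten dc; } |
  awk -F'\t' '
    { key = $2 "\t" $3; side[key] = $1; seen[key]++ }
    END { for (k in seen) if (seen[k] == 1) print side[k] ": " k }' | sort
}

acl_mismatch "$PDC_ACL" "$DC3_ACL"
```

Empty output means the two DCs report identical ACLs for every path in the dumps; any `pdc:`/`dc:` pair on the same path points at an entry whose owner resolves differently on the two hosts.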



