[Samba] Fwd: Re: Sysvolreset [SOLVED]
Carlos
carlos.hollow at gmail.com
Tue Jan 16 19:36:01 UTC 2018
Hi!!
I resolved the problem:
1 - Demote the DC with the problem
2 - Purge the Samba files (compiled files)
3 - Join the DC
4 - Copy idmap.tdb (DC (FSMO) -> DC (problem))
5 - Reboot
6 - Resolved, no more errors in gpupdate
Thanks to all.
Regards
On 15-01-2018 20:13, Kacper Wirski via samba wrote:
> Hello,
>
> While getting this error, can You navigate to this folder via File
> Explorer in Windows or are You getting access denied error there?
>
> Also check which DC was used as logonserver, then check on this DC acl
> on this policy with "getfacl" and compare output of "getfacl" on the
> same policy, but on Your DC with PDC FSMO (the one that is the
> "source" for rsync sysvol replication).
>
> In my case the cause of this issue was different idmap on one of the dc's
>
> On 15.01.2018 at 18:25, Carlos via samba wrote:
>> Hello!
>>
>> After the process, the error continues......
>>
>> ----------------------------------------------------------------
>>
>> C:\Users\USER1XXX> gpupdate /force
>> Updating Policy ...
>>
>> Unable to update user policy successfully. The following errors for
>> found:
>>
>> Group Policy was not processed. Windows was unable to apply the settings
>> registry-based policy for the LDAP Group Policy object
>> LDAP://CN=User,cn={AED3AF6A-D79E-436F-B63A-158BEC3E80B7},cn=policies,cn=system,DC=interno,DC=XXXX,DC=XXXX,DC=br..
>> Group Policy settings will not be reso
>> this event is not resolved. View event details for more information
>> about the path name and path of the file that caused the failure.
>> Unable to update computer policy successfully. The following errors
>> were found:
>>
>> Group Policy was not processed. Windows was unable to apply the settings
>> registry-based policy for the LDAP Group Policy object
>> LDAP://CN=Machine,cn={69A4F8E5-0693-40BD-9F0D-845DD5AA342C},cn=policies,cn=system,DC=interno,DC=XXXXX,DC=XXX,DC=br .
>> The Group Policy settings will not be r
>> resolved until this event is resolved. View event details for
>> more information about the path name and path of the file that caused
>> the failure.
>> The following warnings were encountered while processing policy
>> directives
>> computer:
>>
>> Windows crashes while applying Scripting settings. Maybe the settings
>> have their own log file. Click the "More Information" link
>> .
>>
>> To diagnose the failure, review the event log or run GPRESULT /H
>> GPReport.html from the command line to access the results information from
>> the Dire
>>
>> ----------------------------------------------------------------
>>
>>
>> Regards,
>>
>> -------- Forwarded Message --------
>> Subject: Re: [Samba] Sysvolreset
>> Date: Sat, 13 Jan 2018 11:37:37 -0200
>> From: Carlos <carlos.hollow at gmail.com>
>> To: samba at lists.samba.org
>>
>>
>>
>> Hello!
>>
>> I'll try that.
>> Done with result.
>>
>>
>> Regards,
>>
>>
>> On 11-01-2018 20:45, Kacper Wirski via samba wrote:
>>> Hello,
>>>
>>> copying idmap is fairly straightforward.
>>>
>>> 1) on your first DC (that one that has PDC FSMO, and is the source
>>> for rsync) create backup of idmap.ldb
>>>
>>> tdbbackup -s .bak /path/to/samba/private/idmap.ldb
>>>
>>> it will create idmap.ldb.bak
>>>
>>> 2) stop samba service on second DC
>>>
>>> 3) copy idmap.ldb.bak from first dc to second dc, lose the .bak
>>> suffix and just copy it over idmap.ldb on second dc
>>>
>>> 4) start samba on second dc
>>>
>>> I'm not sure if it's necessary, but you can flush winbindd cache:
>>>
>>> net cache flush
>>>
>>> and that's it
>>>
>>> No problems occurred for me, when I did that.
>>>
>>>
>>> On 11.01.2018 at 18:50, Carlos via samba wrote:
>>>> Hi,
>>>>
>>>> how do I do that ?
>>>> And what would be the possible problems? (Both are in production)
>>>>
>>>> "One way to avoid that would be to copy idmap.ldb from your first
>>>> DC to the other two DCs."
>>>>
>>>> Regards;
>>>>
>>>>
>>>> On 11-01-2018 14:42, Denis Cardon wrote:
>>>>> Hi Carlos,
>>>>>>
>>>>>> DC to DC2/DC3 ->
>>>>>>
>>>>>> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>>>>>>
>>>>>> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>>>>>
>>>>> looking at your smb.conf file, you are using tdb idmap (default on
>>>>> DC). So the UID/SID mapping will be different on the different DC,
>>>>> and your rsync will thus mess up the ACLs of sysvol. ACLs on
>>>>> sysvol are very important, otherwise GPO won't be applied.
>>>>>
>>>>> So it is logical for you to have to apply sysvolreset after your rsync.
>>>>>
>>>>> One way to avoid that would be to copy idmap.ldb from your first
>>>>> DC to the other two DCs. The other way would be to configure
>>>>> rfc2307, but I'd say it is too much of a hassle.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Denis
>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>>
>>>>>> On 10-01-2018 11:59, Carlos wrote:
>>>>>>> Hi!
>>>>>>>
>>>>>>> I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.
>>>>>>>
>>>>>>> All is OK, but the GPOs on DC3 have a permission error and don't
>>>>>>> load in Windows (gpresult /force).
>>>>>>>
>>>>>>>
>>>>>>> My smb.conf on all Samba DC servers:
>>>>>>>
>>>>>>>
>>>>>>> [global]
>>>>>>> netbios name = SAMBA-DC103
>>>>>>> realm = <DOMAIN>
>>>>>>> server role = active directory domain controller
>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>>> workgroup = XXXXXXX
>>>>>>>
>>>>>>> ldap server require strong auth = no
>>>>>>>
>>>>>>> [netlogon]
>>>>>>> path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>>>>>>> read only = No
>>>>>>>
>>>>>>> [sysvol]
>>>>>>> path = /opt/samba/var/locks/sysvol
>>>>>>> read only = No
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> To resolve it, I run "samba-tool ntacl sysvolreset", but I see
>>>>>>> it is not a good idea (
>>>>>>> https://lists.samba.org/archive/samba/2017-March/207236.html)
>>>>>>>
>>>>>>>
>>>>>>> Any ?
>>>>>>>
>>>>>>>
>>>>>>> Regards;
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>
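
The thread attributes the broken sysvol ACLs to SID-to-ID mappings in idmap.ldb that differ between DCs. The following is an added example, not code from any poster or from the Samba project, that compares the mappings from two DCs and lists the SIDs that would land on different numeric IDs after rsync. It assumes each input is an LDIF text dump of idmap.ldb (for example from `ldbsearch -H`) whose records carry `cn:` (the SID) and `xidNumber:` lines; the function names and sample SIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare SID -> xidNumber mappings from idmap.ldb dumps of two DCs.
# Assumed input format: LDIF records containing "cn: <SID>" and "xidNumber: <id>".

# Print sorted "SID xid" pairs, one per LDIF record (records are blank-line separated).
idmap_pairs() {
    awk '
        /^cn: /        { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/           { if (sid != "" && xid != "") print sid, xid; sid = ""; xid = "" }
        END            { if (sid != "" && xid != "") print sid, xid }
    ' "$1" | sort
}

# Report SIDs mapped to different IDs, or present on only one DC.
idmap_diff() {
    ref=$(mktemp); other=$(mktemp)
    idmap_pairs "$1" > "$ref"; idmap_pairs "$2" > "$other"
    awk '
        FILENAME == ARGV[1] { ref[$1] = $2; next }
        { seen[$1] = 1
          if (!($1 in ref))       print "ONLY_OTHER", $1, $2
          else if (ref[$1] != $2) print "MISMATCH", $1, "ref=" ref[$1], "other=" $2 }
        END { for (s in ref) if (!(s in seen)) print "ONLY_REF", s, ref[s] }
    ' "$ref" "$other" | sort
    rm -f "$ref" "$other"
}

# Constructed sample dumps (not taken from the thread): dc1 is the rsync source.
write_samples() {
    cat > "$1/dc1.ldif" <<'EOF'
cn: S-1-5-32-544
xidNumber: 3000000

cn: S-1-5-21-1111-2222-3333-512
xidNumber: 3000008
EOF
    cat > "$1/dc2.ldif" <<'EOF'
cn: S-1-5-32-544
xidNumber: 3000000

cn: S-1-5-21-1111-2222-3333-512
xidNumber: 3000004
EOF
}

tmp=$(mktemp -d); write_samples "$tmp"
idmap_diff "$tmp/dc1.ldif" "$tmp/dc2.ldif"   # reports the Domain Admins (RID 512) mismatch
rm -rf "$tmp"
```

Empty output means both DCs map every SID to the same ID, so ACLs copied with `rsync -XAaz` keep their meaning on the target.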