[Samba] Continued Group Policy issues

Anantha Raghava raghav at exzatechconsulting.com
Thu Jul 12 13:01:42 UTC 2018

Hello Rowland,

Thanks for your quick response.

We are syncing only sysvol from the first Domain Controller, but not
idmap.ldb. Do we need to sync idmap.ldb as well?


Thanks & Regards,

Anantha Raghava

On 12/07/18 6:20 PM, Rowland Penny via samba wrote:
> On Thu, 12 Jul 2018 18:13:47 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>> Hi,
>> We have 4 Domain Controllers all on CentOS 7.5 and Samba Version
>> 4.7.5.
>> We are using iNotify to watch the folder and pushing any changes made
>> to GPO from our first Domain Controller.
>> Of late, we started observing that, unless the client is reading the
>> Group Policies from the first Domain Controller, none of the Group
>> Policies gets applied. On the Windows Clients, we have observed that
>> clients are reporting "Access Denied" error to Group Policy Objects
>> on other Domain Controllers.
>> "samba-tool ntacl sysvolcheck" reports no errors on the GPO on any
>> Domain Controllers. Yet, the clients report "Access Denied" on all
>> other DCs except first one.
>> What could have gone wrong? Any clues?
> I take it you are syncing 'sysvol' to the DCs from the first DC, but
> are you also syncing idmap.ldb as well?
> Rowland
