[Samba] GPO fail to apply for Computers

Johannes Engel jcnengel at gmail.com
Sat Jul 28 14:32:30 UTC 2018


Dear all,

after migrating from Samba 4.6.15 to 4.8.3 (two fresh DCs) I see that
computers are no longer applying GPOs while it still works for Users.
GPResult states that GPOs are not applied due to missing access rights.
My smb.conf:
# Global parameters
[global]
        netbios name = DC
        realm = MY.DOMAIN.TLD
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MYDOMAIN
        binddns dir = /var/lib/samba/bind-dns
        smb ports = 445

        host msdfs = yes
        vfs object = dfs_samba4, acl_xattr

        tls enabled = yes
        tls keyfile = tls/dc.key
        tls certfile = tls/dc2018.crt
        tls cafile = tls/ca.crt

        ntlm auth = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab
        template shell = /bin/bash
        template homedir = /home/%U

        #log level = 1 smbd:5

[netlogon]
        path = /var/lib/samba/sysvol/my.domain.tld/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

[dfs]
        path = /export/dfsroot
        msdfs root = yes
        read only = no

getfacl for one of the GPO folders in question shows this:
# file: var/lib/samba/sysvol/my.domain.tld/Policies/{EE5E503C-4CB9-4B95-ABD5-705EFE4E088A}/
# owner: 3000007
# group: MYDOMAIN\134domain\040admins
user::rwx
user:root:rwx
user:3000000:r-x
user:3000001:rwx
user:3000002:rwx
user:3000030:r-x
group::rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:BUILTIN\134administrators:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:r-x
default:user:3000001:rwx
default:user:3000002:rwx
default:user:3000030:r-x
default:group::---
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:BUILTIN\134administrators:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---

Any suggestion how to fix this? Thanks a lot!

Best regards
Johannes
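
Added example, not part of the original post: a small parser for getfacl output like the listing above. It decodes the octal escapes (\134 is a backslash, \040 a space) and separates access entries from default entries, so the principals and their permissions can be compared at a glance. The sample input is constructed from a few lines of the listing; the function names are illustrative.

```python
import re

# Constructed sample: a few entries in the same shape as the listing above.
SAMPLE = r"""# owner: 3000007
# group: MYDOMAIN\134domain\040admins
user::rwx
user:3000000:r-x
group:NT\040AUTHORITY\134authenticated\040users:r-x
other::---
default:group::---
default:group:BUILTIN\134administrators:rwx
"""

def unescape(name):
    # getfacl prints special characters as a backslash plus three octal digits.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return one dict per ACL entry; header and '#effective' comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, rest = line.split(":", 1)          # user / group / mask / other
        qualifier, perms = rest.rsplit(":", 1)  # empty qualifier = owner entry
        entries.append({
            "default": default,
            "tag": tag,
            "name": unescape(qualifier),
            "perms": perms,
            "numeric": qualifier.isdigit(),
        })
    return entries

def numeric_ids(entries):
    """Qualifiers that appear as bare numeric IDs rather than names."""
    return sorted({e["name"] for e in entries if e["numeric"]})

def readers(entries):
    """Qualified principals with read permission in the access (non-default) ACL."""
    return [e["name"] for e in entries
            if not e["default"] and e["name"] and "r" in e["perms"]]

if __name__ == "__main__":
    parsed = parse_getfacl(SAMPLE)
    for e in parsed:
        print(e)
    print("numeric:", numeric_ids(parsed))
```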

