[Samba] gpupdate /force not applied

Elias Pereira empbilly at gmail.com
Mon Jul 30 14:17:24 UTC 2018

In principle, no changes were made that would cause this problem.

Our infrastructure has dc3 and dc4 as AD DCs.

root at dc3:/etc/samba# samba -V
Version 4.7.7-Debian (van-blle apt)

Result of gpupdate /force on a joined client computer:

C:\>gpupdate /force
> Updating Policy...
> User policy could not be updated successfully. The following errors were
> encountered:
> The processing of Group Policy failed. Windows could not determine if the
> user and computer accounts are in the same forest. Ensure the user domain
> name matches the name of a trusted domain that resides in the same forest
> as the computer account.
> Computer Policy update has completed successfully.
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.

root at dc3:/etc/samba/scripts# cat /etc/hosts
localhost
200.xxx.xxx.160 dc3.campus.sertao.ifrs.edu.br dc3
200.xxx.xxx.151     puppet.sertao.ifrs.edu.br    puppet

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root at dc3:/etc/samba/scripts# cat /etc/resolv.conf
domain campus.sertao.ifrs.edu.br
search campus.sertao.ifrs.edu.br
nameserver 200.xxx.xxx.160
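
An added consistency check (my own code, not from the post or the Samba project) that parses the /etc/hosts and /etc/resolv.conf excerpts above and verifies what a Samba AD DC expects: the DC's FQDN precedes its short name, it is not mapped to loopback, resolv.conf covers the AD domain, and the DC is its own first nameserver. Function names are assumptions of this example.

```python
# Constructed sample input, transcribed from the post (redacted 200.xxx.xxx.* kept as written).
HOSTS = """200.xxx.xxx.160 dc3.campus.sertao.ifrs.edu.br dc3
200.xxx.xxx.151     puppet.sertao.ifrs.edu.br    puppet
::1     localhost ip6-localhost ip6-loopback
"""
RESOLV = """domain campus.sertao.ifrs.edu.br
search campus.sertao.ifrs.edu.br
nameserver 200.xxx.xxx.160
"""

def parse_resolv(text):
    """Collect nameserver/search/domain directives from resolv.conf text."""
    conf = {"nameserver": [], "search": [], "domain": None}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "domain" and len(parts) > 1:
            conf["domain"] = parts[1]
        elif parts[0] in ("nameserver", "search"):
            conf[parts[0]].extend(parts[1:])
    return conf

def parse_hosts(text):
    """Map each address in /etc/hosts to its names, in file order."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            table.setdefault(addr, []).extend(names)
    return table

def check_dc_resolution(hosts_text, resolv_text, dc_fqdn):
    """Return a list of findings; an empty list means the files are consistent."""
    findings = []
    resolv, hosts = parse_resolv(resolv_text), parse_hosts(hosts_text)
    domain = dc_fqdn.split(".", 1)[1]
    if resolv["domain"] != domain and domain not in resolv["search"]:
        findings.append("resolv.conf domain/search does not cover " + domain)
    dc_addrs = [a for a, names in hosts.items() if dc_fqdn in names]
    if not dc_addrs:
        findings.append(dc_fqdn + " has no /etc/hosts entry")
    for addr in dc_addrs:
        if addr.startswith("127.") or addr == "::1":
            findings.append(dc_fqdn + " is mapped to loopback " + addr)
        if hosts[addr][0] != dc_fqdn:
            findings.append("FQDN must precede the short name for " + addr)
    if dc_addrs and resolv["nameserver"][:1] != dc_addrs[:1]:
        findings.append("first nameserver is not the DC's own address")
    return findings
```

Run against real files with `check_dc_resolution(open("/etc/hosts").read(), open("/etc/resolv.conf").read(), "dc3.campus.sertao.ifrs.edu.br")`; the post's excerpts produce no findings.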

# Global parameters
[global]
        netbios name = DC3
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = CAMPUS
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        #log file = /var/log/samba/log.%m
        #log level = 10
        ntlm auth = yes
        #ntlm auth = mschapv2-and-ntlmv2-only

[netlogon]
        path = /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[libdefaults]
        default_realm = CAMPUS.SERTAO.IFRS.EDU.BR
        dns_lookup_realm = false
        dns_lookup_kdc = true

root at dc3:/etc/samba/scripts# ls -lah /etc/krb5.conf
-rw-r--r-- 1 root bind 106 nov 16  2017 /etc/krb5.conf

sysvol permissions:
root at dc3:/var/lib/samba# ls -lah
total 1,4M
drwxr-xr-x   8 root root          4,0K jul 30 10:03 .
drwxr-xr-x  32 root root          4,0K jul  3 09:27 ..
-rw-------   1 root root          412K nov  8  2017 account_policy.tdb
-rw-------   1 root root           696 nov  8  2017 group_mapping.tdb
drwxr-x---   2 root ntp           4,0K jul 30 10:03 ntp_signd
drwxr-xr-x  10 root root          4,0K nov  8  2017 printers
drwxr-xr-x   8 root root          4,0K jul 30 10:12 private
-rw-------   1 root root          516K nov 23  2017 registry.tdb
-rw-------   1 root root          412K jul 30 09:29 share_info.tdb
drwxrwx---+  3 root       3000000 4,0K jul 30 09:37 sysvol
drwxrwx--T   2 root sambashare    4,0K nov  8  2017 usershares
-rw-------   1 root root           32K jul 30 10:11 winbindd_cache.tdb
drwxr-x---   2 root winbindd_priv 4,0K jul 30 10:03 winbindd_privileged

samba-tool ntacl sysvolreset (sysvolcheck shows an error, but I believe that is normal)
root at dc3:/var/lib/samba# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ does not match expected value from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

samba-tool ntacl sysvolreset OK

samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes  OK

samba_dnsupdate --verbose --all-names OK

Louis's script (samba-check-set-sysvol.sh) for the sysvol check returns this:

root at dc3:/etc/samba/scripts# ./samba-check-set-sysvol.sh

The sysvol ACLS info.....

Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.
Set your sysvol SHARE permissions as followed.
Authenticated Users: FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this
for some GPO settings.

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read


I also checked the link above and made the suggested changes, but even then
the initial gpupdate error still occurs.

Any idea?

Elias Pereira
