[Samba] strange gpo behaviour

Rowland Penny rpenny at samba.org
Wed Apr 17 17:56:38 UTC 2019

On Wed, 17 Apr 2019 18:29:19 +0100
Sérgio Basto via samba <samba at lists.samba.org> wrote:

> My experience was:
> 1. MIT krb doesn't support it, we need to use the old krb system.

Do not use MIT, it is, at best, experimental.

> 2. We need to disable SELinux, SELinux permissive is not enough to allow
> writing to the shared folder sysvol. It causes crashes on Windows.

SELinux is not part of Samba, perhaps ask Fedora about this.

> 3. When we have 2 or more DC(s) we need to force client tools like
> RSAT to write only to the first DC because "Samba in its current state
> doesn't support SysVol replication" [1], if RSAT writes randomly to
> DC(s) we may have errors like: samba-tool ntacl sysvolreset, - open:
> error=2 (No such file or directory) [2]

This is a misconfiguration of your DCs. Yes, Sysvol isn't replicated
(yet) but there are ways around this.

> 4. With efficient replication and writing POL(s) just to the first DC,
> it seems to work well.

Provided you use some form of two-way sync, you should be able to create
GPOs on any Samba AD DC, but it is probably best practice to just
create them on the PDC-Emulator DC.
