[Samba] GPO / Sysvol problems

Gregory Sloop gregs at sloop.net
Wed Jan 23 16:40:55 UTC 2019


So, I'm seeing some very odd behavior.
I may have multiple issues - so I'm simply starting by holding the thread of the problem and working my way back.

So, the root symptom I'm having is that a GPO isn't applying correctly. [Roaming profiles namely.]
I have two DCs. I change the GPO on one DC and rsync the update to the other DC.
I can see that the files get updated.

Yet when I log in to the domain from a test Windows workstation, it's not seeing the updated GPO data. [I'm changing the directory where the roaming profiles are to be stored.]

I see numerous queries about GPOs and NTACLs etc.
I pulled down the Rowland/Louis script to check sysvol. [v 0.2]
Yet the output doesn't seem to show me anything.

---
# ./samba-check-set-sysvol.sh
Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
The sysvol ACLS info.....

Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.
Set your sysvol SHARE permissions as followed.
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

---


~# cat default-rights-sysvol.acl
# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

---
When I check the file/directory permissions they appear correct.
The computer/user is actually seeing the GPO, just an "old" version of it.

So, where to look to see what's causing the issue - what are the likely causes?

TIA
-Greg

