[Samba] GPO fail and sysvol perm errors

L.P.H. van Belle belle at bazuin.nl
Wed Oct 28 14:02:58 UTC 2020


> -----Original message-----
> From: Sonic [mailto:sonicsmith at gmail.com]
> Sent: Wednesday, 28 October 2020 14:24
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] GPO fail and sysvol perm errors
> Good day Louis,
> On Wed, Oct 28, 2020 at 3:46 AM L.P.H. van Belle <belle at bazuin.nl> wrote:
> > Ok, I'm guessing you can open the gpt.ini file fine if you click that link, correct?
> Yes, could open, read, edit, and save that file.

As I expected, but what if I tell you that the user you're testing this with
is not the user/computer that reads the file.

> > Have you enabled the "Always wait for network" GPO setting?
> No, but I'm testing from clients with 'gpupdate /force' in PowerShell,
> and not at logon time.

Ah, ok, well, reboot the computer after the join, 2 times.
After the 1st reboot clear all logs; you will see things quicker.
And not all policies are applied when you're logged in.

> > https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc727302(v=ws.10)?redirectedfrom=MSDN
> > So here they say, delete and recreate; I don't think that's needed.
> Just sysvolreset was all that was needed; if it was corrupt, then
> changing the perms shouldn't matter.
> > I think your solution is in this link.
> > https://docs.microsoft.com/nl-nl/troubleshoot/windows-server/group-policy/permissions-this-gpo-inconsistent
> I get no errors running GPMC.

Ah, great, so then I assume it's fixed now??
(but I think not)

> > > After running sysvolreset the systems update fine. Problem is once I
> > > add or edit a GPO (from Windows 10 20H2) everything fails until I run
> > > sysvolreset again.
> > That's because there is something off in the rights, or it's trying
> > to read it but the network isn't ready yet.
> Not a network ready issue (testing with up and running systems
> manually running gpupdate).
No, this is not a network issue.
There are 2 things here.
1) The computer starts up and applies the computer policies (as SYSTEM).
2) The fast computers these days show their desktop before the network is fully started on Windows.

When I'm testing, I'm rebooting the computer every time.
> > > > And which group is set on sysvol in general on the share tab.
> >
> > > This is the current info (I did run sysvolreset to get the GPOs
> > > working again, so this is not with your settings; I can look into this again later)
> > > Owner is ADDOM\Administrator
> > > Allow Everyone Full Control
> > >
> > That should be sufficient.
> > And.. it's not "my" settings.. ;-)  All can be found in:
> > https://docs.microsoft.com/
> >
> > I also recommend you to read, since you also have a remote location:
> > https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview
> Just one Windows 10 Pro 20H2 (QEMU/KVM) system. There's a site-to-site
> vpn between my network and the target network (wireguard on OpenBSD)
> which works quite well; can easily join systems to the domain, read
> and write files, print etc.
> Not using folder redirection, offline files, or roaming profiles.
> Testing being done with very minimal GPOs - Chrome home page, no autorun, etc.

I also have 2 locations logging in over a strongswan VPN setup here,
but with folder redirection, offline files, and roaming profiles.

Now, re-apply these. (Long lines, make sure you didn't miss a part.)

samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /var/lib/samba/sysvol/ 

Next line: 

samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /var/lib/samba/sysvol/$(hostname -d) 

samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)" /var/lib/samba/sysvol/$(hostname -d)/Policies/

Now test: create a new policy and test it. If that works, which it should, because this is coming from my production servers,
then compare it with the one that is not working. Run getfacl on both folders.
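As an added example (not from this mail or from the Samba project), the Python below decodes the SDDL strings used in those samba-tool ntacl set commands, so you can see which principal gets which rights before applying them, and it compares the expected descriptor with what `samba-tool ntacl get --as-sddl <path>` prints for the folder that is not working. The SID aliases (LA, BA, SO, SY, AU, PA) and the access-mask values are standard Windows definitions; the function names are mine, and BROKEN_SDDL is a constructed sample, not output captured from anyone's server.

```python
import re

# Well-known SDDL SID aliases used in the sysvol descriptors above
# (standard Windows definitions; display names are for readability only).
SID_ALIASES = {
    "LA": "Domain Administrator account (RID 500)",
    "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "PA": "Group Policy Creator Owners",
}

# Individual file/directory access-mask bits (standard Windows values).
RIGHTS = [
    (0x00000001, "FILE_READ_DATA"),
    (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]

# Composite masks as the Windows security tab names them.
NAMED_MASKS = {
    0x001F01FF: "Full Control",
    0x001301BF: "Modify",
    0x001200A9: "Read & Execute",
}

HEADER_RE = re.compile(r"^O:([\w-]+)G:([\w-]+)D:([A-Z]*)(.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACEs.

    Only the hex access-mask form that samba-tool prints is handled; the
    two-letter rights aliases (FA, FR, ...) are rejected rather than guessed.
    """
    m = HEADER_RE.match(sddl.strip())
    if not m:
        raise ValueError("not a recognised SDDL string: %r" % sddl)
    owner, group, dacl_flags, rest = m.groups()
    dacl_text = rest.split("S:")[0]  # ignore a trailing SACL if one is present
    aces = []
    for body in ACE_RE.findall(dacl_text):
        ace_type, flags, mask, _obj, _inh_obj, trustee = body.split(";")
        if not mask.lower().startswith("0x"):
            raise ValueError("only hex access masks are handled, got %r" % mask)
        aces.append({"type": ace_type, "flags": flags,
                     "mask": int(mask, 16), "trustee": trustee})
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}


def describe_mask(mask):
    """Name a mask as the security tab would, else list its individual bits."""
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    return "|".join(name for bit, name in RIGHTS if mask & bit) or hex(mask)


def explain(sddl):
    """One readable line per ACE, e.g. 'BUILTIN\\Administrators: Full Control (OICI)'."""
    return ["%s: %s (%s)" % (SID_ALIASES.get(a["trustee"], a["trustee"]),
                              describe_mask(a["mask"]), a["flags"])
            for a in parse_sddl(sddl)["aces"]]


def diff_acl(expected_sddl, actual_sddl):
    """Compare two descriptors. Returns (missing_aces, extra_aces, header_matches)."""
    exp, act = parse_sddl(expected_sddl), parse_sddl(actual_sddl)

    def key(a):
        return (a["type"], a["flags"], a["mask"], a["trustee"])

    exp_set = {key(a) for a in exp["aces"]}
    act_set = {key(a) for a in act["aces"]}
    header_ok = all(exp[f] == act[f] for f in ("owner", "group", "dacl_flags"))
    return sorted(exp_set - act_set), sorted(act_set - exp_set), header_ok


# The Policies descriptor from the mail above (expected state).
POLICIES_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001301bf;;;PA)")

# Constructed sample of what `samba-tool ntacl get --as-sddl` might print for a
# folder whose rights went wrong: owner changed, SO and PA entries gone.
BROKEN_SDDL = ("O:BAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001200a9;;;AU)")

if __name__ == "__main__":
    for line in explain(POLICIES_SDDL):
        print(line)
    missing, extra, header_ok = diff_acl(POLICIES_SDDL, BROKEN_SDDL)
    print("owner/group/flags match:", header_ok)
    print("missing:", missing)
    print("extra:", extra)
```

Feed the real output of `samba-tool ntacl get --as-sddl` for a working and a non-working Policies subfolder into `diff_acl` in place of BROKEN_SDDL; a non-empty missing list, or a header mismatch, tells you which ACE the Windows client's write has dropped, which is more precise than eyeballing getfacl output.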


