[Samba] How to sort out GPO problems

Rommel Rodriguez Toirac rommelrt at nauta.cu
Mon Feb 15 15:43:52 UTC 2021


Hello;
A few months ago I installed an additional domain controller on my network. Directory replication worked fine, and then I transferred all roles to this new AD DC. I never shut down or discontinued the other server.

  Old Active Directory Domain Controller - gtmad.gtm.onat.gob.cu -  192.168.41.17 - CentOS 7
  New Active Directory Domain Controller - gtmad1.gtm.onat.gob.cu - 192.168.41.18 - CentOS 8 
  
Recently I have realized that on this new server there are no GPOs.

When I look at the content of this directory (sysvol/gtm.onat.gob.cu/Policies/), there is nothing, while on the old domain controller there is something:

[root at gtmad1 locks]# ls /usr/local/samba/var/locks/sysvol/gtm.onat.gob.cu/Policies/
[root at gtmad1 locks]# ls /usr/local/samba/var/locks/sysvol/gtm.onat.gob.cu/scripts/


[root at gtmad gtm.onat.gob.cu]# ls /var/lib/samba/sysvol/gtm.onat.gob.cu/Policies/
{31B2F340-016D-11D2-945F-00C04FB984F9}  {6AC1786C-016F-11D2-945F-00C04FB984F9}  {E7C5A149-6347-4716-AD04-DB6B050F1EFE}


Using samba-tool gpo listall, the same policies are listed on both domain controllers:

[root at gtmad1 locks]# samba-tool gpo listall
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.GTM.ONAT.GOB.CU<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name gtmad1.gtm.onat.gob.cu<0x20>
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version      : 0
flags        : NONE

GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version      : 1835101
flags        : NONE


[root at gtmad gtm.onat.gob.cu]# samba-tool gpo listall
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.GTM.ONAT.GOB.CU<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name gtmad.gtm.onat.gob.cu<0x20>
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version      : 0
flags        : NONE

GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version      : 1835101
flags        : NONE
I have noticed that the permissions of the directory containing the GPOs are different:

[root at gtmad1 locks]# ls -l /usr/local/samba/var/locks/sysvol/
total 4
drwxr-xr-x 4 root root 4096 feb 12 09:53 gtm.onat.gob.cu
 
 
[root at gtmad gtm.onat.gob.cu]# ls -l /var/lib/samba/sysvol/
total 8
drwxrwx---+ 4 root BUILTIN\administrators 4096 nov 13  2015 gtm.onat.gob.cu


Would changing the permissions of this directory solve the problem?
How can I change the permissions of that directory, and what would be the correct permissions?

Any other suggestions or tests before shutting down or discontinuing the old domain controller?

-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu
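Editor's added example, not part of the post above and not Samba project code. The post compares the two DCs by eye: the directory side (`samba-tool gpo listall`, which reads the GPO objects replicated by AD) agrees, while the file side (the Policies tree under SysVol, which Samba does not replicate between DCs) does not. The helpers below make that comparison mechanical: they list the {GUID} directories of a Policies folder, extract GUIDs from saved `listall` output, and report what one side has that the other lacks, in both directions, so a directory with no matching GPO object is also caught. The last function shows the copy-and-ACL-reset step a practitioner runs on the new DC; the hostname and both sysvol paths are taken from the post, and root SSH access from gtmad1 to gtmad is an assumption.

```shell
#!/bin/sh
# Added example (editor's code, not from the post or from Samba).
# Samba AD DCs replicate GPO objects in the directory but not the SysVol
# share, so a newly joined DC's Policies tree stays empty until it is copied.
# Paths and host below come from the post; root SSH access is an assumption.

# {GUID} policy directories under a Policies folder, one per line, sorted.
list_gpo_dirs() {
    [ -d "$1" ] || return 0
    for d in "$1"/\{*\}; do
        [ -d "$d" ] && basename "$d"
    done | sort
}

# GPO GUIDs from `samba-tool gpo listall` output read on stdin, sorted.
gpo_guids_from_listall() {
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*\({[^}]*}\).*/\1/p' | sort
}

# Echo the lines of stdin that do not appear in the newline-separated list $1.
not_in_list() {
    while IFS= read -r item; do
        printf '%s\n' "$1" | grep -Fxq -- "$item" || printf '%s\n' "$item"
    done
}

# Policy directories present under Policies dir $1 but absent from Policies dir $2.
missing_gpo_dirs() {
    list_gpo_dirs "$1" | not_in_list "$(list_gpo_dirs "$2")"
}

# GPOs in the directory (listall output on stdin) with no directory under $1:
# clients that pick this DC will fail to read these policies.
gpos_without_sysvol_dir() {
    gpo_guids_from_listall | not_in_list "$(list_gpo_dirs "$1")"
}

# Directories under $1 with no GPO object in the listall output on stdin:
# stale or orphaned; worth checking before the old DC is retired.
gpo_dirs_without_object() {
    objs=$(gpo_guids_from_listall)
    list_gpo_dirs "$1" | not_in_list "$objs"
}

# Run on the new DC: copy SysVol from the old (authoritative) DC, then rebuild
# the NT ACLs. rsync -aAX keeps ownership, POSIX ACLs and xattrs (Samba stores
# the NT ACL in an xattr); `samba-tool ntacl sysvolreset` re-applies the
# expected SysVol ACLs and `sysvolcheck` verifies them. Defaults are assumed.
sync_sysvol_from_old_dc() {
    old_host=${1:-gtmad.gtm.onat.gob.cu}
    old_sysvol=${2:-/var/lib/samba/sysvol/}
    new_sysvol=${3:-/usr/local/samba/var/locks/sysvol/}
    rsync -aAX --delete "root@${old_host}:${old_sysvol}" "${new_sysvol}" &&
        samba-tool ntacl sysvolreset &&
        samba-tool ntacl sysvolcheck
}

# Invoked directly with two Policies paths: report what the second one lacks.
if [ "$#" -eq 2 ]; then
    echo "In $1 but not in $2:"
    missing_gpo_dirs "$1" "$2"
fi
```

Run the comparison on gtmad1 against a copy of the old tree (or feed it saved `listall` output from either DC) before and after the copy; the copy must go from the old DC to the new one, since `--delete` makes the destination match the source exactly. The POSIX ACL marker (`+`) and the `BUILTIN\administrators` group seen on gtmad are what `samba-tool ntacl sysvolreset` produces on a DC whose winbind name mapping works, so changing the directory mode by hand is not the fix; copying the files and then running `sysvolreset` on gtmad1 is the sequence the Samba wiki documents for rsync-based SysVol replication.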
