[Samba] How to sort out GPO problems
Rommel Rodriguez Toirac
rommelrt at nauta.cu
Mon Feb 15 15:43:52 UTC 2021
Hello;
A few months ago I installed an additional domain controller on my network, directory replication worked fine and then I transferred all roles to this new AD DC. I never shut down or discontinued the other server.
Old Active Directory Domain Controller - gtmad.gtm.onat.gob.cu - 192.168.41.17 - CentOS 7
New Active Directory Domain Controller - gtmad1.gtm.onat.gob.cu - 192.168.41.18 - CentOS 8
Recently I have realized that on this new server there are no GPOs.
When I look at the content of this directory (sysvol/gtm.onat.gob.cu/Policies/), there is nothing, while on the old domain controller there is something:
[root at gtmad1 locks]# ls /usr/local/samba/var/locks/sysvol/gtm.onat.gob.cu/Policies/
[root at gtmad1 locks]# ls /usr/local/samba/var/locks/sysvol/gtm.onat.gob.cu/scripts/
[root at gtmad gtm.onat.gob.cu]# ls /var/lib/samba/sysvol/gtm.onat.gob.cu/Policies/
{31B2F340-016D-11D2-945F-00C04FB984F9} {6AC1786C-016F-11D2-945F-00C04FB984F9} {E7C5A149-6347-4716-AD04-DB6B050F1EFE}
Using samba-tool gpo listall the same policies are listed on both domain controllers:
[root at gtmad1 locks]# samba-tool gpo listall
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.GTM.ONAT.GOB.CU<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name gtmad1.gtm.onat.gob.cu<0x20>
GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path : \\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version : 0
flags : NONE
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path : \\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version : 1835101
flags : NONE
[root at gtmad gtm.onat.gob.cu]# samba-tool gpo listall
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.GTM.ONAT.GOB.CU<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name gtmad.gtm.onat.gob.cu<0x20>
GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path : \\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version : 0
flags : NONE
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path : \\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version : 1835101
flags : NONE
I have noticed that the permissions of the directory where the GPOs are stored are different:
[root at gtmad1 locks]# ls -l /usr/local/samba/var/locks/sysvol/
total 4
drwxr-xr-x 4 root root 4096 feb 12 09:53 gtm.onat.gob.cu
[root at gtmad gtm.onat.gob.cu]# ls -l /var/lib/samba/sysvol/
total 8
drwxrwx---+ 4 root BUILTIN\administrators 4096 nov 13 2015 gtm.onat.gob.cu
Would changing the permissions of this directory solve the problem?
How can I change the permissions to that directory and what would be the correct permissions?
Any other suggestions or tests before shutting down or discontinuing the old domain controller?
--
Rommel Rodriguez Toirac
rommelrt at nauta.cu
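Samba replicates the AD side of a GPO (the object under CN=Policies) between DCs but does not replicate the sysvol file share, so the two views can drift apart exactly as the listings above show. The following script is an added example, not from the post or from Samba; it cross-checks `samba-tool gpo listall` output against a listing of the sysvol Policies directory and reports GPOs with no directory and directories with no GPO object. The sample input is constructed from the listings in the post; the live-DC invocation at the end assumes the sysvol path shown for the old DC.

```shell
#!/bin/sh
# Added example, not from the original post. Samba does not replicate
# sysvol between DCs, so AD can list a GPO whose directory never reached
# the new DC. This compares both views on one DC.

# GUIDs of GPO objects known to AD, taken from "GPO : {GUID}" lines
# of `samba-tool gpo listall` output passed as $1.
gpo_guids_from_listall() {
    printf '%s\n' "$1" | sed -n 's/^GPO[[:space:]]*:[[:space:]]*\({[^}]*}\).*/\1/p'
}

# GPOs present in AD ($1 = listall output) but with no directory in the
# sysvol Policies listing ($2 = one directory name per line).
gpos_missing_from_sysvol() {
    gpo_guids_from_listall "$1" | while IFS= read -r guid; do
        printf '%s\n' "$2" | grep -qxF "$guid" || printf '%s\n' "$guid"
    done
}

# The reverse check: sysvol directories with no matching GPO object.
sysvol_dirs_without_gpo() {
    guids=$(gpo_guids_from_listall "$1")
    printf '%s\n' "$2" | while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        printf '%s\n' "$guids" | grep -qxF "$dir" || printf '%s\n' "$dir"
    done
}

# Constructed sample input mirroring the post: both DCs list the same two
# GPOs in AD; the new DC's Policies directory is empty, the old DC's also
# holds a third directory that matches no GPO object.
SAMPLE_LISTALL='GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
version      : 0
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
version      : 1835101'
SAMPLE_POLICIES_NEW=''
SAMPLE_POLICIES_OLD='{31B2F340-016D-11D2-945F-00C04FB984F9}
{6AC1786C-016F-11D2-945F-00C04FB984F9}
{E7C5A149-6347-4716-AD04-DB6B050F1EFE}'

echo "GPOs without a sysvol directory on the new DC:"
gpos_missing_from_sysvol "$SAMPLE_LISTALL" "$SAMPLE_POLICIES_NEW"
echo "sysvol directories without a GPO object on the old DC:"
sysvol_dirs_without_gpo "$SAMPLE_LISTALL" "$SAMPLE_POLICIES_OLD"
# On a live DC (sysvol path as shown in the post for the old DC; adjust per DC):
#   gpos_missing_from_sysvol "$(samba-tool gpo listall)" \
#       "$(ls -1 /var/lib/samba/sysvol/gtm.onat.gob.cu/Policies/)"
```

Run the same check on each DC; a GPO reported as missing on one DC but present on another shows which DC's sysvol content is the complete copy.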