[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
Marco Shmerykowsky
marco at sce-engineers.com
Thu Jan 28 18:54:00 UTC 2021
On 1/28/2021 10:46 AM, Marco Shmerykowsky via samba wrote:
> I'm currently running Debian 10 & Samba 4.13.2.
>
> Users can connect remotely via OpenVPN with the
> authentication being handled by samba.
>
> I created a second DC, joined it to the domain following
> "Joining a Samba DC to an Existing Active Directory"
> from the SambaWiki.
>
> I also implemented the "Rsync based SysVol replication workaround"
> also listed in the SambaWiki.
>
> After adding in the second DC as described above users
> started having issues with the GPOs not being applied.
> Running gpresult shows that the failed drive maps have
> the error -> winning gpo Result: Failure (Error Code: 0x80070035)
>
> What is odd is that it doesn't appear consistent. I've
> logged in using the user's credentials on two computers
> and have no issues. The user, however, still seems to
> have issues even after deleting the local profile,
> running 'gpupdate /force' and rebooting.
>
> Ideas? Thank you.
>
Just to add to this:
If I run 'samba-tool ntacl sysvolcheck' on either server I get the
following:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/sce-internal.sce-engineers.com/Policies/{51902A58-DF2B-440B-B85B-41E156D631EA}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119)(A;OICI;0x001200a9;;;DU)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119)
from GPO object
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
186, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
446, in run
lp)
File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1894, in checksysvolacl
direct_db_access)
File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1844, in check_gpos_acl
domainsid, direct_db_access)
File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1786, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_db_access),
path, fsacl_sddl, acl)
Running 'samba-tool ntacl sysvolreset' seems to clear the error
for a bit before it started appearing again.
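
Added example (not part of the original message and not Samba's own code): a small Python helper that splits the two SDDL strings from the sysvolcheck error above into DACL flags and ACEs and reports what differs. The function names are hypothetical, and comparing ACEs as an unordered multiset is an assumption of this example.

```python
import re
from collections import Counter

# SDDL strings copied from the sysvolcheck error quoted in the message above.
COMMON = (
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001200a9;;;ED)"
    "(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119)"
)
ON_DISK = "O:DAG:DAD:PAI" + COMMON + "(A;OICI;0x001200a9;;;DU)"  # ACL on the directory
EXPECTED = "O:DAG:DAD:PAR" + COMMON                              # ACL from the GPO object
# Standard SDDL trustee aliases that appear in these strings.
TRUSTEES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "Creator Owner",
            "SY": "Local System", "AU": "Authenticated Users",
            "ED": "Enterprise Domain Controllers", "DU": "Domain Users"}
SDDL_RE = re.compile(
    r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACE tuples."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL (expected O:..G:..D:.. with no SACL)")
    return {"owner": m["owner"], "group": m["group"],
            "flags": set(re.findall(r"AI|AR|P", m["flags"])),  # P, AI, AR DACL flags
            "aces": [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m["aces"])]}

def diff_sddl(actual, expected):
    """Report what differs; ACEs are compared as multisets, so order is ignored."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    ca, ce = Counter(a["aces"]), Counter(e["aces"])
    return {"owner_differs": a["owner"] != e["owner"], "group_differs": a["group"] != e["group"],
            "flags_only_actual": a["flags"] - e["flags"],
            "flags_only_expected": e["flags"] - a["flags"],
            "aces_only_actual": sorted((ca - ce).elements()),
            "aces_only_expected": sorted((ce - ca).elements())}

def describe_ace(ace):
    """Render one ACE tuple with its trustee alias expanded where known."""
    kind, flags, rights, _obj, _inh, trustee = ace[:6]
    return f"{kind} flags={flags} rights={rights} trustee={TRUSTEES.get(trustee, trustee)}"

if __name__ == "__main__":
    d = diff_sddl(ON_DISK, EXPECTED)
    print("flags on disk only:", d["flags_only_actual"], "expected only:", d["flags_only_expected"])
    for side in ("aces_only_actual", "aces_only_expected"):
        for ace in d[side]:
            print(side, describe_ace(ace))
```

For the two strings in the error, this reports the AI DACL flag on disk where the GPO object has AR, plus one ACE for DU (Domain Users) that is present on disk only.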