[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)

Marco Shmerykowsky marco at sce-engineers.com
Thu Jan 28 18:54:00 UTC 2021

On 1/28/2021 10:46 AM, Marco Shmerykowsky via samba wrote:
> I'm currently running Debian 10 & Samba 4.13.2.
> Users can connect remotely via OpenVPN with the
> authentication being handled by samba.
> I created a second DC, joined it to the domain following
> "Joining a Samba DC to an Existing Active Directory"
> from the SambaWiki.
> I also implemented the "Rsync based SysVol replication workaround"
> also listed in the SambaWiki.
> After adding in the second DC as described above users
> started having issues with the GPO's not being applied.
> Running gpresult shows that the failed drive maps have
> the error -> winning gpo Result: Failure (Error Code: 0x80070035)
> What is odd is that it doesn't appear consistent. I've
> logged in using the user's credentials on two computers
> and have no issues.  The user, however, still seems to
> have issues even after deleting the local profile,
> running 'gpupdate /force' and rebooting.
> Ideas?  Thank you.

Just to add to this:

If I run 'samba-tool ntacl sysvolcheck' on either server I get the 

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory does not match expected value from GPO object
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1894, in checksysvolacl
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1844, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1786, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)

Running 'samba-tool ntacl sysvolreset' seems to clear the error
for a bit before it started appearing again.
