[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
Marco Shmerykowsky
marco at sce-engineers.com
Thu Jan 28 21:13:04 UTC 2021
On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>>
>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>>
>>>>
>>>> Just to add to this:
>>>>
>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
>>>> following:
>>>
>>> I know you are syncing sysvol between the two DCs, but are you also
>>> syncing idmap.ldb from the first DC to the second?
>>>
>>> If you aren't, then you will probably have different xidNumbers on
>>> each DC.
>>>
>>> Rowland
>>
>> I did the sync once when I setup the server. The docs on the
>> wiki seem to imply this is a one time step and not something
>> that needs to be done continuously.
>>
>> I did find a configuration error on the new DC that may
>> have affected the way DNS was working; however, after
>> correcting that the user is still reporting that after
>> logon, the GPOs are not being applied.
>>
>> I cannot replicate the problem on my end.
>>
>> The results of the drive map according to gpresult
>> from the user's computer produce (Error Code: 0x80070035).
>>
> I believe that error code means that the directory cannot be found,
> though it could be a permissions problem. It could be something as
> simple as giving Domain Admins a gidNumber attribute.
>
> idmap.ldb works by giving domain users & groups an xidNumber attribute
> (not to be confused with uidNumber & gidNumber attributes); these are
> allocated on a first-come basis, so you may have to sync idmap.ldb a few
> times to ensure they match. Without doing this, the wrong user or group
> may be used.
>
> Windows has the concept of groups owning files & folders, on Unix a
> group cannot own anything, so, in idmap.ldb, you find groups marked as
> 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes just a
> group and cannot own anything, Domain Admins is such a group.
>
> Rowland
But why would the policy work on one computer and not another with
the same login credentials?
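The explanation above (xidNumbers allocated first-come on each DC, so two unsynced idmap.ldb files can map the same SID to different IDs, and ID_TYPE_BOTH being what lets a group such as Domain Admins own sysvol files) can be checked mechanically. The following is an added example, not code from this thread or from the Samba project: it parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints on each DC, compares the two SID-to-xidNumber maps, and reports whether the Domain Admins mapping is still ID_TYPE_BOTH. The record layout (objectSid, xidNumber, type attributes per sidMap entry) is assumed from typical idmap.ldb contents, and the two LDIF snippets are constructed sample data in which the second DC allocated two IDs in the opposite order and is missing one mapping.

```python
"""Compare idmap.ldb exports from two Samba AD DCs and flag SID->xid divergence."""
import base64
import re
from typing import Dict, List, NamedTuple

DOMAIN_ADMINS_RID = 512  # well-known RID of the Domain Admins group


class Mapping(NamedTuple):
    xid: int       # xidNumber allocated on that DC
    id_type: str   # ID_TYPE_BOTH / ID_TYPE_UID / ID_TYPE_GID


def parse_idmap_ldif(ldif_text: str) -> Dict[str, Mapping]:
    """Parse ldbsearch-style LDIF into {objectSid: Mapping}.

    Records are separated by blank lines. Only objectSid, xidNumber and type are
    used; 'attr:: value' lines are base64 and are decoded. Assumed layout: one
    sidMap record per mapping, as idmap.ldb typically stores them.
    """
    mappings: Dict[str, Mapping] = {}
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs: Dict[str, str] = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            if "::" in line:
                key, _, b64 = line.partition("::")
                value = base64.b64decode(b64.strip()).decode("utf-8", "replace")
            else:
                key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = Mapping(int(attrs["xidNumber"]),
                                                   attrs.get("type", "?"))
    return mappings


def compare_idmaps(dc1: Dict[str, Mapping], dc2: Dict[str, Mapping]) -> List[str]:
    """Return one line per SID whose mapping differs between the two DCs."""
    problems: List[str] = []
    for sid in sorted(set(dc1) | set(dc2)):
        a, b = dc1.get(sid), dc2.get(sid)
        if a is None or b is None:
            problems.append(f"{sid}: present only on {'DC1' if b is None else 'DC2'}")
        elif a.xid != b.xid:
            problems.append(f"{sid}: xidNumber {a.xid} on DC1 vs {b.xid} on DC2")
        elif a.id_type != b.id_type:
            problems.append(f"{sid}: type {a.id_type} on DC1 vs {b.id_type} on DC2")
    return problems


def domain_admins_is_both(mapping: Dict[str, Mapping], domain_sid: str) -> bool:
    """True if Domain Admins is mapped ID_TYPE_BOTH, i.e. it can still own files."""
    entry = mapping.get(f"{domain_sid}-{DOMAIN_ADMINS_RID}")
    return entry is not None and entry.id_type == "ID_TYPE_BOTH"


# Constructed sample exports (not real data). DC2 handed out 3000001/3000002 in
# the opposite order to DC1 and never saw RID 1107 at all.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
DC1_LDIF = f"""
dn: CN={DOMAIN_SID}-512
objectClass: sidMap
objectSid: {DOMAIN_SID}-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN={DOMAIN_SID}-1105
objectSid: {DOMAIN_SID}-1105
type: ID_TYPE_UID
xidNumber: 3000001

dn: CN={DOMAIN_SID}-1106
objectSid: {DOMAIN_SID}-1106
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN={DOMAIN_SID}-1107
objectSid: {DOMAIN_SID}-1107
type: ID_TYPE_UID
xidNumber: 3000003
"""
DC2_LDIF = f"""
dn: CN={DOMAIN_SID}-512
objectSid: {DOMAIN_SID}-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN={DOMAIN_SID}-1106
objectSid: {DOMAIN_SID}-1106
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN={DOMAIN_SID}-1105
objectSid: {DOMAIN_SID}-1105
type: ID_TYPE_UID
xidNumber: 3000002
"""

if __name__ == "__main__":
    dc1, dc2 = parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)
    for line in compare_idmaps(dc1, dc2):
        print(line)
    print("Domain Admins ID_TYPE_BOTH on DC1:", domain_admins_is_both(dc1, DOMAIN_SID))
```

In practice, run `ldbsearch -H /var/lib/samba/private/idmap.ldb > idmap-DCNAME.ldif` on each DC and feed both files to `parse_idmap_ldif`; any line from `compare_idmaps` means files in the synced sysvol carry different owners or ACL entries on one DC than on the other, which is exactly the situation that produces sysvolcheck errors on one side only.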