[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)

Marco Shmerykowsky marco at sce-engineers.com
Thu Jan 28 21:13:04 UTC 2021

On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>> Just to add to this:
>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the 
>>>> following:
>>> I know you are syncing sysvol between the two DC's, but are you also 
>>> syncing idmap.ldb from the first DC to the second ?
>>> If you aren't, then you will probably have different xidNumbers on 
>>> each DC.
>>> Rowland
>> I did the sync once when I setup the server.  The docs on the
>> wiki seem to imply this is a one time step and not something
>> that needs to be done continuously.
>> I did find a configuration error on the new DC that may
>> have effected the was DNS was working, however after
>> correcting that the user still is reporting that after
>> logon, the GPO's are not being applied.
>> I can not replicate the problem on my end.
>> The results of the drive map according to gpresult
>> from the user's computer produce (Error Code: 0x80070035).
> I believe that error code means  that the directory cannot be found, 
> though it could be a permissions problem. It could be something as 
> simple as giving Domain Admins a gidNumber attribute.
> idmap.ldb works by giving domain users & groups an xidNumber attribute 
> (not to be confused with uidNumber & gidNumber attributes), these are 
> allocated on a first come basis, so you may have to sync idmap.ldb a few 
> times to ensure they match, without doing this, the wrong user or group 
> may be used.
> Windows has the concept of groups owning files & folders, on Unix a 
> group cannot own anything, so, in idmap.ldb, you find groups marked as 
> 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes just a 
> group and cannot own anything, Domain Admins is such a group.
> Rowland

But why would the policy work on one computer and not another with
the same login credentials?

More information about the samba mailing list