[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)

Rowland penny rpenny at samba.org
Thu Jan 28 21:21:44 UTC 2021

On 28/01/2021 21:13, Marco Shmerykowsky via samba wrote:
> On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
>> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>>> Just to add to this:
>>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the 
>>>>> following:
>>>> I know you are syncing sysvol between the two DCs, but are you 
>>>> also syncing idmap.ldb from the first DC to the second ?
>>>> If you aren't, then you will probably have different xidNumbers on 
>>>> each DC.
>>>> Rowland
>>> I did the sync once when I setup the server.  The docs on the
>>> wiki seem to imply this is a one time step and not something
>>> that needs to be done continuously.
>>> I did find a configuration error on the new DC that may
>>> have affected the way DNS was working, however after
>>> correcting that the user still is reporting that after
>>> logon, the GPO's are not being applied.
>>> I can not replicate the problem on my end.
>>> The results of the drive map according to gpresult
>>> from the user's computer produce (Error Code: 0x80070035).
>> I believe that error code means that the directory cannot be found, 
>> though it could be a permissions problem. It could be something as 
>> simple as giving Domain Admins a gidNumber attribute.
>> idmap.ldb works by giving domain users & groups an xidNumber 
>> attribute (not to be confused with uidNumber & gidNumber attributes), 
>> these are allocated on a first come basis, so you may have to sync 
>> idmap.ldb a few times to ensure they match, without doing this, the 
>> wrong user or group may be used.
>> Windows has the concept of groups owning files & folders, on Unix a 
>> group cannot own anything, so, in idmap.ldb, you find groups marked 
>> as 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes 
>> just a group and cannot own anything, Domain Admins is such a group.
>> Rowland
> But why would the policy work on one computer and not another with
> the same login credentials?
Good question 😂

Run 'ls -laR /var/lib/samba/sysvol > perms.txt' on both DCs

Compare the outputs, do the owner & groups match ?

This could be a dns problem, so check resolving.
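Added example (not part of the thread, and not Samba's own tooling): a small POSIX shell script that normalises two `ls -laR` captures taken as above, one per DC, and lists the paths whose owner or group differ between them. The two listings embedded below are constructed sample data with made-up xidNumbers; in practice you would point `compare_ownership` at the two `perms.txt` files copied from the DCs.

```shell
#!/bin/sh
# Compare owner/group of every sysvol entry between two `ls -laR` captures.
# Assumes each capture was produced with:
#   ls -laR /var/lib/samba/sysvol > perms.txt
# and both files were copied to the machine running this script.
set -e
export LC_ALL=C   # keep sort and join collation consistent

# Turn an `ls -laR` capture into sorted "path owner group" lines.
# `ls -laR` prints a "dir:" header, a "total N" line, then one entry per
# line; we remember the current directory and skip "." and "..".
# Entry names containing spaces are truncated to their first word (sysvol
# policy paths are normally GUIDs, so this is acceptable for the check).
normalize_listing() {
  awk '
    /^[^ ]+:$/ { dir = substr($0, 1, length($0) - 1); next }
    /^total /  { next }
    NF >= 9 && $1 ~ /^[-dl]/ {
      if ($9 == "." || $9 == "..") next
      print dir "/" $9, $3, $4
    }
  ' "$1" | sort
}

# Print "path owner1:group1 owner2:group2" for entries whose owner or
# group differ. Entries present in only one capture are dropped by join;
# run `diff` on the normalised listings if you also need to spot those.
compare_ownership() {
  a=$(mktemp); b=$(mktemp)
  normalize_listing "$1" > "$a"
  normalize_listing "$2" > "$b"
  join "$a" "$b" | awk '$2 != $4 || $3 != $5 { print $1, $2 ":" $3, $4 ":" $5 }'
  rm -f "$a" "$b"
}

# Number of mismatching entries (0 means owners and groups agree).
mismatch_count() {
  compare_ownership "$1" "$2" | awk 'END { print NR }'
}

# --- Constructed sample captures (made-up xidNumbers, not real data) ---
DC1_LISTING=$(mktemp)
cat > "$DC1_LISTING" <<'EOF'
/var/lib/samba/sysvol:
total 0
drwxrwx---+ 3 root 3000000 4096 Jan 28 10:00 .
drwxr-xr-x  7 root root    4096 Jan 28 10:00 ..
drwxrwx---+ 4 root 3000000 4096 Jan 28 10:00 example.lan

/var/lib/samba/sysvol/example.lan:
total 0
drwxrwx---+ 4 root 3000000 4096 Jan 28 10:00 .
drwxrwx---+ 3 root 3000000 4096 Jan 28 10:00 ..
drwxrwx---+ 2 root 3000000 4096 Jan 28 10:00 Policies
drwxrwx---+ 2 root 3000000 4096 Jan 28 10:00 scripts
EOF

DC2_LISTING=$(mktemp)
cat > "$DC2_LISTING" <<'EOF'
/var/lib/samba/sysvol:
total 0
drwxrwx---+ 3 root 3000000 4096 Jan 28 10:05 .
drwxr-xr-x  7 root root    4096 Jan 28 10:05 ..
drwxrwx---+ 4 root 3000000 4096 Jan 28 10:05 example.lan

/var/lib/samba/sysvol/example.lan:
total 0
drwxrwx---+ 4 root 3000000 4096 Jan 28 10:05 .
drwxrwx---+ 3 root 3000000 4096 Jan 28 10:05 ..
drwxrwx---+ 2 root 3000001 4096 Jan 28 10:05 Policies
drwxrwx---+ 2 3000002 3000000 4096 Jan 28 10:05 scripts
EOF

echo "Entries whose owner/group differ between DC1 and DC2:"
compare_ownership "$DC1_LISTING" "$DC2_LISTING"
echo "mismatches: $(mismatch_count "$DC1_LISTING" "$DC2_LISTING")"
```

A non-zero mismatch count on real captures is exactly the symptom Rowland describes: xidNumbers handed out in a different order on each DC, so the same SID maps to a different Unix id and the ACLs no longer line up. The fix is to resync idmap.ldb from the first DC and re-run `samba-tool ntacl sysvolreset` on the second, then compare again.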
