[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
Marco Shmerykowsky
marco at sce-engineers.com
Thu Jan 28 22:11:45 UTC 2021
On 2021-01-28 4:21 pm, Rowland penny via samba wrote:
> On 28/01/2021 21:13, Marco Shmerykowsky via samba wrote:
>>
>> On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
>>> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>>>>
>>>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>>>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>>>>
>>>>>>
>>>>>> Just to add to this:
>>>>>>
>>>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
>>>>>> following:
>>>>>
>>>>> I know you are syncing sysvol between the two DC's, but are you
>>>>> also syncing idmap.ldb from the first DC to the second ?
>>>>>
>>>>> If you aren't, then you will probably have different xidNumbers on
>>>>> each DC.
>>>>>
>>>>> Rowland
>>>>
>>>> I did the sync once when I setup the server. The docs on the
>>>> wiki seem to imply this is a one time step and not something
>>>> that needs to be done continuously.
>>>>
>>>> I did find a configuration error on the new DC that may
>>>> have affected the way DNS was working, however after
>>>> correcting that the user is still reporting that after
>>>> logon, the GPOs are not being applied.
>>>>
>>>> I cannot replicate the problem on my end.
>>>>
>>>> The results of the drive map according to gpresult
>>>> from the user's computer produce (Error Code: 0x80070035).
>>>>
>>> I believe that error code means that the directory cannot be found,
>>> though it could be a permissions problem. It could be something as
>>> simple as giving Domain Admins a gidNumber attribute.
>>>
>>> idmap.ldb works by giving domain users & groups an xidNumber
>>> attribute (not to be confused with uidNumber & gidNumber attributes);
>>> these are allocated on a first-come basis, so you may have to sync
>>> idmap.ldb a few times to ensure they match. Without doing this, the
>>> wrong user or group may be used.
>>>
>>> Windows has the concept of groups owning files & folders; on Unix a
>>> group cannot own anything, so, in idmap.ldb, you find groups marked
>>> as 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes
>>> just a group and cannot own anything; Domain Admins is such a group.
>>>
>>> Rowland
>>
>> But why would the policy work on one computer and not another with
>> the same login credentials?
>>
> Good question 😂
>
> Run 'ls -laR /var/lib/samba/sysvol > perms.txt' on both DC's
>
> Compare the outputs, do the owner & groups match ?
>
> This could be a dns problem, so check resolving.
>
> Rowland
Everything looks somewhat the same except for user and group.
On the first DC I have entries such as 'BUILTIN\administrators';
on the secondary DC I have numbers such as '3000002'.
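Added example (not from the thread or from Samba itself): rather than eyeballing two 'ls -laR' dumps, collect a tab-separated owner/group/path listing on each DC and diff them. The script below assumes GNU find's -printf (%u/%g print the resolved name, or the bare numeric id when nss/winbind cannot map it) and uses constructed sample listings that mirror what was reported above: the first DC resolves the group to BUILTIN\administrators, the second shows the raw xid 3000002. Tab separation matters because names such as 'EXAMPLE\domain admins' contain spaces and break whitespace-split parsing of ls output.

```sh
#!/bin/sh
# Added example, not from the thread: compare sysvol ownership between two DCs.
#
# Assumed collection step, run on each DC (GNU find):
#   find /var/lib/samba/sysvol -printf '%u\t%g\t%p\n' \
#       | sort -t "$(printf '\t')" -k3 > perms-$(hostname).txt
# Copy both files to one host and run: compare_sysvol_owners perms-dc1.txt perms-dc2.txt

# compare_sysvol_owners DC1_FILE DC2_FILE
# Prints one line per finding:
#   MISMATCH       path  dc1=owner:group  dc2=owner:group
#   UNRESOLVED-ID  path  (owner or group is a bare number on either DC,
#                         i.e. that DC has no mapping for the xid)
#   ONLY-ON-DC1 / ONLY-ON-DC2  path  (sysvol sync is incomplete)
compare_sysvol_owners() {
    awk -F '\t' '
        function unresolved(x) { return x ~ /^[0-9]+$/ }
        # first file: remember owner and group per path
        NR == FNR { owner[$3] = $1; group[$3] = $2; seen[$3] = 1; next }
        # second file: compare against the first
        {
            if (!($3 in seen)) { printf "ONLY-ON-DC2\t%s\n", $3; next }
            if (owner[$3] != $1 || group[$3] != $2)
                printf "MISMATCH\t%s\tdc1=%s:%s\tdc2=%s:%s\n", $3, owner[$3], group[$3], $1, $2
            if (unresolved(owner[$3]) || unresolved(group[$3]) || unresolved($1) || unresolved($2))
                printf "UNRESOLVED-ID\t%s\n", $3
            delete seen[$3]
        }
        END { for (p in seen) printf "ONLY-ON-DC1\t%s\n", p }
    ' "$1" "$2"
}

# Constructed sample listings (owner, group, path; tab-separated).
sample_dc1() {
    printf 'root\tBUILTIN\\administrators\t/var/lib/samba/sysvol\n'
    printf 'root\tBUILTIN\\administrators\t/var/lib/samba/sysvol/example.com\n'
    printf 'root\tBUILTIN\\administrators\t/var/lib/samba/sysvol/example.com/Policies\n'
    printf 'root\tEXAMPLE\\domain admins\t/var/lib/samba/sysvol/example.com/scripts\n'
}
sample_dc2() {
    printf 'root\t3000002\t/var/lib/samba/sysvol\n'
    printf 'root\t3000002\t/var/lib/samba/sysvol/example.com\n'
    printf 'root\t3000002\t/var/lib/samba/sysvol/example.com/Policies\n'
    printf 'root\tEXAMPLE\\domain admins\t/var/lib/samba/sysvol/example.com/scripts\n'
}

# Runs the comparison on the constructed samples and prints the findings.
demo_compare() {
    d=$(mktemp -d)
    sample_dc1 > "$d/dc1.txt"
    sample_dc2 > "$d/dc2.txt"
    compare_sysvol_owners "$d/dc1.txt" "$d/dc2.txt"
    rm -rf "$d"
}

demo_compare
```

On the sample data every path owned by BUILTIN\administrators on the first DC comes back as both MISMATCH and UNRESOLVED-ID, while the scripts directory, where both DCs resolve the same name, is silent. An UNRESOLVED-ID hit on the second DC is the signature of a missing or different xidNumber allocation in that DC's idmap.ldb; an ONLY-ON line points at the sysvol copy instead.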