[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)

Marco Shmerykowsky marco at sce-engineers.com
Thu Jan 28 22:11:45 UTC 2021


On 2021-01-28 4:21 pm, Rowland penny via samba wrote:
> On 28/01/2021 21:13, Marco Shmerykowsky via samba wrote:
>> 
>> On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
>>> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>>>> 
>>>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>>>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>>>> 
>>>>>> 
>>>>>> Just to add to this:
>>>>>> 
>>>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the 
>>>>>> following:
>>>>> 
>>>>> I know you are syncing sysvol between the two DC's, but are you 
>>>>> also syncing idmap.ldb from the first DC to the second ?
>>>>> 
>>>>> If you aren't, then you will probably have different xidNumbers on 
>>>>> each DC.
>>>>> 
>>>>> Rowland
>>>> 
>>>> I did the sync once when I setup the server.  The docs on the
>>>> wiki seem to imply this is a one time step and not something
>>>> that needs to be done continuously.
>>>> 
>>>> I did find a configuration error on the new DC that may
>>>> have effected the was DNS was working, however after
>>>> correcting that the user still is reporting that after
>>>> logon, the GPO's are not being applied.
>>>> 
>>>> I can not replicate the problem on my end.
>>>> 
>>>> The results of the drive map according to gpresult
>>>> from the user's computer produce (Error Code: 0x80070035).
>>>> 
>>> I believe that error code means  that the directory cannot be found, 
>>> though it could be a permissions problem. It could be something as 
>>> simple as giving Domain Admins a gidNumber attribute.
>>> 
>>> idmap.ldb works by giving domain users & groups an xidNumber 
>>> attribute (not to be confused with uidNumber & gidNumber attributes), 
>>> these are allocated on a first come basis, so you may have to sync 
>>> idmap.ldb a few times to ensure they match, without doing this, the 
>>> wrong user or group may be used.
>>> 
>>> Windows has the concept of groups owning files & folders, on Unix a 
>>> group cannot own anything, so, in idmap.ldb, you find groups marked 
>>> as 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes 
>>> just a group and cannot own anything, Domain Admins is such a group.
>>> 
>>> Rowland
>> 
>> But why would the policy work on one computer and not another with
>> the same login credentials?
>> 
> Good question 😂
> 
> Run 'ls -laR /var/lib/samba/sysvol > perms.txt' on both DC's
> 
> Compare the outputs, do the owner & groups match ?
> 
> This could be a dns problem, so check resolving.
> 
> Rowland

Everything looks somewhat the same except for user and group.

On the First DC I have entries such as 'BUILTIN\administrators'
on the secondary DC I have numbers such as '3000002'



More information about the samba mailing list