[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)

L.P.H. van Belle belle at bazuin.nl
Fri Jan 29 07:58:28 UTC 2021 

Run this one on the DC with FSMO roles. 

https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh 

By default it does not apply the rights yet! 

So i would do the following in this case. 

1) run the script on both servers and compair it.  (dc1)
2) samba-tool sysvol reset on dc with FSMO. (dc1) 
3) rerun the script and apply the right.  (dc1)
4) stop samba on the first DC, get the IDMAP.LDB and copy it to DC2 
5) start samba DC1. 
6) stop samba on DC2, now copy idmap.ldb to the correct location. 
7) start samba on DC2 
8) sync sysvol DC1 to DC2 
9) run : dig ns $(hostname -d)
   And verify if BOTH the DC's there NS records are there. 

Reboot DC1, wait for it to be up again. 
Reboot DC2, wait for it to be up again.

Run the script again ( on both server ) and verify it. 

last, now goto GPO Editor, and klik a few policies. 
if one needs correction, it will complain about incorrect rights, klik on the message. And its done. 

Still not working. 
run getfacl on both servers and compair that. 

Still not working.. 
run this one on both servers and post the output so we can compair both servers. 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 



Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Marco
> Shmerykowsky via samba
> Verzonden: donderdag 28 januari 2021 23:12
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] GPO Issue after adding second DC -> winning gpo
> Result: Failure (Error Code: 0x80070035)
> 
> 
> On 2021-01-28 4:21 pm, Rowland penny via samba wrote:
> > On 28/01/2021 21:13, Marco Shmerykowsky via samba wrote:
> >>
> >> On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
> >>> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
> >>>>
> >>>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
> >>>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
> >>>>>>
> >>>>>>
> >>>>>> Just to add to this:
> >>>>>>
> >>>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
> >>>>>> following:
> >>>>>
> >>>>> I know you are syncing sysvol between the two DC's, but are you
> >>>>> also syncing idmap.ldb from the first DC to the second ?
> >>>>>
> >>>>> If you aren't, then you will probably have different xidNumbers on
> >>>>> each DC.
> >>>>>
> >>>>> Rowland
> >>>>
> >>>> I did the sync once when I setup the server.  The docs on the
> >>>> wiki seem to imply this is a one time step and not something
> >>>> that needs to be done continuously.
> >>>>
> >>>> I did find a configuration error on the new DC that may
> >>>> have effected the was DNS was working, however after
> >>>> correcting that the user still is reporting that after
> >>>> logon, the GPO's are not being applied.
> >>>>
> >>>> I can not replicate the problem on my end.
> >>>>
> >>>> The results of the drive map according to gpresult
> >>>> from the user's computer produce (Error Code: 0x80070035).
> >>>>
> >>> I believe that error code means  that the directory cannot be found,
> >>> though it could be a permissions problem. It could be something as
> >>> simple as giving Domain Admins a gidNumber attribute.
> >>>
> >>> idmap.ldb works by giving domain users & groups an xidNumber
> >>> attribute (not to be confused with uidNumber & gidNumber attributes),
> >>> these are allocated on a first come basis, so you may have to sync
> >>> idmap.ldb a few times to ensure they match, without doing this, the
> >>> wrong user or group may be used.
> >>>
> >>> Windows has the concept of groups owning files & folders, on Unix a
> >>> group cannot own anything, so, in idmap.ldb, you find groups marked
> >>> as 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes
> >>> just a group and cannot own anything, Domain Admins is such a group.
> >>>
> >>> Rowland
> >>
> >> But why would the policy work on one computer and not another with
> >> the same login credentials?
> >>
> > Good question ????
> >
> > Run 'ls -laR /var/lib/samba/sysvol > perms.txt' on both DC's
> >
> > Compare the outputs, do the owner & groups match ?
> >
> > This could be a dns problem, so check resolving.
> >
> > Rowland
> 
> Everything looks somewhat the same except for user and group.
> 
> On the First DC I have entries such as 'BUILTIN\administrators'
> on the secondary DC I have numbers such as '3000002'
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list