[Samba] Apply GPO in Windows from which DC?

Rowland Penny rpenny at samba.org
Thu Feb 10 16:53:47 UTC 2022

On Thu, 2022-02-10 at 17:30 +0100, Matthias Leopold via samba wrote:
> My GPO client is connecting to the full domain name for some reason, 

That is what it is supposed to do.

> this resolves to both DCs.

It should and if you add any further DCs, it would resolve to them as

> I'm not testing access to sysvol on every DC, but I'm watching smbd
> logfiles on both DCs and see when the computer connects for the GPO
> update.
> The "permission denied" errors are a different story again. The
> numbers I see in the log line for the connecting computer are
> completely strange. They are from the 3000000 range

As is expected, Samba DCs use 'xidNumber' attributes (to be found in
idmap.ldb, not AD). These start from '3000000' and they can be
'ID_TYPE_BOTH', which means that they are both a user and a group.
There is one problem though: they are allocated on an 'as connected'
basis, which means that they can (and probably will) be different on
each DC. To fix this, you need to sync idmap from the DC with the
PDC_Emulator FSMO role to all other DCs.

> and when I resolve them with wbinfo, they would be user groups(?) or
> can't be resolved at all. This is the same strange behaviour on both
> DCs, although on one DC access is OK, on the other it isn't. File
> system permissions on sysvol folder are OK (when using getfacl) and
> comparing it to recommendations from
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh,
> also when reading them from Windows.

This is probably an 'idmap.ldb' problem.
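An added example, not part of the thread and not Samba project code, showing how to confirm the per-DC xidNumber drift Rowland describes and the sync he recommends. The two idmap dumps below are constructed sample data in the shape `ldbsearch -H idmap.ldb objectSid xidNumber type` prints (the SIDs and numbers are made up); the DC hostnames, the `/var/lib/samba/private` path and the `samba-ad-dc` unit name in the sync function are assumptions that depend on the distribution, and that function needs root on both hosts, so it is defined here but not run.

```shell
#!/bin/sh
# Constructed sample: idmap.ldb contents on the PDC emulator ...
PDC_IDMAP='dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
xidNumber: 3000000
type: ID_TYPE_BOTH

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
xidNumber: 3000001
type: ID_TYPE_BOTH

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
xidNumber: 3000002
type: ID_TYPE_BOTH
'
# ... and on a second DC, where the same SIDs were seen in a different
# order ("as connected"), so 1104/1105 got swapped ids and 1106 only exists here.
DC2_IDMAP='dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
xidNumber: 3000000
type: ID_TYPE_BOTH

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
xidNumber: 3000001
type: ID_TYPE_BOTH

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
xidNumber: 3000002
type: ID_TYPE_BOTH

dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
xidNumber: 3000003
type: ID_TYPE_BOTH
'

# Reduce an LDIF dump (text on stdin via $1) to "SID xidNumber" lines, one per record.
idmap_table() {
  printf '%s\n' "$1" | awk '
    /^objectSid:/ { sid = $2 }
    /^xidNumber:/ { xid = $2 }
    /^$/ { if (sid != "") print sid, (xid == "" ? "-" : xid); sid = ""; xid = "" }
    END  { if (sid != "") print sid, (xid == "" ? "-" : xid) }'
}

# Print every SID whose xidNumber differs between two dumps: "SID xid_on_A xid_on_B",
# with "-" where a SID is missing on one side. Empty output means the maps agree.
idmap_diff() {
  {
    idmap_table "$1" | sed 's/^/A /'
    idmap_table "$2" | sed 's/^/B /'
  } | awk '
    $1 == "A" { a[$2] = $3; seen[$2] = 1 }
    $1 == "B" { b[$2] = $3; seen[$2] = 1 }
    END {
      for (s in seen) {
        xa = (s in a) ? a[s] : "-"
        xb = (s in b) ? b[s] : "-"
        if (xa != xb) print s, xa, xb
      }
    }' | LC_ALL=C sort
}

# On a real DC the dump for idmap_table would come from (path is distribution dependent):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=*)' objectSid xidNumber type
# and the PDC emulator can be identified with:  samba-tool fsmo show

# Sync procedure as on the Samba wiki: snapshot idmap.ldb on the PDC emulator,
# install it on the other DC while Samba is stopped, then flush the cache and
# re-apply the sysvol ACLs so they use the new ids. Hostnames, the private
# directory and the systemd unit name are assumptions; run only in a maintenance window.
sync_idmap_from_pdc() {
  pdc="$1"; target="$2"; private="${3:-/var/lib/samba/private}"
  ssh "root@$pdc" "tdbbackup -s .bak '$private/idmap.ldb'"          # consistent copy of a live ldb
  ssh "root@$target" "systemctl stop samba-ad-dc"
  ssh "root@$pdc" "cat '$private/idmap.ldb.bak'" | ssh "root@$target" "cat > '$private/idmap.ldb'"
  ssh "root@$target" "net cache flush && samba-tool ntacl sysvolreset && systemctl start samba-ad-dc"
}

# Demonstration on the constructed dumps: lists 1104, 1105 (swapped) and 1106 (missing on the PDC).
idmap_diff "$PDC_IDMAP" "$DC2_IDMAP"
```

Any line in the diff output is a SID that resolves to a different uid/gid on the two DCs, which is exactly the situation in which sysvol ACLs look correct on one DC and give "permission denied" on the other; after `sync_idmap_from_pdc` the diff should be empty. Snapshot the target's own idmap.ldb first, since replacing it renumbers every local mapping it had allocated.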

