[Samba] Apply GPO in Windows from which DC?

L. van Belle belle at samba.org
Fri Feb 11 09:39:04 UTC 2022


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Thursday 10 February 2022 17:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] Apply GPO in Windows from which DC?
> On Thu, 2022-02-10 at 17:30 +0100, Matthias Leopold via samba wrote:
> > My GPO client is connecting to the full domain name for some reason,
> That is what it is supposed to do.
> > this resolves to both DCs.
> It should and if you add any further DCs, it would resolve to them as
> well.

There were a few Samba releases that didn't add the extra DCs in NS.
This "can" be a problem..

A simple check can be: dig NS $(hostname -d)
Are all the AD-DCs in that output? If not, fix it.

> > I'm not testing access to sysvol on every DC, but I'm watching smbd
> > logfiles on both DCs and see when the computer connects for the GPO
> > update.
> > The "permission denied" errors are a different story again. The
> > UID/GID numbers I see in the log line for the connecting computer are
> > completely strange. They are from the 3000000 range
> As is expected, Samba DCs use 'xidNumber' attributes (to be found in
> idmap.ldb, not AD) and these start from '3000000'. They can be
> 'ID_TYPE_BOTH', which means that they are both a user and a group.
> There is one problem though: they are allocated on an 'as connected'
> basis, which means that they can (and probably will) be different on
> each DC. To fix this, you need to sync idmap from the DC with the
> PDC_Emulator FSMO role to all other DCs.
> > and when I resolve them with
> > wbinfo, they would be user groups(?) or can't be resolved at all.
> > This is the same strange behaviour on both DCs, although on one DC
> > access is OK, on the other it isn't. File system permissions on the
> > sysvol folder are OK (when using getfacl) and comparing it to the
> > recommendations from
> > https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh,
> > also when reading them from Windows.
> This is probably an 'idmap.ldb' problem.

Yes, looks very much like a missed copy of idmap.ldb..
@Matthias, don't forget to stop Samba before you copy it.
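The divergence Rowland describes (xidNumbers handed out per DC in "as connected" order, so the same SID maps to different UID/GIDs on each DC until idmap.ldb is synced from the PDC emulator) can be checked before and after the copy. The following is an added example, not code from this thread or from Samba: it parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints on each DC (the path is assumed to be the usual default) and reports SIDs whose xidNumber differs or that exist on only one DC; the two sample dumps are constructed.

```python
# Added example (not code from this thread or from Samba): compare the
# SID -> xidNumber mappings that two DCs hold in their local idmap.ldb.
# Assumed input: the LDIF printed by `ldbsearch -H /var/lib/samba/private/idmap.ldb`
# (usual default path; adjust for your install): blank-line separated records,
# each with cn (the SID string), type and xidNumber.
import sys
from pathlib import Path

def parse_idmap(ldif):
    """Return {SID: (xidNumber, type)} from an idmap.ldb LDIF dump."""
    mappings, entry = {}, {}
    for raw in ldif.splitlines() + [""]:          # trailing "" flushes the last record
        line = raw.strip()
        if not line:                               # a blank line ends a record
            if "cn" in entry and "xidNumber" in entry:
                mappings[entry["cn"]] = (int(entry["xidNumber"]), entry.get("type", "?"))
            entry = {}
            continue
        if line.startswith("#") or ":" not in line:   # skip "# record N" and "# returned N" lines
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    return mappings

def compare_idmaps(dc_a, dc_b):
    """SIDs whose xidNumber differs between the DCs, plus SIDs known to only one DC.
    Anything non-empty here means sysvol ownership will not agree across the DCs."""
    shared = dc_a.keys() & dc_b.keys()
    return {
        "mismatched": {sid: (dc_a[sid][0], dc_b[sid][0]) for sid in sorted(shared)
                       if dc_a[sid][0] != dc_b[sid][0]},
        "only_a": sorted(dc_a.keys() - dc_b.keys()),
        "only_b": sorted(dc_b.keys() - dc_a.keys()),
    }

def _rec(sid, xid):        # one constructed idmap.ldb record in ldbsearch's layout
    return f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\ntype: ID_TYPE_BOTH\nxidNumber: {xid}\n"

# Constructed sample dumps (domain SID invented). Computer account -1104 got a
# different xidNumber on each DC because the DCs allocate in "as connected"
# order, and -1105 has only ever connected to DC2.
DOMAIN = "S-1-5-21-1111-2222-3333"
DC1_DUMP = "# record 1\n" + _rec(f"{DOMAIN}-512", 3000000) + "\n" + _rec(f"{DOMAIN}-1104", 3000001)
DC2_DUMP = (_rec(f"{DOMAIN}-512", 3000000) + "\n" + _rec(f"{DOMAIN}-1104", 3000002)
            + "\n" + _rec(f"{DOMAIN}-1105", 3000001))

if __name__ == "__main__":           # usage: python idmap_diff.py dc1.ldif dc2.ldif
    a, b = (Path(p).read_text() for p in sys.argv[1:3]) if len(sys.argv) == 3 else (DC1_DUMP, DC2_DUMP)
    print(compare_idmaps(parse_idmap(a), parse_idmap(b)))
```

Run it against dumps taken from the PDC emulator and from each other DC; after the idmap.ldb copy (with Samba stopped, as said above) the report should be empty on every pair.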
