[Samba] Apply GPO in Windows from which DC?
L. van Belle
belle at samba.org
Fri Feb 11 09:39:04 UTC 2022
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Rowland Penny via samba
> Verzonden: donderdag 10 februari 2022 17:54
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Apply GPO in Windows from which DC?
> On Thu, 2022-02-10 at 17:30 +0100, Matthias Leopold via samba wrote:
> > My GPO client is connecting to the full domain name for
> some reason,
> That is what it is supposed to do.
> > this resolves to both DCs.
> It should and if you add any further DC's, it would resolve to them as
There where few samba releases that didnt add the extra DC's in NS,
This "can" be a problem..
A simple check can be : dig NS $(hostname -d)
Are all the AD-DCs in that output? If not, fix it.
> > I'm not testing access to sysvol on every DC, but I'm watching smbd
> > logfiles on both DCs and see when the computer connects for the GPO
> > update.
> > The "permission denied" errors are a different story again. The
> > UID/GID
> > numbers I see in the log line for the connecting computer are
> > completely
> > strange. They are from the 3000000 range
> As is expected, Samba DC's use 'xidNumber' attributes (to be found in
> idmap.ldb, not AD) and these start from '3000000', they can be
> 'ID_TYPE_BOTH', this means that they are both a user and a group.
> There is one problem though, they are allocated on an 'as connected'
> basis, this means that they can (and probably will be) different on
> each DC. To fix this, you need to sync idmap from the DC with the
> PDC_Emulator FSMO role to all other DC's
> > and when I resolve them with
> > wbinfo, they would be user groups(?) or can't be resolved at all.
> > This
> > is the same strange behaviour on both DCs, although on one DC access
> > is
> > OK, on the other it isn't. File system permissions on sysvol folder
> > are
> > OK (when using getfacl) and comparing it to recommendations from
> > also when reading them from Windows.
> This is probably an 'idmap.ldb' problem.
Yes, looks very much a missed copy of idmap.ldb..
@Matthias, dont forget to stop samba before you copy it.
More information about the samba