[Samba] Apply GPO in Windows from which DC?

Matthias Leopold matthias.leopold at meduniwien.ac.at
Fri Feb 11 09:53:35 UTC 2022

Am 11.02.22 um 10:39 schrieb L. van Belle via samba:
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Rowland Penny via samba
>> Verzonden: donderdag 10 februari 2022 17:54
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Apply GPO in Windows from which DC?
>> On Thu, 2022-02-10 at 17:30 +0100, Matthias Leopold via samba wrote:
>>> My GPO client is connecting to the full domain name for
>> some reason,
>> That is what it is supposed to do.
>>> this resolves to both DCs.
>> It should and if you add any further DC's, it would resolve to them as
>> well.
> There where few samba releases that didnt add the extra DC's in NS,
> This "can" be a problem..
> A simple check can be : dig NS $(hostname -d)
> Are all the AD-DCs in that output? If not, fix it.
>>> I'm not testing access to sysvol on every DC, but I'm watching smbd
>>> logfiles on both DCs and see when the computer connects for the GPO
>>> update.
>>> The "permission denied" errors are a different story again. The
>>> numbers I see in the log line for the connecting computer are
>>> completely
>>> strange. They are from the 3000000 range
>> As is expected, Samba DC's use 'xidNumber' attributes (to be found in
>> idmap.ldb, not AD) and these start from '3000000', they can be
>> 'ID_TYPE_BOTH', this means that they are both a user and a group.
>> There is one problem though, they are allocated on an 'as connected'
>> basis, this means that they can (and probably will be) different on
>> each DC. To fix this, you need to sync idmap from the DC with the
>> PDC_Emulator FSMO role to all other DC's
>>>   and when I resolve them with
>>> wbinfo, they would be user groups(?) or can't be resolved at all.
>>> This
>>> is the same strange behaviour on both DCs, although on one DC access
>>> is
>>> OK, on the other it isn't. File system permissions on sysvol folder
>>> are
>>> OK (when using getfacl) and comparing it to recommendations from
>> https://github.com/thctlo/samba4/blob/master/samba-check-set-s
>> ysvol.sh,
>>> also when reading them from Windows.
>> This is probably an 'idmap.ldb' problem.
> Yes, looks very much a missed copy of idmap.ldb..
> @Matthias, dont forget to stop samba before you copy it.
> Greetz,
> Louis

Thanks a lot to everybody. That was indeed the problem, I seem to have 
missed this step when setting up the 2nd DC (although I did it with the 
DEV domain...). Luckily I stopped samba on the 2nd DC when copying, 
although this is not 100% clear from the docs.


More information about the samba mailing list