[Samba] samba-tool gpo admxload loads into the wrong server

Rowland Penny rpenny at samba.org
Wed Dec 6 13:54:47 UTC 2023


On Wed, 6 Dec 2023 06:40:09 -0700
David Mulder via samba <samba at lists.samba.org> wrote:

> 
> On 12/5/23 8:45 PM, bd730c5053df9efb via samba wrote:
> > Hi!
> >
> > I had a samba 4.10.8 (DC1) AD DC which was holding all the FSMO
> > roles and a samba 4.18.9 (DC2) AD DC with one way sysvol
> > replication using rsync from DC1 to DC2. Since I'm trying to get
> > the admx files for group policy editor into the DC I successfully
> > transferred the FSMO roles from DC1 to DC2 with "samba-tool fsmo
> > transfer role=all -U SAMDOM\\Administrator" which I can confirm
> > with "samba-tool fsmo show" and I reversed the one way
> > synchronization with rsync from DC2 to DC1.
> >
> > Now when I try to load admx files into DC2 with the command
> > "samba-tool gpo admxload -H dc2.samdom.example.com -U
> > SAMDOM\\Administrator" I couldn't find the PolicyDefinitions in
> > DC2's sysvol path but I was able to see it briefly in DC1's sysvol
> > path, I assume it disappears on the next run of rsync. Does anybody
> > know why the admx templates would be uploaded to DC1 instead of DC2
> > even when I specify the -H parameter with DC2's hostname and what
> > could I do differently to get the templates into the correct DC's
> > sysvol share?
> 
> I just skimmed the code, and I think specifying `samba-tool gpo
> admxload -H ldap://dc2.samdom.example.com -U SAMDOM\\Administrator`
> may fix this (note that I added `ldap://` to the front of your target
> server). If you explicitly specify that this is an ldap server, the
> code chooses that url, otherwise it sends a request to that server to
> find a writable directory server (which doesn't make a lot of sense
> here, since we're just writing to the sysvol share).
> 

I seem to remember we have been here before. Unless you specify which
DC to use with 'ldap://' at the start, the code will use any DC it can
find and that DC might not be the one you want. Of course once sysvol
is replicated it shouldn't matter, but if you think the code is going
to one DC and it ends up on another, this can be confusing.

Rowland


