[Samba] samba-tool gpo admxload loads into the wrong server

bd730c5053df9efb bd730c5053df9efb at proton.me
Wed Dec 6 15:06:25 UTC 2023


Hi!

Thank you both for your answers! I ran into some problems with the FSMO migration caused by the "kdc default domain supported enctypes" and "kdc supported enctypes", so after correcting that and verifying that DC2 was working again, I shut down DC1 just to make sure that the domain was working correctly again. During this downtime I tried installing the admx templates again, and as DC1 was off they correctly installed in DC2. Now DC1 is up and running again and both DCs have the policies installed correctly. I'm trying to get a user created for me to be able to edit the page https://wiki.samba.org/index.php/Group_Policy according to this information.

Thanks again to both!
Best regards,
Dave.




On Wednesday, December 6th, 2023 at 10:54, Rowland Penny via samba <samba at lists.samba.org> wrote:


> On Wed, 6 Dec 2023 06:40:09 -0700
> David Mulder via samba samba at lists.samba.org wrote:
> 
> > On 12/5/23 8:45 PM, bd730c5053df9efb via samba wrote:
> > 
> > > Hi!
> > > 
> > > I had a samba 4.10.8 (DC1) AD DC which was holding all the FSMO
> > > roles and a samba 4.18.9 (DC2) AD DC with one way sysvol
> > > replication using rsync from DC1 to DC2. Since I'm trying to get
> > > the admx files for group policy editor into the DC I successfully
> > > transferred the FSMO roles from DC1 to DC2 with "samba-tool fsmo
> > > transfer role=all -U SAMDOM\\Administrator" which I can confirm
> > > with "samba-tool fsmo show" and I reversed the one way
> > > synchronization with rsync from DC2 to DC1.
> > > 
> > > Now when I try to load admx files into DC2 with the command
> > > "samba-tool gpo admxload -H dc2.samdom.example.com -U
> > > SAMDOM\\Administrator" I couldn't find the PolicyDefinitions in
> > > DC2's sysvol path but I was able to see it briefly in DC1's sysvol
> > > path, I assume it disappears on the next run of rsync. Does anybody
> > > know why the admx templates would be uploaded to DC1 instead of DC2
> > > even when I specify the -H parameter with DC2's hostname and what
> > > could I do differently to get the templates into the correct DC's
> > > sysvol share.
> > 
> > I just skimmed the code, and I think specifying
> > `samba-tool gpo admxload -H ldap://dc2.samdom.example.com -U SAMDOM\\Administrator`
> > may fix this (note that I added `ldap://` to the front of your target
> > server). If you explicitly specify that this is an ldap server, the
> > code chooses that url, otherwise it sends a request to that server to
> > find a writable directory server (which doesn't make a lot of sense
> > here, since we're just writing to the sysvol share).
> 
> 
> I seem to remember we have been here before. Unless you specify which
> DC to use with 'ldap://' at the start, the code will use any DC it can
> find and that DC might not be the one you want. Of course once sysvol
> is replicated it shouldn't matter, but if you think the code is going
> to one DC and it ends up on another, this can be confusing.
> 
> Rowland
> 


