[Samba] GPO Editor says "Access denied" for Group Policy Objects

Jakob Curdes jc at info-systems.de
Thu Apr 25 16:19:20 UTC 2024


Hi Rowland, all,

Am 25.04.2024 um 17:24 schrieb Rowland Penny via samba:
> On Thu, 25 Apr 2024 16:55:55 +0200
> Jakob Curdes via samba<samba at lists.samba.org>  wrote:
>
>> .. we setup 2 new DCs replacing older DCs and joined them to the
>> domain, then decommissioned the old DCs. I now discover that I cannot
>> edit the GPO objects anymore.
>> "sysvolcheck" shows no errors. I read through some documentation but
>> it sounds outdated to me. Any hints where I would start looking? Who
>> should normally be the owner of the sysvol directory itself?
>>
>> What I find strange is that on a domain member, getent group shows me
>> all Domain groups, while on the DC these are not shown.
>> But that might be totally unrelated.
>>
>> Any hints?
>>
> Without more info, Anything would be guess work, but a guess in the
> dark would be to ask if you are using rfc2307 attributes and if so,
> does Domain Admins have a gidNumber attribute ?
>
> Rowland

Yes, we are using rfc2307 attributes, and I do not see a gidNumber 
attribute in the properties of the "Domain Admins" group.
To be honest, I never understood this gid / rfc2307 problem completely, 
although there are descriptions out there.

The group ID of the sysvol entry is "3000000", while on the domain 
member, the Domain Admin group has the group ID "300512".

The relevant portion of the DC config is:

[global]
    netbios name = XXX
    realm = XXXX.yyyy.ZZ
    server role = active directory domain controller
    dns forwarder = X,Y
    workgroup = ZZ
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = Yes
    server schannel = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

So what do I need to change?

Regards, Jakob
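The following script is an added example for this thread, not something Jakob or Rowland posted. It turns Rowland's hint into a repeatable check: it reads a group's LDIF record (on a DC that would come from `ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=Domain Admins)' gidNumber`), reports whether a gidNumber is present, classifies a numeric GID as an rfc2307 value or as an xid the DC allocated itself, and compares the gidNumber with the numeric group owning sysvol (as `stat -c %g /var/lib/samba/sysvol` would print). The LDIF records are constructed samples, the domain name is a placeholder, and the 3000000-3999999 window is assumed to be the DC's default idmap.ldb allocation range, which is where the "3000000" on sysvol in this thread would come from.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks the two things
# Rowland's hint points at: does the group carry a gidNumber, and does the
# numeric group on sysvol match it. On a real DC the LDIF would come from:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=Domain Admins)' gidNumber
# and the sysvol group from:
#   stat -c %g /var/lib/samba/sysvol

# group_gidnumber: read one LDIF record on stdin and print its gidNumber.
# Returns 1 and prints nothing when the attribute is absent.
group_gidnumber() {
    gid=$(awk 'tolower($1) == "gidnumber:" { print $2; exit }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$gid"
}

# classify_gid: say whether a numeric GID looks like an rfc2307 value or an
# xid the DC allocated from idmap.ldb. Assumption: the DC's default
# idmap.ldb range is 3000000-3999999.
classify_gid() {
    if [ "$1" -ge 3000000 ] && [ "$1" -lt 4000000 ]; then
        echo "idmap.ldb-allocated"
    else
        echo "rfc2307"
    fi
}

# sysvol_matches: compare the gidNumber in the LDIF record on stdin with the
# numeric group owning sysvol (first argument). Returns 0 when they agree,
# 1 when the group has no gidNumber or the numbers differ.
sysvol_matches() {
    gid=$(group_gidnumber) || return 1
    [ "$gid" = "$1" ]
}

# Constructed sample: a Domain Admins record without gidNumber, which is
# what the poster reports seeing. The domain name is a placeholder.
LDIF_NO_GID='dn: CN=Domain Admins,CN=Users,DC=example,DC=test
cn: Domain Admins
'

# Constructed sample: the same group with a gidNumber assigned (value
# chosen for the example only).
LDIF_WITH_GID='dn: CN=Domain Admins,CN=Users,DC=example,DC=test
cn: Domain Admins
gidNumber: 10512
'

# Demonstration against the constructed records, using the sysvol group
# number 3000000 reported in the thread.
if printf '%s' "$LDIF_NO_GID" | group_gidnumber >/dev/null; then
    echo "Domain Admins has a gidNumber"
else
    echo "Domain Admins has NO gidNumber: the DC maps it to an idmap.ldb xid"
fi
echo "sysvol group 3000000 looks $(classify_gid 3000000)"
if printf '%s' "$LDIF_WITH_GID" | sysvol_matches 10512; then
    echo "with gidNumber 10512 and sysvol group 10512 the mapping agrees"
fi
```

Run it as-is to see the checks against the constructed records; to apply it to a DC, pipe the real `ldbsearch` output into `sysvol_matches` with the real `stat -c %g` value as its argument. A group that has no gidNumber while sysvol is owned by a GID in the 3000000 window is exactly the mismatch Rowland's question is probing for.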