Hi!

I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.

Everything is OK, except the GPO on DC3, which has a permission error and doesn't load in Windows (gpresult /force).

My smb.conf, on all Samba DC servers:

[global]
        netbios name = SAMBA-DC103
        realm = <DOMAIN>
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = XXXXXXX

        ldap server require strong auth = no

[netlogon]
        path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
        read only = No

[sysvol]
        path = /opt/samba/var/locks/sysvol
        read only = No

To resolve it, I run "samba-tool ntacl sysvolreset", but I see that it is not a good idea (https://lists.samba.org/archive/samba/2017-March/207236.html).

Any ideas?

Regards;

Hi

More information:

DC to DC2/DC3 ->

/usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/

/usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/

Regards

On 10-01-2018 11:59, Carlos wrote:
> Hi!
>
> I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.
>
> Everything is OK, except the GPO on DC3, which has a permission error and doesn't load in Windows (gpresult /force).
>
> My smb.conf, on all Samba DC servers:
>
> [global]
>         netbios name = SAMBA-DC103
>         realm = <DOMAIN>
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = XXXXXXX
>
>         ldap server require strong auth = no
>
> [netlogon]
>         path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>         read only = No
>
> [sysvol]
>         path = /opt/samba/var/locks/sysvol
>         read only = No
>
> To resolve it, I run "samba-tool ntacl sysvolreset", but I see that it is not a good idea (https://lists.samba.org/archive/samba/2017-March/207236.html).
>
> Any ideas?
>
> Regards;

On 1/10/2018 8:59 AM, Carlos via samba wrote:
> Hi!
>
> I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.
>
> Everything is OK, except the GPO on DC3, which has a permission error and doesn't load in Windows (gpresult /force).
>
> My smb.conf, on all Samba DC servers:
>
> [global]
>         netbios name = SAMBA-DC103
>         realm = <DOMAIN>
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = XXXXXXX
>
>         ldap server require strong auth = no
>
> [netlogon]
>         path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>         read only = No
>
> [sysvol]
>         path = /opt/samba/var/locks/sysvol
>         read only = No
>
> To resolve it, I run "samba-tool ntacl sysvolreset", but I see that it is not a good idea (https://lists.samba.org/archive/samba/2017-March/207236.html).
>
> Any ideas?
>
> Regards;

Will need more information. How are you replicating sysvol? What is the exact message from gpupdate /force? Is it just one GPO not working?

--
James

Hi

Rsync DC1 to DC2 / DC3:

root /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@DCXX:/opt/samba/var/

Running "gpupdate /force" on Windows gives permission error information (it shows the GPO ID, any GPOs ...).

Yes, only the one GPO, with errors.

Regards;

On 10-01-2018 14:29, lingpanda101 via samba wrote:
> On 1/10/2018 8:59 AM, Carlos via samba wrote:
>> Hi!
>>
>> I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.
>>
>> Everything is OK, except the GPO on DC3, which has a permission error and doesn't load in Windows (gpresult /force).
>>
>> My smb.conf, on all Samba DC servers:
>>
>> [global]
>>         netbios name = SAMBA-DC103
>>         realm = <DOMAIN>
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         workgroup = XXXXXXX
>>
>>         ldap server require strong auth = no
>>
>> [netlogon]
>>         path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /opt/samba/var/locks/sysvol
>>         read only = No
>>
>> To resolve it, I run "samba-tool ntacl sysvolreset", but I see that it is not a good idea (https://lists.samba.org/archive/samba/2017-March/207236.html).
>>
>> Any ideas?
>>
>> Regards;
>
> Will need more information. How are you replicating sysvol? What is the exact message from gpupdate /force? Is it just one GPO not working?

Hi Carlos,

> DC to DC2/DC3 ->
>
> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>
> /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/

Looking at your smb.conf file, you are using tdb idmap (default on DC). So the UID/SID mapping will be different on the different DCs, and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol are very important, otherwise GPOs won't be applied. So it is logical for you to have to apply sysvolreset after your rsync.

One way to avoid that would be to copy idmap.ldb from your first DC to the other two DCs. The other way would be to configure rfc2307, but I'd say it is too much of a hassle.

Cheers,

Denis

> Regards
>
> On 10-01-2018 11:59, Carlos wrote:
>> Hi!
>>
>> I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.
>>
>> Everything is OK, except the GPO on DC3, which has a permission error and doesn't load in Windows (gpresult /force).
>>
>> My smb.conf, on all Samba DC servers:
>>
>> [global]
>>         netbios name = SAMBA-DC103
>>         realm = <DOMAIN>
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         workgroup = XXXXXXX
>>
>>         ldap server require strong auth = no
>>
>> [netlogon]
>>         path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /opt/samba/var/locks/sysvol
>>         read only = No
>>
>> To resolve it, I run "samba-tool ntacl sysvolreset", but I see that it is not a good idea (https://lists.samba.org/archive/samba/2017-March/207236.html).
>>
>> Any ideas?
>>
>> Regards;

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
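
The idmap mismatch described in the last reply can be confirmed by comparing the SID-to-xidNumber pairs held in idmap.ldb on two DCs. The script below is an added example, not part of the thread: the ldbsearch invocation, the /opt/samba/private path and the record layout are assumptions, and the two sample dumps are constructed.

```shell
# Compare SID -> xidNumber mappings dumped from idmap.ldb on two DCs.
# Assumed dump command (path assumes the /opt/samba prefix seen in the thread):
#   ldbsearch -H /opt/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber

# Print "SID xid" for each record carrying both attributes, sorted by SID.
sid_map() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/ { if (sid != "" && xid != "") print sid, xid; sid = ""; xid = "" }
        END  { if (sid != "" && xid != "") print sid, xid }
    ' "$1" | LC_ALL=C sort -k1,1
}

# Print "SID xid_on_A xid_on_B" for every SID whose mapping differs or is missing.
idmap_diff() {
    a=$(mktemp); b=$(mktemp)
    sid_map "$1" > "$a"; sid_map "$2" > "$b"
    LC_ALL=C join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$a" "$b" | awk '$2 != $3'
    rm -f "$a" "$b"
}

# Constructed sample dumps (not taken from the thread): $1 = first DC, $2 = DC3.
make_samples() {
    cat > "$1" <<'EOF'
dn: CN=CONFIG
xidNumber: 3000020

dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
xidNumber: 3000008
EOF
    cat > "$2" <<'EOF'
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
xidNumber: 3000011
EOF
}
d1=$(mktemp); d3=$(mktemp); make_samples "$d1" "$d3"
idmap_diff "$d1" "$d3"; rm -f "$d1" "$d3"
```

Every SID it lists has a different numeric ID on the second DC, so ACL entries carried over by rsync -XA for that ID refer to a different principal there. Empty output means the mappings agree.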