Hi,

We have 4 Domain Controllers all on CentOS 7.5 and Samba Version 4.7.5.

We are using iNotify to watch the folder and pushing any changes made to GPO from our first Domain Controller.

Of late, we started observing that, unless the client is reading the Group Policies from the first Domain Controller, none of the Group Policies gets applied. On the Windows Clients, we have observed that clients are reporting "Access Denied" error to Group Policy Objects on other Domain Controllers.

"samba-tool ntacl sysvolcheck" reports no errors on the GPO on any Domain Controllers. Yet, the clients report "Access Denied" on all other DCs except first one.

What could have gone wrong? Any clues?

--
Thanks & Regards,
Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On Thu, 12 Jul 2018 18:13:47 +0530 Anantha Raghava via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We have 4 Domain Controllers all on CentOS 7.5 and Samba Version
> 4.7.5.
>
> We are using iNotify to watch the folder and pushing any changes made
> to GPO from our first Domain Controller.
>
> Of late, we started observing that, unless the client is reading the
> Group Policies from the first Domain Controller, none of the Group
> Policies gets applied. On the Windows Clients, we have observed that
> clients are reporting "Access Denied" error to Group Policy Objects
> on other Domain Controllers.
>
> "samba-tool ntacl sysvolcheck" reports no errors on the GPO on any
> Domain Controllers. Yet, the clients report "Access Denied" on all
> other DCs except first one.
>
> What could have gone wrong? Any clues?
>

I take it you are syncing 'sysvol' to the DCs from the first DC, but are you also syncing idmap.ldb as well?

Rowland

Hello Rowland,

Thanks for your quick response.

We are syncing only sysvol from first Domain Controller, but not idmap.ldb. Do we need to sync idmap.ldb as well?

--
Thanks & Regards,
Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 12/07/18 6:20 PM, Rowland Penny via samba wrote:

> On Thu, 12 Jul 2018 18:13:47 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> We have 4 Domain Controllers all on CentOS 7.5 and Samba Version
>> 4.7.5.
>>
>> We are using iNotify to watch the folder and pushing any changes made
>> to GPO from our first Domain Controller.
>>
>> Of late, we started observing that, unless the client is reading the
>> Group Policies from the first Domain Controller, none of the Group
>> Policies gets applied. On the Windows Clients, we have observed that
>> clients are reporting "Access Denied" error to Group Policy Objects
>> on other Domain Controllers.
>>
>> "samba-tool ntacl sysvolcheck" reports no errors on the GPO on any
>> Domain Controllers. Yet, the clients report "Access Denied" on all
>> other DCs except first one.
>>
>> What could have gone wrong? Any clues?
>>
> I take it you are syncing 'sysvol' to the DCs from the first DC, but
> are you also syncing idmap.ldb as well?
>
> Rowland