So, I'm seeing some very odd behavior.
I may have multiple issues - so I'm simply starting holding the thread of the problem and working my way back.

So, the root symptom I'm having is that a GPO isn't applying correctly. [Roaming profiles namely.] I have two DC's. I change the GPO on one DC and rsync the update to the other DC. I can see that the files get updated.

Yet when I login to the domain from a test Windows workstation, it's not seeing the updated GPO data. [I'm changing the directory where the roaming profiles are to be stored.]

I see numerous queries about GPO's and NTACL's etc.
I pulled down Rowland/Louis script to check sysvol. [v 0.2]
Yet the output doesn't seem to show me anything.

---
# ./samba-check-set-sysvol.sh
Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
The sysvol ACLS info.....
Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.

Set your sysvol SHARE permissions as followed.
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
---
~# cat default-rights-sysvol.acl
# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
---

When I check the file/directory permissions they appear correct.

The computer/user is actually seeing the GPO, just an "old" version of it.

So, where to look to see what's causing the issue - what are the likely causes?

TIA
-Greg
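
As an added example (not part of the original post and not taken from samba-check-set-sysvol.sh), the getfacl-format baseline shown above can be compared mechanically against an ACL dump taken on each DC rather than by eye. `parse_acl`, `diff_acl` and the `DC2_DUMP` sample are constructed for illustration; `BASELINE` is abbreviated from the file in the post.

```python
# Added example. BASELINE is abbreviated from the post; DC2_DUMP is constructed.
BASELINE = """\
# file: /var/lib/samba/sysvol
user::rwx
user:3000000:rwx
user:3000001:r-x
other::---
default:user:3000000:rwx
"""
DC2_DUMP = """\
# file: /var/lib/samba/sysvol
user::rwx
user:3000000:rwx
user:3000001:rwx
other::r-x
default:user:3000004:r-x
"""

def parse_acl(text):
    """Parse getfacl-style text into {(scope, tag, qualifier): perms}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line:
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unparseable ACL entry: {raw!r}")
        entries[(scope, parts[0], parts[1])] = parts[2]
    return entries

def diff_acl(baseline, actual):
    """List entries that are missing, unexpected, or changed versus the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(actual)):
        want, have = baseline.get(key), actual.get(key)
        name = ("default:" if key[0] == "default" else "") + f"{key[1]}:{key[2]}"
        if want is None:
            findings.append(f"unexpected {name}:{have}")
        elif have is None:
            findings.append(f"missing {name}:{want}")
        elif want != have:
            findings.append(f"changed {name} {want} -> {have}")
    return findings
if __name__ == "__main__":
    print("\n".join(diff_acl(parse_acl(BASELINE), parse_acl(DC2_DUMP))))
```
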

On Wed, 23 Jan 2019 08:40:55 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> So, I'm seeing some very odd behavior.
> I may have multiple issues - so I'm simply starting holding the
> thread of the problem and working my way back.
>
> So, the root symptom I'm having is that a GPO isn't applying
> correctly. [Roaming profiles namely.] I have two DC's. I change the
> GPO on one DC and rsync the update to the other DC. I can see that
> the files get updated.

How are you setting the GPO ? by computer or user ?
Are you modifying either of the two default policies, or creating a new policy ?

>
> Yet when I login to the domain from a test Windows workstation, it's
> not seeing the updated GPO data. [I'm changing the directory where
> the roaming profiles are to be stored.]
>

Where are the roaming policies stored /

Rowland

So, some updates.

I started that email a couple of hours ago - but suddenly, without changing a thing, the test client/station is suddenly now getting the correct GPO details. Yet, I've not synced the sysvol or done anything to change or update the GPO on either DC.

See inline...

RPvs> On Wed, 23 Jan 2019 08:40:55 -0800
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:

>> So, I'm seeing some very odd behavior.
>> I may have multiple issues - so I'm simply starting holding the
>> thread of the problem and working my way back.

>> So, the root symptom I'm having is that a GPO isn't applying
>> correctly. [Roaming profiles namely.] I have two DC's. I change the
>> GPO on one DC and rsync the update to the other DC. I can see that
>> the files get updated.

RPvs> How are you setting the GPO ? by computer or user ?
RPvs> Are you modifying either of the two default policies, or creating a new
RPvs> policy ?

I've got some policies that are computer based and some user based. [Roaming profiles is a computer policy.]
I'm creating new policies/GPO's.

>> Yet when I login to the domain from a test Windows workstation, it's
>> not seeing the updated GPO data. [I'm changing the directory where
>> the roaming profiles are to be stored.]

RPvs> Where are the roaming policies stored /

The GPO is stored on the Samba DC's.
[Your terminology is super vague, IMO. I'm not sure if you're asking where the GPO (the actual "policy") is, or if you're asking where the roaming profile for the computer/user is stored. I'm not at all sure what a "roaming policy" is supposed to be.]

---

I'll follow this up with a new message - because while this latency in GPO/policy application/availability is a problem, I've now run into a problem that's been cropping up and I'm lost as how to deal with it.

RPvs> Rowland

--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gregs at sloop.net
http://www.sloop.net
---