GPOs fail to apply on Windows clients and sysvol permission errors are
logged.
DC is Samba 4.13.0 created via a classic upgrade.
Logged sysvol errors (uid 5025 is the system I ran gpupdate on, don't
know what uid 3000011 refers to):
==================================
Oct 25 12:17:09 srvr01 smbd[3762]: [2020/10/25
12:17:09.695062, 0]
../../source3/smbd/service.c:169(chdir_current_service)
Oct 25 12:17:09 srvr01 smbd[3762]: chdir_current_service:
vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current
token: uid=3000011
Oct 25 12:17:41 srvr01 smbd[3762]: [2020/10/25 12:17:41.927671, 0]
../../source3/smbd/service.c:169(chdir_current_service)
Oct 25 12:17:41 srvr01 smbd[3762]: chdir_current_service:
vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current
token: uid=3000011
Oct 25 12:19:40 srvr01 smbd[3780]: [2020/10/25 12:19:40.865699, 0]
../../source3/smbd/service.c:169(chdir_current_service)
Oct 25 12:19:40 srvr01 smbd[3780]: chdir_current_service:
vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current
token: uid=5035, g
Oct 25 12:19:51 srvr01 smbd[3780]: [2020/10/25 12:19:51.767427, 0]
../../source3/smbd/service.c:169(chdir_current_service)
Oct 25 12:19:51 srvr01 smbd[3780]: chdir_current_service:
vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current
token: uid=5035, g
Oct 25 12:31:01 srvr01 smbd[3842]: [2020/10/25 12:31:01.462208, 0]
../../source3/rpc_server/rpc_server.c:1086(dcesrv_auth_gensec_prepare)
Oct 25 12:31:01 srvr01 smbd[3842]: dcesrv_auth_gensec_prepare: Failed to
prepare gensec: NT_STATUS_INVALID_SERVER_STATE
==================================
Windows system log provides:
==================================
The processing of Group Policy failed. Windows
could not apply the
registry-based policy settings for the Group Policy object
LDAP://CN=Machine,cn={E2BC0255-64C8-42CF-A27A-59A7D3DCD2DC},cn=policies,cnsystem,DC=my,DC=example,DC=com.
Group Policy settings will not be resolved
until this event is resolved. View the event details for more information on the
file name and path that caused the failure.
==================================
How to solve?
Thanks,
Chris

On 25/10/2020 17:31, Sonic via samba wrote:
> GPOs fail to apply on Windows clients and sysvol permission errors are logged.
> DC is Samba 4.13.0 created via a classic upgrade.
>
> Logged sysvol errors (uid 5025 is the system I ran gpupdate on, don't
> know what uid 3000011 refers to):

So '5035' is a computer, but what is '3000011'?

You can find out by running this on the DC:

ldbsearch -H /path/to/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'

You just need to ensure you use the correct path to 'idmap.ldb'.

Once you find that out, you should then be able to find out why the two are being denied access, by examining the permissions on sysvol.

Rowland

On Sun, Oct 25, 2020 at 2:38 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> So '5035' is a computer, but what is '3000011' ?
> You can find out by running this on the DC:
> ldbsearch -H /path/to/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'

==================================
# ldbsearch -H /usr/local/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'
# record 1
dn: CN=S-1-5-21-546846319-217595157-9522986-1328
cn: S-1-5-21-546846319-217595157-9522986-1328
objectClass: sidMap
objectSid: S-1-5-21-546846319-217595157-9522986-1328
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-546846319-217595157-9522986-1328

# returned 1 records
# 1 entries
# 0 referrals
==================================
S-1-5-21-546846319-217595157-9522986-1328 is the sid of the Windows 10 pro client I'm using to manage the domain.
==================================

> Once you find out that, you should then be able to find out why the two
> are being denied access, by examining the permissions on sysvol.

Permissions on sysvol are:
drwxrwx---+ 4 root 3000000
Compared with another domain's DC (which has no GPO issues):
drwxrws---+ 1 root 3000000

Looks like sgid is set on one and not the other. I have not touched those permissions. If sgid is needed shouldn't the classic upgrade have handled that? Should I add the sgid to sysvol and its subdirectories (that's how it is on the working domain) or is this just a difference in the two releases (the working domain is running 4.10.16)?

Chris
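
The lookup discussed in this thread can be scripted when several IDs show up in the smbd log. The following is an added example, not part of any message in the thread: it pulls the denied uids out of wrapped `chdir_current_service` log lines, builds the `ldbsearch` filter quoted above for each, and resolves those that already appear in `ldbsearch` output. The function names are hypothetical, and the sample text is excerpted from the messages above.

```python
import re

# Log excerpt and ldbsearch output taken from the thread above (mail wrapping kept).
SAMPLE_LOG = """\
Oct 25 12:17:09 srvr01 smbd[3762]: chdir_current_service:
vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current
token: uid=3000011
Oct 25 12:19:40 srvr01 smbd[3780]: chdir_current_service:
vfs_ChDir(/usr/local/samba/var/locks/sysvol) failed: Permission denied. Current
token: uid=5035, g
"""
SAMPLE_LDIF = """\
# record 1
dn: CN=S-1-5-21-546846319-217595157-9522986-1328
objectSid: S-1-5-21-546846319-217595157-9522986-1328
type: ID_TYPE_BOTH
xidNumber: 3000011
"""

DENIED = re.compile(r"vfs_ChDir\((?P<path>[^)]+)\) failed: Permission denied\. "
                    r"Current token: uid=(?P<uid>\d+)")

def denied_uids(log_text):
    """Return {share path: sorted uids} for chdir_current_service denials."""
    flat = " ".join(log_text.split())  # undo syslog/mail line wrapping
    found = {}
    for m in DENIED.finditer(flat):
        found.setdefault(m["path"], set()).add(int(m["uid"]))
    return {path: sorted(uids) for path, uids in found.items()}

def idmap_filter(xid):  # filter from the reply above, for ldbsearch -H <idmap.ldb>
    return f"(&(objectClass=sidMap)(xidNumber={int(xid)}))"

def parse_sidmap(ldif_text):
    """Map xidNumber -> (objectSid, type) from ldbsearch output."""
    mapping, rec = {}, {}
    for line in ldif_text.splitlines() + [""]:
        if ": " in line and not line.startswith("#"):
            key, value = line.split(": ", 1)
            rec[key] = value.strip()
        elif rec:  # a blank or comment line ends the current record
            if "xidNumber" in rec and "objectSid" in rec:
                mapping[int(rec["xidNumber"])] = (rec["objectSid"], rec.get("type"))
            rec = {}
    return mapping

def report(log_text, ldif_text):  # rows of (path, uid, SID or the filter to run)
    sids = parse_sidmap(ldif_text)
    return [(path, uid, sids[uid][0] if uid in sids else idmap_filter(uid))
            for path, uids in denied_uids(log_text).items() for uid in uids]
```

A uid with no sidMap record in the supplied output is returned with the filter to run next, so the result doubles as a to-do list for the remaining lookups.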