L.P.H. van Belle
2021-Jan-29 07:58 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
Run this one on the DC with FSMO roles.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh

By default it does not apply the rights yet!

So I would do the following in this case.

1) Run the script on both servers and compare it. (dc1)
2) samba-tool sysvol reset on the DC with FSMO. (dc1)
3) Rerun the script and apply the rights. (dc1)
4) Stop samba on the first DC, get the IDMAP.LDB and copy it to DC2.
5) Start samba on DC1.
6) Stop samba on DC2, now copy idmap.ldb to the correct location.
7) Start samba on DC2.
8) Sync sysvol DC1 to DC2.
9) Run: dig ns $(hostname -d)
   And verify that BOTH DCs' NS records are there.

Reboot DC1, wait for it to be up again.
Reboot DC2, wait for it to be up again.

Run the script again (on both servers) and verify it.

Last, now go to the GPO Editor and click a few policies.
If one needs correction, it will complain about incorrect rights; click on the message. And it's done.

Still not working?
Run getfacl on both servers and compare that.

Still not working?
Run this one on both servers and post the output so we can compare both servers.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco
> Shmerykowsky via samba
> Sent: Thursday 28 January 2021 23:12
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO Issue after adding second DC -> winning gpo
> Result: Failure (Error Code: 0x80070035)
>
>
> On 2021-01-28 4:21 pm, Rowland penny via samba wrote:
> > On 28/01/2021 21:13, Marco Shmerykowsky via samba wrote:
> >>
> >> On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
> >>> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
> >>>>
> >>>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
> >>>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
> >>>>>>
> >>>>>>
> >>>>>> Just to add to this:
> >>>>>>
> >>>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
> >>>>>> following:
> >>>>>
> >>>>> I know you are syncing sysvol between the two DC's, but are you
> >>>>> also syncing idmap.ldb from the first DC to the second ?
> >>>>>
> >>>>> If you aren't, then you will probably have different xidNumbers on
> >>>>> each DC.
> >>>>>
> >>>>> Rowland
> >>>>
> >>>> I did the sync once when I set up the server. The docs on the
> >>>> wiki seem to imply this is a one time step and not something
> >>>> that needs to be done continuously.
> >>>>
> >>>> I did find a configuration error on the new DC that may
> >>>> have affected the way DNS was working, however after
> >>>> correcting that the user still is reporting that after
> >>>> logon, the GPO's are not being applied.
> >>>>
> >>>> I can not replicate the problem on my end.
> >>>>
> >>>> The results of the drive map according to gpresult
> >>>> from the user's computer produce (Error Code: 0x80070035).
> >>>>
> >>> I believe that error code means that the directory cannot be found,
> >>> though it could be a permissions problem. It could be something as
> >>> simple as giving Domain Admins a gidNumber attribute.
> >>>
> >>> idmap.ldb works by giving domain users & groups an xidNumber
> >>> attribute (not to be confused with uidNumber & gidNumber attributes),
> >>> these are allocated on a first come basis, so you may have to sync
> >>> idmap.ldb a few times to ensure they match, without doing this, the
> >>> wrong user or group may be used.
> >>>
> >>> Windows has the concept of groups owning files & folders, on Unix a
> >>> group cannot own anything, so, in idmap.ldb, you find groups marked
> >>> as 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes
> >>> just a group and cannot own anything, Domain Admins is such a group.
> >>>
> >>> Rowland
> >>
> >> But why would the policy work on one computer and not another with
> >> the same login credentials?
> >>
> > Good question
> >
> > Run 'ls -laR /var/lib/samba/sysvol > perms.txt' on both DC's
> >
> > Compare the outputs, do the owner & groups match ?
> >
> > This could be a dns problem, so check resolving.
> >
> > Rowland
>
> Everything looks somewhat the same except for user and group.
>
> On the First DC I have entries such as 'BUILTIN\administrators'
> on the secondary DC I have numbers such as '3000002'
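The "run getfacl on both servers and compare" step above, and Rowland's earlier "do the owner & groups match?" check, can be done mechanically. The script below is an added example written for this thread; it is not code from the list posters or from the Samba project. It assumes you have run `getfacl -R /var/lib/samba/sysvol > dcN.facl` on each DC (getfacl strips the leading slash from paths and escapes backslashes and spaces in names as `\134` and `\040`) and copied both dumps to one host; the file names, the `ad.example.com` domain and the GPO GUID in the embedded sample dumps are constructed for the demo. It reports paths present on only one DC, owner/group/ACE differences, and any purely numeric principal such as the `3000002` Marco saw, which is a uid/gid the DC could not map back to a name and therefore points at idmap.ldb rather than at the sysvol copy.

```python
"""Compare `getfacl -R /var/lib/samba/sysvol` dumps from two Samba AD DCs.
Added example for this thread, not code from the posters or the Samba project.
Assumed use: `getfacl -R /var/lib/samba/sysvol > dcN.facl` on each DC, copy both
files to one host, then `python3 compare_sysvol_facl.py dc1.facl dc2.facl`."""
import re
import sys

# getfacl prints backslash, space and non-printables in names as \NNN octal,
# e.g. "BUILTIN\134administrators" for BUILTIN\administrators.
_OCTAL_ESC = re.compile(r"\\([0-7]{3})")

def unescape(name):
    return _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """{path: {"owner", "group", "acl": frozenset((type, name, perms))}}; "acl" keeps
    only named user/group entries (incl. default:), base entries are owner/group."""
    entries, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            path = None                       # blank line ends a record
        elif line.startswith("# file:"):
            path = unescape(line[7:].strip())
            entries[path] = {"owner": None, "group": None, "acl": set()}
        elif path is None:
            continue                          # stray text outside a record
        elif line.startswith("# owner:"):
            entries[path]["owner"] = unescape(line[8:].strip())
        elif line.startswith("# group:"):
            entries[path]["group"] = unescape(line[8:].strip())
        elif not line.startswith("#"):        # skip "# flags:" and the like
            # [default:]<type>:<qualifier>:<perms>   [#effective:<perms>]
            parts = re.split(r"\s+#", line)[0].split(":")
            if parts[0] == "default":
                parts = ["default:" + parts[1]] + parts[2:]
            kind, qualifier, perms = parts[:3]
            if qualifier:                     # user::/group::/mask::/other:: have none
                entries[path]["acl"].add((kind, unescape(qualifier), perms))
    return {p: dict(r, acl=frozenset(r["acl"])) for p, r in entries.items()}

def compare(dc1, dc2):
    """Return a report dict; every value is empty when the two DCs agree."""
    report = {"only_on_dc1": [], "only_on_dc2": [], "mismatch": {}, "unresolved": {}}
    for path in sorted(set(dc1) | set(dc2)):
        a, b = dc1.get(path), dc2.get(path)
        if a is None or b is None:            # sysvol sync missed this path
            report["only_on_dc1" if b is None else "only_on_dc2"].append(path)
            continue
        diffs = [f"{f}: dc1={a[f]} dc2={b[f]}" for f in ("owner", "group") if a[f] != b[f]]
        diffs += [f"only on dc1: {k}:{q}:{p}" for k, q, p in sorted(a["acl"] - b["acl"])]
        diffs += [f"only on dc2: {k}:{q}:{p}" for k, q, p in sorted(b["acl"] - a["acl"])]
        if diffs:
            report["mismatch"][path] = diffs
        # A purely numeric principal means getfacl could not map the uid/gid to a
        # name, e.g. an xidNumber from DC1's idmap.ldb that DC2 never received
        # (the 3000002 in the thread). Syncing sysvol alone will never fix that.
        for label, rec in (("dc1", a), ("dc2", b)):
            names = [rec["owner"], rec["group"]] + [q for _, q, _ in rec["acl"]]
            bad = sorted({n for n in names if n and n.isdigit()})
            if bad:
                report["unresolved"].setdefault(path, {})[label] = bad
    return report

# Constructed sample dumps, not real output from the poster's DCs: DC1 resolves
# names, DC2 shows raw xidNumbers and is missing one GPO directory.
DC1_SAMPLE = r"""
# file: var/lib/samba/sysvol/ad.example.com/Policies
# owner: root
# group: BUILTIN\134administrators
user:BUILTIN\134administrators:rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x

# file: var/lib/samba/sysvol/ad.example.com/Policies/{00000000-0000-0000-0000-000000000001}
# owner: root
# group: BUILTIN\134administrators
group:BUILTIN\134administrators:rwx
"""
DC2_SAMPLE = r"""
# file: var/lib/samba/sysvol/ad.example.com/Policies
# owner: root
# group: 3000002
user:3000002:rwx
group:3000002:rwx
group:3000003:r-x
"""

def main(argv):
    # With two file arguments compare those dumps; with none, run on the samples.
    dumps = [open(p).read() for p in argv[1:]] if len(argv) == 3 else [DC1_SAMPLE, DC2_SAMPLE]
    report = compare(parse_getfacl(dumps[0]), parse_getfacl(dumps[1]))
    for key, value in report.items():
        print(f"{key}: {value}")
    return 1 if any(report.values()) else 0   # non-zero exit when the DCs disagree

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the report on the embedded samples; with the two dump files it exits non-zero on any difference, so it can sit in a cron job after the sysvol sync. An "unresolved" hit on DC2 only is the signature of a stale idmap.ldb on DC2, and is the case where re-syncing sysvol does nothing; an ownership or ACE difference with names on both sides is the case the samba-check-set-sysvol.sh script in Louis' mail (or the GPO Editor's permission repair) addresses.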
Marco Shmerykowsky
2021-Jan-29 15:36 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
> 2) samba-tool sysvol reset on dc with FSMO. (dc1)

On the SambaWiki for Sysvolreset it states:

Advice via mailing list (as of May 2018) (courtesy of Rowland Penny)
If you have added any custom GPOs, never ever use sysvolcheck or sysvolreset

I have GPO's for drive mapping and screen background.
I'd assume they qualify as "custom".

Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
Marco Shmerykowsky
2021-Jan-29 19:46 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
> Run this one on the DC with FSMO roles.
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>
> By default it does not apply the rights yet!
>
> So i would do the following in this case.
>
> 1) run the script on both servers and compair it. (dc1)
> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
> 3) rerun the script and apply the right. (dc1)
> 4) stop samba on the first DC, get the IDMAP.LDB and copy it to DC2
> 5) start samba DC1.
> 6) stop samba on DC2, now copy idmap.ldb to the correct location.
> 7) start samba on DC2
> 8) sync sysvol DC1 to DC2
> 9) run : dig ns $(hostname -d)
> And verify if BOTH the DC's there NS records are there.
>
> Reboot DC1, wait for it to be up again.
> Reboot DC2, wait for it to be up again.
>
> Run the script again ( on both server ) and verify it.
>
> last, now goto GPO Editor, and klik a few policies.
> if one needs correction, it will complain about incorrect rights, klik on the message. And its done.
>
> Still not working.
> run getfacl on both servers and compair that.
>
> Still not working..
> run this one on both servers and post the output so we can compair both servers.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

I've been looping through the issue and think it's some sort of DNS issue.

The machines are running NetworkManager (even though the wiki says not to, likely for this very reason), but I finally have dig ns $(hostname -d) returning the same results on both servers.

When the user logs in on his local machine, the user seems to get wonky ping results:

ping www.google.com -> Returns a reply
ping ad-domain.company.com -> Returns a reply
ping server.ad-domain.company.com -> No reply
ping server -> No reply

It seems the GPO's are not applying on his machine due to a DNS error, but I can't reproduce it on my end.