Marco Shmerykowsky
2021-Jan-28 18:54 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 1/28/2021 10:46 AM, Marco Shmerykowsky via samba wrote:
> I'm currently running Debian 10 & Samba 4.13.2.
>
> Users can connect remotely via OpenVPN with the
> authentication being handled by samba.
>
> I created a second DC, joined it to the domain following
> "Joining a Samba DC to an Existing Active Directory"
> from the SambaWiki.
>
> I also implemented the "Rsync based SysVol replication workaround"
> also listed in the SambaWiki.
>
> After adding in the second DC as described above users
> started having issues with the GPOs not being applied.
> Running gpresult shows that the failed drive maps have
> the error -> winning gpo Result: Failure (Error Code: 0x80070035)
>
> What is odd is that it doesn't appear consistent. I've
> logged in using the user's credentials on two computers
> and have no issues. The user, however, still seems to
> have issues even after deleting the local profile,
> running 'gpupdate /force' and rebooting.
>
> Ideas? Thank you.
>

Just to add to this:

If I run 'samba-tool ntacl sysvolcheck' on either server I get the
following:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/sce-internal.sce-engineers.com/Policies/{51902A58-DF2B-440B-B85B-41E156D631EA} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119)(A;OICI;0x001200a9;;;DU) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119) from GPO object
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1894, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1844, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1786, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)

Running 'samba-tool ntacl sysvolreset' seems to clear the error for a bit before it started appearing again.

Rowland Penny
2021-Jan-28 19:02 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>
>
> Just to add to this:
>
> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
> following:

I know you are syncing sysvol between the two DCs, but are you also syncing idmap.ldb from the first DC to the second? If you aren't, then you will probably have different xidNumbers on each DC.

Rowland
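
The two security descriptors in the sysvolcheck error from the first message are hard to compare by eye. The following is an added example, not part of the thread and not Samba's own code: it parses both SDDL strings (copied from that error) and reports which DACL flags and ACEs differ. The function names parse_sddl and diff_sddl are hypothetical, and only the O:/G:/D: form seen in the error is handled.

```python
import re
from collections import Counter

# Both strings are copied from the sysvolcheck error in the first message.
COMMON = (
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001200a9;;;ED)"
    "(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119)"
)
FS_SDDL = "O:DAG:DAD:PAI" + COMMON + "(A;OICI;0x001200a9;;;DU)"  # ACL found on the directory
GPO_SDDL = "O:DAG:DAD:PAR" + COMMON                              # expected from the GPO object

# Standard SDDL DACL control flags: P = protected, AR = auto-inherit
# requested, AI = auto-inherited. DU is the alias for Domain Users.
SDDL_RE = re.compile(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^()]*\))*)")


def parse_sddl(sddl):
    """Return owner, group, DACL flag set and the ACEs as 6-field tuples."""
    m = SDDL_RE.fullmatch(sddl)
    if not m:
        raise ValueError("unsupported SDDL (owner, group and DACL are required)")
    owner, group, flags, aces = m.groups()
    return {
        "owner": owner,
        "group": group,
        "flags": set(re.findall(r"AR|AI|P", flags)),
        "aces": [tuple(a.split(";")) for a in re.findall(r"\(([^()]*)\)", aces)],
    }


def diff_sddl(actual, expected):
    """Compare two descriptors; ACEs are treated as a multiset (duplicates count)."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    ca, ce = Counter(a["aces"]), Counter(e["aces"])
    return {
        "owner_group_equal": (a["owner"], a["group"]) == (e["owner"], e["group"]),
        "flags_only_actual": a["flags"] - e["flags"],
        "flags_only_expected": e["flags"] - a["flags"],
        "aces_only_actual": list((ca - ce).elements()),
        "aces_only_expected": list((ce - ca).elements()),
    }


if __name__ == "__main__":
    for key, value in diff_sddl(FS_SDDL, GPO_SDDL).items():
        print(f"{key}: {value}")
```

On these inputs the ACL on the directory carries the AI flag where the GPO object expects AR, and it has one extra ACE for DU (Domain Users); owner, group and the other eight ACEs are identical.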