Marco Shmerykowsky
2021-Jan-28 21:13 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>> Just to add to this:
>>>>
>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
>>>> following:
>>>
>>> I know you are syncing sysvol between the two DCs, but are you also
>>> syncing idmap.ldb from the first DC to the second?
>>>
>>> If you aren't, then you will probably have different xidNumbers on
>>> each DC.
>>>
>>> Rowland
>>
>> I did the sync once when I set up the server. The docs on the
>> wiki seem to imply this is a one-time step and not something
>> that needs to be done continuously.
>>
>> I did find a configuration error on the new DC that may
>> have affected the way DNS was working; however, after
>> correcting that the user is still reporting that after
>> logon the GPOs are not being applied.
>>
>> I cannot replicate the problem on my end.
>>
>> The results of the drive map according to gpresult
>> from the user's computer produce (Error Code: 0x80070035).
>
> I believe that error code means that the directory cannot be found,
> though it could be a permissions problem. It could be something as
> simple as giving Domain Admins a gidNumber attribute.
>
> idmap.ldb works by giving domain users & groups an xidNumber attribute
> (not to be confused with uidNumber & gidNumber attributes). These are
> allocated on a first-come basis, so you may have to sync idmap.ldb a few
> times to ensure they match; without doing this, the wrong user or group
> may be used.
>
> Windows has the concept of groups owning files & folders; on Unix a
> group cannot own anything, so, in idmap.ldb, you find groups marked as
> 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes just a
> group and cannot own anything. Domain Admins is such a group.
>
> Rowland

But why would the policy work on one computer and not another with the
same login credentials?
Rowland penny
2021-Jan-28 21:21 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 28/01/2021 21:13, Marco Shmerykowsky via samba wrote:
> On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
>> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>>> Just to add to this:
>>>>>
>>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
>>>>> following:
>>>>
>>>> I know you are syncing sysvol between the two DCs, but are you
>>>> also syncing idmap.ldb from the first DC to the second?
>>>>
>>>> If you aren't, then you will probably have different xidNumbers on
>>>> each DC.
>>>>
>>>> Rowland
>>>
>>> I did the sync once when I set up the server. The docs on the
>>> wiki seem to imply this is a one-time step and not something
>>> that needs to be done continuously.
>>>
>>> I did find a configuration error on the new DC that may
>>> have affected the way DNS was working; however, after
>>> correcting that the user is still reporting that after
>>> logon the GPOs are not being applied.
>>>
>>> I cannot replicate the problem on my end.
>>>
>>> The results of the drive map according to gpresult
>>> from the user's computer produce (Error Code: 0x80070035).
>>
>> I believe that error code means that the directory cannot be found,
>> though it could be a permissions problem. It could be something as
>> simple as giving Domain Admins a gidNumber attribute.
>>
>> idmap.ldb works by giving domain users & groups an xidNumber
>> attribute (not to be confused with uidNumber & gidNumber attributes).
>> These are allocated on a first-come basis, so you may have to sync
>> idmap.ldb a few times to ensure they match; without doing this, the
>> wrong user or group may be used.
>>
>> Windows has the concept of groups owning files & folders; on Unix a
>> group cannot own anything, so, in idmap.ldb, you find groups marked
>> as 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes
>> just a group and cannot own anything. Domain Admins is such a group.
>>
>> Rowland
>
> But why would the policy work on one computer and not another with
> the same login credentials?

Good question?

Run 'ls -laR /var/lib/samba/sysvol > perms.txt' on both DCs.

Compare the outputs: do the owner & groups match?

This could be a DNS problem, so check resolving.

Rowland
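The two checks Rowland asks for (do the owner and group of every sysvol entry match on both DCs, and do the two idmap.ldb files agree on which xidNumber each SID got) can be scripted so the diff is exact rather than eyeballed. The script below is an added example and is not code from the thread or from the Samba project. It assumes GNU find (for -printf) and Samba's ldbsearch on the DCs; the data in the demo_* functions is constructed to show what a mismatch looks like and was not captured from any real domain.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Dumps owner/group/mode
# of every sysvol entry and the SID -> xidNumber allocations in idmap.ldb
# on each DC as "key<TAB>value" lines, then diffs the two DCs by key.
# Assumes GNU find (-printf) and ldbsearch; demo data below is constructed.

# Run on each DC, copy the result to one host:  dump_sysvol_perms > sysvol-$(hostname).txt
# Lines are "path<TAB>owner group mode", sorted so the diff is stable.
dump_sysvol_perms() {
    find "${1:-/var/lib/samba/sysvol}" -printf '%p\t%u %g %m\n' | LC_ALL=C sort
}

# Run on each DC:  dump_idmap > idmap-$(hostname).txt
# Lines are "SID<TAB>xidNumber type" (type is ID_TYPE_BOTH, ID_TYPE_UID or ID_TYPE_GID).
dump_idmap() {
    ldbsearch -H "${1:-/var/lib/samba/private/idmap.ldb}" \
        '(objectClass=sidMap)' objectSid xidNumber type | ldif_to_kv
}

# Convert ldbsearch's LDIF into "SID<TAB>xidNumber type". Records end at a
# blank line and attribute order is not guaranteed, so collect per record.
ldif_to_kv() {
    awk -F': ' '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^type: /      { type = $2 }
        /^$/ && sid != "" { printf "%s\t%s %s\n", sid, xid, type; sid = xid = type = "" }
        END { if (sid != "") printf "%s\t%s %s\n", sid, xid, type }
    ' | LC_ALL=C sort
}

# Compare two "key<TAB>value" files (first DC, second DC). One line per
# difference: MISMATCH (same key, different value), ONLY_FIRST, ONLY_SECOND.
# Prints nothing when the DCs agree.
compare_kv() {
    awk -F'\t' '
        NR == FNR { first[$1] = $2; next }
        {
            if (!($1 in first))       printf "ONLY_SECOND\t%s\n", $1
            else if (first[$1] != $2) printf "MISMATCH\t%s\t%s != %s\n", $1, first[$1], $2
            seen[$1] = 1
        }
        END { for (k in first) if (!(k in seen)) printf "ONLY_FIRST\t%s\n", k }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sysvol listings: on DC2 the Policies directory carries a
# different group xid and the scripts directory was never synced.
demo_sysvol() {
    tmp=$(mktemp -d)
    printf '%s\t%s\n' \
        /var/lib/samba/sysvol 'root root 755' \
        /var/lib/samba/sysvol/example.com 'root 3000000 770' \
        /var/lib/samba/sysvol/example.com/Policies 'root 3000000 770' \
        /var/lib/samba/sysvol/example.com/scripts 'root 3000000 770' > "$tmp/dc1.txt"
    printf '%s\t%s\n' \
        /var/lib/samba/sysvol 'root root 755' \
        /var/lib/samba/sysvol/example.com 'root 3000000 770' \
        /var/lib/samba/sysvol/example.com/Policies 'root 3000001 770' > "$tmp/dc2.txt"
    compare_kv "$tmp/dc1.txt" "$tmp/dc2.txt"
    rm -rf "$tmp"
}

# Constructed ldbsearch output with a placeholder domain SID: DC2 allocated
# xidNumbers to RID 512 (Domain Admins) and RID 513 (Domain Users) in the
# opposite order, the first-come allocation problem described above.
demo_idmap() {
    tmp=$(mktemp -d)
    cat > "$tmp/dc1.ldif" <<'EOF'
# record 1
dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-111-222-333-513
objectSid: S-1-5-21-111-222-333-513
type: ID_TYPE_BOTH
xidNumber: 3000001

# returned 2 records
EOF
    # DC2's dump is DC1's with the two xidNumbers swapped.
    sed -e 's/xidNumber: 3000000/xidNumber: X/' -e 's/xidNumber: 3000001/xidNumber: 3000000/' \
        -e 's/xidNumber: X/xidNumber: 3000001/' "$tmp/dc1.ldif" > "$tmp/dc2.ldif"
    ldif_to_kv < "$tmp/dc1.ldif" > "$tmp/dc1.txt"
    ldif_to_kv < "$tmp/dc2.ldif" > "$tmp/dc2.txt"
    compare_kv "$tmp/dc1.txt" "$tmp/dc2.txt"
    rm -rf "$tmp"
}

demo_sysvol
demo_idmap
```

A MISMATCH on a SID in the idmap comparison means that file owned by "group 3000000" on the first DC belongs to a different group on the second, even though the sysvol listings look alike, which is why the wiki procedure for adding a DC copies idmap.ldb from an existing DC and then runs net cache flush and samba-tool ntacl sysvolreset on the new one. Empty output from both comparisons points away from permissions and towards the DNS/resolving check in Rowland's reply.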