samba - Apr 2024 - GPO Editor says "Access denied" for Group Policy Objects

On Thu, 25 Apr 2024 16:55:55 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:
> .. we setup 2 new DCs replacing older DCs and joined them to the
> domain, then decommissioned the old DCs. I now discover that I cannot
> edit the GPO objects anymore.
> "sysvolcheck" shows no errors. I read through some documentation
but
> it sounds outdated to me. Any hints where I would start looking? Who
> should normally be the owner of the sysvol directory itself?
> 
> What I find strange is that on a domain member, getent group shows me 
> all Domain groups, while on the DC these are not shown.
> But that might be totally unrelated.
> 
> Any hints?
> 
Without more info, Anything would be guess work, but a guess in the
dark would be to ask if you are using rfc2307 attributes and if so,
does Domain Admins have a gidNumber attribute ?

Rowland

Hi Rowland, all,

Am 25.04.2024 um 17:24 schrieb Rowland Penny via samba:
> On Thu, 25 Apr 2024 16:55:55 +0200
> Jakob Curdes via samba<samba at lists.samba.org>  wrote:
>
>> .. we setup 2 new DCs replacing older DCs and joined them to the
>> domain, then decommissioned the old DCs. I now discover that I cannot
>> edit the GPO objects anymore.
>> "sysvolcheck" shows no errors. I read through some
documentation but
>> it sounds outdated to me. Any hints where I would start looking? Who
>> should normally be the owner of the sysvol directory itself?
>>
>> What I find strange is that on a domain member, getent group shows me
>> all Domain groups, while on the DC these are not shown.
>> But that might be totally unrelated.
>>
>> Any hints?
>>
> Without more info, Anything would be guess work, but a guess in the
> dark would be to ask if you are using rfc2307 attributes and if so,
> does Domain Admins have a gidNumber attribute ?
>
> Rowland
Yes, we are using rfc2307 attributes, and I do not see a gidNumber 
attribute in the properties of the "Domain Admins" group.
To be honest, I never understood this gid / rfc2307 problem completely, 
although there are descriptions out there.

The group ID of the sysvol entry is "3000000", while on the domain 
member, the Domain Admin group has the group ID "300512".

The relevant portion of the DC config is:

[global] netbios name = XXX realm = XXXX.yyyy.ZZ server role = active 
directory domain controller dns forwarder = X,Y workgroup = ZZ 
idmap_ldb:use rfc2307 = yes template shell = /bin/bash winbind use 
default domain = true winbind offline logon = false winbind nss info = 
rfc2307 winbind enum users = yes winbind enum groups = yes winbind 
nested groups = Yes server schannel = yes [sysvol] path = 
/var/lib/samba/sysvol read only = No

So what do I need to change?

Regards, Jakob