I have a small AD forest of two Windows 2008 R2 domain controllers. I would like to add a Samba 4 DC to this forest. After running into some problems with group policies, I realized that Samba 4 does not currently implement file replication. I would like to have the Samba 4 domain controller replicate the user/computer schema with the Windows machines, but I would like DNS and group policy administration to happen strictly on the Windows machines. Is this possible?

If I don't do any manual replication to the Samba 4 machine, will client machines occasionally pick the S4 box when logging in and attempt to mount the SYSVOL share from it? Because that would come up empty and fail. Is it possible to restrict logins to only certain DCs?

Thanks!

--
View this message in context: http://samba.2283325.n4.nabble.com/Restricting-DC-Roles-tp4639427.html
Sent from the Samba - General mailing list archive at Nabble.com.
On Thu, 2012-10-25 at 07:19 -0700, zbethel wrote:
> I have a small AD forest of two Windows 2008 R2 domain controllers. I would
> like to add a Samba 4 DC to this forest. After running into some problems
> with group policies, I realized that Samba 4 does not currently implement
> file replication. I would like to have the Samba 4 domain controller
> replicate the user/computer schema with the Windows machines, but I would like
> DNS and group policy administration to happen strictly on the Windows
> machines. Is this possible?
>
> If I don't do any manual replication to the Samba 4 machine, will client
> machines occasionally pick the S4 box when logging in and attempt to mount
> the SYSVOL share from it? Because that would come up empty and fail. Is it
> possible to restrict logins to only certain DCs?

No, it's not possible to do this.

We know this is a major limitation, and our only suggestion is to manually replicate the sysvol share. Sadly we don't have a tool for that either.

We know this is not a great situation, but it just hasn't been possible to handle yet.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Okay, I copied the files over and ran those two commands. Both of them returned nothing (which I assume is a good thing?) and the file permissions appear to have extended ACLs in the sysvol folder. So I'm assuming that worked.

However, when my Windows client attempts to `gpupdate /force` (as the domain admin) from the samba machine, I get the following error message for the computer policy:

"The processing of Group Policy failed. Windows attempted to read the file \\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled."

The user policy gets applied just fine.

When I look in the event viewer, I get error code 5 with "Access is Denied" as the description. The same event has a DCName field which points at the samba machine, so I know that it's trying to talk to samba. I can mount the sysvol share manually as the domain administrator and see all the files just fine.

Any idea what might be going on?

Thanks,
Zach.

________________________________________
From: Andrew Bartlett [abartlet at samba.org]
Sent: Thursday, October 25, 2012 7:18 PM
To: Bethel, Zach
Subject: Re: [Samba] Restricting DC Roles?

On Thu, 2012-10-25 at 23:16 +0000, Bethel, Zach wrote:
> Fair enough, are there special permissions needed for that data on the samba
> side, or can I mount the sysvol share on my Windows DC as the Domain
> Administrator and copy/paste those files directly? (or through a script,
> obviously).

Copy the files, then run 'samba-tool ntacl sysvolreset'. That will (modulo bugs) fix the ACLs back to be correct.
If your script on the windows side uses an ACL-preserving copy, that should be good too. 'samba-tool ntacl sysvolcheck' will tell you if it worked.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
On Fri, 2012-10-26 at 16:56 +0000, Bethel, Zach wrote:
> Okay, I copied the files over and ran those two commands. Both of them
> returned nothing (which I assume is a good thing?) and the file permissions
> appear to have extended ACLs in the sysvol folder. So I'm assuming that
> worked.
>
> However, when my Windows client attempts to `gpupdate /force` (as the domain
> admin) from the samba machine, I get the following error message for the
> computer policy:
>
> "The processing of Group Policy failed. Windows attempted to read the file
> \\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from
> a domain controller and was not successful. Group Policy settings may not be
> applied until this event is resolved. This issue may be transient and could
> be caused by one or more of the following:
>
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled."
>
> The user policy gets applied just fine.
> When I look in the event viewer, I get error code 5 with "Access is Denied"
> as the description. The same event has a DCName field which points at the
> samba machine, so I know that it's trying to talk to samba. I can mount the
> sysvol share manually as the domain administrator and see all the files
> just fine.
>
> Any idea what might be going on?

This fix I just put in master is almost certainly for this problem.

If it doesn't apply, then just run sh -c 'umask 0 && samba-tool ntacl sysvolreset' to remove the umask for the duration of this operation.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-pysmbd-Set-umask-to-0-during-smbd-operations.patch
Type: text/x-patch
Size: 3679 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20121027/0d4e2fab/attachment.bin>
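The manual SYSVOL replication Andrew describes (copy the files, run 'samba-tool ntacl sysvolreset', confirm with 'samba-tool ntacl sysvolcheck') and the umask 0 workaround from his last reply, gathered into one script that can be run from cron on the Samba DC. This is an added example, not code from the thread or from the Samba project. Assumptions not in the thread: the Windows DC's SYSVOL share is already mounted read-only at the path in SYSVOL_SRC (for instance with mount.cifs), Samba's sysvol directory is the one in SYSVOL_DST, rsync and samba-tool are on PATH, and the SYSVOL_SYNC_RUN switch exists only so the functions can be sourced and checked without touching a live DC.

```shell
#!/bin/sh
# Added example: one-shot SYSVOL mirror from a Windows DC to a Samba 4 DC,
# followed by the ACL reset and check recommended in the thread.
set -eu

SRC="${SYSVOL_SRC:-/mnt/windc/sysvol}"       # assumed CIFS mount of the Windows DC's SYSVOL
DST="${SYSVOL_DST:-/var/lib/samba/sysvol}"   # assumed location of Samba's sysvol directory

# Mirror the policy tree. --delete keeps the Samba copy identical to the
# Windows side; no ACL-preserving flags are needed because the NT ACLs are
# rewritten by samba-tool afterwards.
sync_sysvol() {
    rsync -a --delete "$1/" "$2/"
}

# Run a command with umask 0 for its duration only. This is the workaround
# Andrew gives for Samba builds without the pysmbd umask fix: a restrictive
# umask would otherwise clip the mode bits samba-tool sets on the files.
with_umask0() {
    ( umask 0 && "$@" )
}

reset_sysvol_acls() {
    with_umask0 samba-tool ntacl sysvolreset
}

check_sysvol_acls() {
    samba-tool ntacl sysvolcheck
}

# Cross-check the copy: every Policies/{GUID}/ directory on the Windows side
# must have a gpt.ini on the Samba side, since that is the file the client
# reported it could not read. Prints one GUID per missing policy and
# returns 1 if any are missing, 0 otherwise.
missing_gpt_ini() {
    src="$1"; dst="$2"; missing=0
    for policy in "$src"/*/Policies/*/; do
        [ -d "$policy" ] || continue
        rel="${policy#"$src"/}"
        if [ ! -f "$dst/${rel}gpt.ini" ]; then
            printf '%s\n' "$(basename "$policy")"
            missing=1
        fi
    done
    return $missing
}

main() {
    sync_sysvol "$SRC" "$DST"
    reset_sysvol_acls
    check_sysvol_acls
    if ! missing_gpt_ini "$SRC" "$DST"; then
        echo "sysvol sync incomplete: policies above lack gpt.ini on the Samba DC" >&2
        exit 1
    fi
}

# Only touch the live DC when explicitly asked (assumed switch).
if [ "${SYSVOL_SYNC_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `SYSVOL_SYNC_RUN=1 ./sysvol-sync.sh` after mounting the Windows share. Keeping the umask change inside a subshell means the rest of the script, and anything that runs it, keeps its normal umask; the gpt.ini cross-check catches a partial copy before any client is pointed at the Samba DC's share.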