Have you tried samba-tool ntacl sysvolreset yet?
Ricky
On Mar 29, 2013 2:16 PM, "Pavel Valach" <valach.pavel at outlook.com> wrote:
> Hello,
> I'm having one strange issue with latest stable Samba 4.0.4. I'm testing
> it as a domain controller for two virtual machines.
> The Samba AD DC is Debian stable, with two domain members - Windows XP Pro
> and trial Windows 8 Enterprise.
> User configuration using GPOs is working as expected. However, Computer
> configuration is never applied properly. Event logs show this entry:
> ------
> Source: GroupPolicy (Microsoft-Windows-GroupPolicy)
> Event ID: 1058
> EventData
> SupportInfo1 4
> SupportInfo2 820
> ProcessingMode 0
> ProcessingTimeInMilliseconds 516
> ErrorCode 5
> ErrorDescription Access is denied.
> DCName debian-server.gym.internal
> GPOCNName cn={CE7B09A1-D85A-4A40-9C2F-3DD0DA013345},cn=policies,cn=system,DC=gym,DC=internal
> FilePath \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
> The processing of Group Policy failed. Windows attempted to read the file
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
> from a domain controller and was not successful. Group Policy settings may
> not be applied until this event is resolved. This issue may be transient
> and could be caused by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
> ------
> a) Name resolution works, gym.internal is accessible and DNS query for
> gym.internal returns correct result.
> b) File gpt.ini is readable with following content:
> ------
> [General]
> Version=3
> displayName=Nov? objekt z?sad skupiny
> ------
> c) Distributed File System is not enabled on my VMs.
> I'm suspecting a possible problem with permissions. I have already tried
> to:
> 1) link GPO to the proper domain / OU
> 2) reboot computer several times
> 3) set various permissions for various people
> Currently I have two GPOs which modify computer settings. "Default Domain
> Policy" and "Nejaka nastaveni pro ucebnu". Neither of them shows up in the
> GPRESULT report. "Default Domain Policy" modifies both user and computer
> configuration, "Nejaka nastaveni pro ucebnu" modifies only computer
> configuration.
> Permissions for "Nejaka nastaveni pro ucebnu":
> - Authenticated Users - Read (from Security Filtering) - Not Inherited
> - Domain Admins - Edit settings, delete, modify security - Not Inherited
> - Enterprise Admins - Edit settings, delete, modify security - Not Inherited
> - ServerLogon - Read - Not Inherited
> - SYSTEM - Edit settings, delete, modify security - Not Inherited
> Here is result of GPRESULT /R command that ran on the Win8 VM. On Windows
> XP, Computer Settings had N/A security groups - which is weird.
> RSOP data for GYM\valachp on UC01-TEST : Logging Mode
> ------------------------------------------------------
> OS Configuration: Member Workstation
> OS Version: 6.2.9200
> Site Name: N/A
> Roaming Profile: N/A
> Local Profile: C:\Users\valachp
> Connected over a slow link?: No
> COMPUTER SETTINGS
> ------------------
> CN=UC01-TEST,OU=Ucebny,DC=gym,DC=internal
> Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
> Group Policy was applied from: debian-server.gym.internal
> Group Policy slow link threshold: 500 kbps
> Domain Name: WINDOWS-UJ49S6B
> Domain Type: WindowsNT 4
> Applied Group Policy Objects
> -----------------------------
> N/A
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Local Group Policy
> Filtering: Not Applied (Empty)
> The computer is a part of the following security groups
> -------------------------------------------------------
> System Mandatory Level
> Everyone
> BUILTIN\Users
> NT AUTHORITY\SERVICE
> CONSOLE LOGON
> NT AUTHORITY\Authenticated Users
> This Organization
> BDESVC
> BITS
> CertPropSvc
> DsmSvc
> Eaphost
> hkmsvc
> IKEEXT
> iphlpsvc
> LanmanServer
> MMCSS
> MSiSCSI
> NcaSvc
> RasAuto
> RasMan
> RemoteAccess
> Schedule
> SCPolicySvc
> SENS
> SessionEnv
> SharedAccess
> ShellHWDetection
> SystemEventsBroker
> wercplsupport
> Winmgmt
> wlidsvc
> wuauserv
> LOCAL
> BUILTIN\Administrators
> USER SETTINGS
> --------------
> CN=Pavel Valach,CN=Users,DC=gym,DC=internal
> Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
> Group Policy was applied from: debian-server.gym.internal
> Group Policy slow link threshold: 500 kbps
> Domain Name: GYM
> Domain Type: Windows 2000
> Applied Group Policy Objects
> -----------------------------
> Default Domain Policy
> Z?sady pro studenty
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Local Group Policy
> Filtering: Not Applied (Empty)
> The user is a part of the following security groups
> ---------------------------------------------------
> Domain Users
> Everyone
> BUILTIN\Users
> NT AUTHORITY\INTERACTIVE
> CONSOLE LOGON
> NT AUTHORITY\Authenticated Users
> This Organization
> LOCAL
> Studenti
> Medium Mandatory Level
> Well, I think that's enough for now... I'd very much appreciate it if someone
> could take a look at this. I hope it's just me overlooking something so
> simple.
> If you need any other information, please let me know.
> Thanks and best regards
> -Pavel