samba - May 2015 - After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore

Thanks Luis

I've changed the smb.conf as you said, now it looks like this:


root at ccdc-samba4:~# cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = CCDC
        realm = CCDC.LAN
        netbios name = CCDC-SAMBA4
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 9.0.138.50
        auth methods = sam, winbind

[netlogon]
        path = /var/lib/samba/sysvol/ccdc.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
root at ccdc-samba4:~#


however from the windows machine when i try to update the group policies, I
am now getting this errors:



Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.CCDC>gpupdate /force
Updating Policy...

User policy could not be updated successfully. The following errors were
encount
ered:

The processing of Group Policy failed. Windows attempted to read the file
\\ccdc
.lan\sysvol\ccdc.lan\Policies
\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
m a domain controller and was not successful. Group Policy settings may not
be a
pplied until this event is resolved. This issue may be transient and could
be ca
used by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain
controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors
were enc
ountered:

The processing of Group Policy failed. Windows attempted to read the file
\\ccdc
.lan\sysvol\ccdc.lan\Policies
\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
m a domain controller and was not successful. Group Policy settings may not
be a
pplied until this event is resolved. This issue may be transient and could
be ca
used by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain
controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html f
rom the command line to access information about Group Policy results.

C:\Users\Administrator.CCDC>





I'm still unable to login with normal users via RDP


___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

(Embedded image moved to file: pic16312.gif)



From:	"L.P.H. van Belle" <belle at bazuin.nl>
To:	"samba at lists.samba.org" <samba at lists.samba.org>
Cc:	Mario Pio Russo/Ireland/IBM at IBMIE
Date:	01/05/2015 13:55
Subject:	RE: [Samba] After the classicupgrade from samba3 to
            sernet-samba-4.2.1 , users are not able to remote desktop
            anymore



correct.

bug still exists, just tested also on latest git master.
see : https://bugzilla.samba.org/show_bug.cgi?id=11061


temp solution.

try adding :
auth methods = sam, winbind
to smb.conf on the dc and restart the DC.


Greetz,

Louis

>-----Oorspronkelijk bericht-----
>Van: mariopiorusso at ie.ibm.com
>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo
>Verzonden: vrijdag 1 mei 2015 14:51
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] After the classicupgrade from samba3 to
>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>
>
>Good Day All
>
>I have a current working configuration of sernet-samba-4.2.1,
>created by
>upgrading from a samba3 PDC using the classic upgrade.
>
>Now, I have added a windows 2008 machine to the domain and I'm
>using the AD
>snap in tools in order to browse the domain.
>
>I can see all the users and groups and they have been imported
>correctly.
>However I am able to remote desktop to the domain machines
>only with the
>user "Administrator at ccdc.lan"; no other user is able to RDP.
>Furthermore I am able to add machines to the domain only form the users
>Administrator, and not from any other user. I have been using the Group
>Policy Manager from the window  administrative tool in order
>to grant logon
>rights to all the users belonging to the Domain User group;
>furthermore I
>have added the users to the group Remote Desktop users, but
>still I have no
>success at all. at the moment the group policies looks like this:
>
>root at ccdc-samba4:/# samba-tool gpo listall
>GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
>display name : Default Domain Policy
>path         : \\ccdc.lan\sysvol\ccdc.lan\Policies
>\{31B2F340-016D-11D2-945F-00C04FB984F9}
>dn           :
CN>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
>=ccdc,DC=lan
>version      : 3
>flags        : NONE
>
>GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>display name : Default Domain Controllers Policy
>path         : \\ccdc.lan\sysvol\ccdc.lan\Policies
>\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>dn           :
CN>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
>=ccdc,DC=lan
>version      : 7
>flags        : NONE
>
>
>while from the GPM looks like this:
>
>(Embedded image moved to file: pic08924.gif)
>
>
>
>I have also run gpupdate /force from he windows machine and If I do
>samba-tool gpo fetch <Domain Policy> I am able to see the
>changes I have
>done from the windows snap in
>
>
>I am unsure now where the problem lies, are the GPO I have
>modified being
>applied correctly on samba 4 OR is the GPO itself that is not
>configured
>correctly in order to allow RDP (and add machine to domain)?
>Or any other
>issue?
>
>Note that all this was working correctly when I did the same
>test upgrade
>from samba 3 to samba 4.1.6
>
>also I am able to login to every machine in the domain using
>my domain user
>when logging in locally.
>
>Any idea / suggestion?
>
>
>thanks!
>
>_______________________________________________________________
>____________________________
>
>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>FAX: +353 1
>815 2236, eMail: mariopiorusso at ie.ibm.com
>IBM Ireland Product Distribution Limited registered in Ireland
>with number
>92815. Registered Office: IBM House, Shelbourne Road,
>Ballsbridge, Dublin 4
>
>(Embedded image moved to file: pic19418.gif)--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>

2015-05-01 15:08 GMT+02:00 Mario Pio Russo <mariopiorusso at ie.ibm.com>:
> Thanks Luis
>
> I've changed the smb.conf as you said, now it looks like this:
>
>
> root at ccdc-samba4:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = CCDC
>         realm = CCDC.LAN
>         netbios name = CCDC-SAMBA4
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 9.0.138.50
>         auth methods = sam, winbind
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ccdc.lan/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> root at ccdc-samba4:~#
>
>
> however from the windows machine when i try to update the group policies, I
> am now getting this errors:
>
>
>
> Microsoft Windows [Version 6.1.7601]
> Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
>
> C:\Users\Administrator.CCDC>gpupdate /force
> Updating Policy...
>
> User policy could not be updated successfully. The following errors were
> encount
> ered:
>
> The processing of Group Policy failed. Windows attempted to read the file
> \\ccdc
> .lan\sysvol\ccdc.lan\Policies
> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
> m a domain controller and was not successful. Group Policy settings may not
> be a
> pplied until this event is resolved. This issue may be transient and could
> be ca
> used by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller
>  has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
> Computer policy could not be updated successfully. The following errors
> were enc
> ountered:
>
> The processing of Group Policy failed. Windows attempted to read the file
> \\ccdc
> .lan\sysvol\ccdc.lan\Policies
> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
> m a domain controller and was not successful. Group Policy settings may not
> be a
> pplied until this event is resolved. This issue may be transient and could
> be ca
> used by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller
>  has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
>
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html f
> rom the command line to access information about Group Policy results.
>
> C:\Users\Administrator.CCDC>
>
>
>
>
>
> I'm still unable to login with normal users via RDP
>
>
>
>
___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353
1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
> (Embedded image moved to file: pic16312.gif)
>
>
>
> From:   "L.P.H. van Belle" <belle at bazuin.nl>
> To:     "samba at lists.samba.org" <samba at
lists.samba.org>
> Cc:     Mario Pio Russo/Ireland/IBM at IBMIE
> Date:   01/05/2015 13:55
> Subject:        RE: [Samba] After the classicupgrade from samba3 to
>             sernet-samba-4.2.1 , users are not able to remote desktop
>             anymore
>
>
>
> correct.
>
> bug still exists, just tested also on latest git master.
> see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>
>
> temp solution.
>
> try adding :
> auth methods = sam, winbind
> to smb.conf on the dc and restart the DC.
>
>
> Greetz,
>
> Louis
>
>
> >-----Oorspronkelijk bericht-----
> >Van: mariopiorusso at ie.ibm.com
> >[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo
> >Verzonden: vrijdag 1 mei 2015 14:51
> >Aan: samba at lists.samba.org
> >Onderwerp: [Samba] After the classicupgrade from samba3 to
> >sernet-samba-4.2.1 , users are not able to remote desktop anymore
> >
> >
> >Good Day All
> >
> >I have a current working configuration of sernet-samba-4.2.1,
> >created by
> >upgrading from a samba3 PDC using the classic upgrade.
> >
> >Now, I have added a windows 2008 machine to the domain and I'm
> >using the AD
> >snap in tools in order to browse the domain.
> >
> >I can see all the users and groups and they have been imported
> >correctly.
> >However I am able to remote desktop to the domain machines
> >only with the
> >user "Administrator at ccdc.lan"; no other user is able to
RDP.
> >Furthermore I am able to add machines to the domain only form the users
> >Administrator, and not from any other user. I have been using the Group
> >Policy Manager from the window  administrative tool in order
> >to grant logon
> >rights to all the users belonging to the Domain User group;
> >furthermore I
> >have added the users to the group Remote Desktop users, but
> >still I have no
> >success at all. at the moment the group policies looks like this:
> >
> >root at ccdc-samba4:/# samba-tool gpo listall
> >GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
> >display name : Default Domain Policy
> >path         : \\ccdc.lan\sysvol\ccdc.lan\Policies
> >\{31B2F340-016D-11D2-945F-00C04FB984F9}
> >dn           : CN>
>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
> >=ccdc,DC=lan
> >version      : 3
> >flags        : NONE
> >
> >GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
> >display name : Default Domain Controllers Policy
> >path         : \\ccdc.lan\sysvol\ccdc.lan\Policies
> >\{6AC1786C-016F-11D2-945F-00C04FB984F9}
> >dn           : CN>
>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
> >=ccdc,DC=lan
> >version      : 7
> >flags        : NONE
> >
> >
> >while from the GPM looks like this:
> >
> >(Embedded image moved to file: pic08924.gif)
> >
> >
> >
> >I have also run gpupdate /force from he windows machine and If I do
> >samba-tool gpo fetch <Domain Policy> I am able to see the
> >changes I have
> >done from the windows snap in
> >
> >
> >I am unsure now where the problem lies, are the GPO I have
> >modified being
> >applied correctly on samba 4 OR is the GPO itself that is not
> >configured
> >correctly in order to allow RDP (and add machine to domain)?
> >Or any other
> >issue?
> >
> >Note that all this was working correctly when I did the same
> >test upgrade
> >from samba 3 to samba 4.1.6
> >
> >also I am able to login to every machine in the domain using
> >my domain user
> >when logging in locally.
> >
> >Any idea / suggestion?
> >
> >
> >thanks!
> >
> >_______________________________________________________________
> >____________________________
> >
> >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
> >FAX: +353 1
> >815 2236, eMail: mariopiorusso at ie.ibm.com
> >IBM Ireland Product Distribution Limited registered in Ireland
> >with number
> >92815. Registered Office: IBM House, Shelbourne Road,
> >Ballsbridge, Dublin 4
> >
> >(Embedded image moved to file: pic19418.gif)--
> >To unsubscribe from this list go to the following URL and read the
> >instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

What is the output of "getfacl /var/lib/samba/sysvol"?
mine is:
# file: sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Greetings!!

Hi daniel

here mine:

root at ccdc-samba4:~# getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 544
user::rwx
user:root:rwx
user:3000000:r-x
user:3000001:rwx
user:3000002:r-x
group::rwx
group:544:rwx
group:3000000:r-x
group:3000001:rwx
group:3000002:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:r-x
default:user:3000001:rwx
default:user:3000002:r-x
default:group::---
default:group:544:rwx
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000002:r-x
default:mask::rwx
default:other::---
___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

(Embedded image moved to file: pic15993.gif)



From:	Daniel Carrasco Mar?n <danielmadrid19 at gmail.com>
To:	Mario Pio Russo/Ireland/IBM at IBMIE
Cc:	"L.P.H. van Belle" <belle at bazuin.nl>, "samba at
lists.samba.org"
            <samba at lists.samba.org>
Date:	01/05/2015 14:30
Subject:	Re: [Samba] After the classicupgrade from samba3 to
            sernet-samba-4.2.1 , users are not able to remote desktop
            anymore





2015-05-01 15:08 GMT+02:00 Mario Pio Russo <mariopiorusso at ie.ibm.com>:
  Thanks Luis

  I've changed the smb.conf as you said, now it looks like this:


  root at ccdc-samba4:~# cat /etc/samba/smb.conf
  # Global parameters
  [global]
  ? ? ? ? workgroup = CCDC
  ? ? ? ? realm = CCDC.LAN
  ? ? ? ? netbios name = CCDC-SAMBA4
  ? ? ? ? server role = active directory domain controller
  ? ? ? ? idmap_ldb:use rfc2307 = yes
  ? ? ? ? dns forwarder = 9.0.138.50
  ? ? ? ? auth methods = sam, winbind

  [netlogon]
  ? ? ? ? path = /var/lib/samba/sysvol/ccdc.lan/scripts
  ? ? ? ? read only = No

  [sysvol]
  ? ? ? ? path = /var/lib/samba/sysvol
  ? ? ? ? read only = No
  root at ccdc-samba4:~#


  however from the windows machine when i try to update the group policies,
  I
  am now getting this errors:



  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation.? All rights reserved.

  C:\Users\Administrator.CCDC>gpupdate /force
  Updating Policy...

  User policy could not be updated successfully. The following errors were
  encount
  ered:

  The processing of Group Policy failed. Windows attempted to read the file
  \\ccdc
  .lan\sysvol\ccdc.lan\Policies
  \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
  m a domain controller and was not successful. Group Policy settings may
  not
  be a
  pplied until this event is resolved. This issue may be transient and
  could
  be ca
  used by one or more of the following:
  a) Name Resolution/Network Connectivity to the current domain controller.
  b) File Replication Service Latency (a file created on another domain
  controller
  ?has not replicated to the current domain controller).
  c) The Distributed File System (DFS) client has been disabled.
  Computer policy could not be updated successfully. The following errors
  were enc
  ountered:

  The processing of Group Policy failed. Windows attempted to read the file
  \\ccdc
  .lan\sysvol\ccdc.lan\Policies
  \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
  m a domain controller and was not successful. Group Policy settings may
  not
  be a
  pplied until this event is resolved. This issue may be transient and
  could
  be ca
  used by one or more of the following:
  a) Name Resolution/Network Connectivity to the current domain controller.
  b) File Replication Service Latency (a file created on another domain
  controller
  ?has not replicated to the current domain controller).
  c) The Distributed File System (DFS) client has been disabled.

  To diagnose the failure, review the event log or run GPRESULT /H
  GPReport.html f
  rom the command line to access information about Group Policy results.

  C:\Users\Administrator.CCDC>





  I'm still unable to login with normal users via RDP


 
___________________________________________________________________________________________


  Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
  815 2236, eMail: mariopiorusso at ie.ibm.com
  IBM Ireland Product Distribution Limited registered in Ireland with
  number
  92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin
  4

  (Embedded image moved to file: pic16312.gif)



  From:? ?"L.P.H. van Belle" <belle at bazuin.nl>
  To:? ? ?"samba at lists.samba.org" <samba at lists.samba.org>
  Cc:? ? ?Mario Pio Russo/Ireland/IBM at IBMIE
  Date:? ?01/05/2015 13:55
  Subject:? ? ? ? RE: [Samba] After the classicupgrade from samba3 to
  ? ? ? ? ? ? sernet-samba-4.2.1 , users are not able to remote desktop
  ? ? ? ? ? ? anymore



  correct.

  bug still exists, just tested also on latest git master.
  see : https://bugzilla.samba.org/show_bug.cgi?id=11061


  temp solution.

  try adding :
  auth methods = sam, winbind
  to smb.conf on the dc and restart the DC.


  Greetz,

  Louis


  >-----Oorspronkelijk bericht-----
  >Van: mariopiorusso at ie.ibm.com
  >[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo
  >Verzonden: vrijdag 1 mei 2015 14:51
  >Aan: samba at lists.samba.org
  >Onderwerp: [Samba] After the classicupgrade from samba3 to
  >sernet-samba-4.2.1 , users are not able to remote desktop anymore
  >
  >
  >Good Day All
  >
  >I have a current working configuration of sernet-samba-4.2.1,
  >created by
  >upgrading from a samba3 PDC using the classic upgrade.
  >
  >Now, I have added a windows 2008 machine to the domain and I'm
  >using the AD
  >snap in tools in order to browse the domain.
  >
  >I can see all the users and groups and they have been imported
  >correctly.
  >However I am able to remote desktop to the domain machines
  >only with the
  >user "Administrator at ccdc.lan"; no other user is able to RDP.
  >Furthermore I am able to add machines to the domain only form the users
  >Administrator, and not from any other user. I have been using the Group
  >Policy Manager from the window? administrative tool in order
  >to grant logon
  >rights to all the users belonging to the Domain User group;
  >furthermore I
  >have added the users to the group Remote Desktop users, but
  >still I have no
  >success at all. at the moment the group policies looks like this:
  >
  >root at ccdc-samba4:/# samba-tool gpo listall
  >GPO? ? ? ? ? : {31B2F340-016D-11D2-945F-00C04FB984F9}
  >display name : Default Domain Policy
  >path? ? ? ? ?: \\ccdc.lan\sysvol\ccdc.lan\Policies
  >\{31B2F340-016D-11D2-945F-00C04FB984F9}
  >dn? ? ? ? ? ?: CN 
>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
  >=ccdc,DC=lan
  >version? ? ? : 3
  >flags? ? ? ? : NONE
  >
  >GPO? ? ? ? ? : {6AC1786C-016F-11D2-945F-00C04FB984F9}
  >display name : Default Domain Controllers Policy
  >path? ? ? ? ?: \\ccdc.lan\sysvol\ccdc.lan\Policies
  >\{6AC1786C-016F-11D2-945F-00C04FB984F9}
  >dn? ? ? ? ? ?: CN 
>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
  >=ccdc,DC=lan
  >version? ? ? : 7
  >flags? ? ? ? : NONE
  >
  >
  >while from the GPM looks like this:
  >
  >(Embedded image moved to file: pic08924.gif)
  >
  >
  >
  >I have also run gpupdate /force from he windows machine and If I do
  >samba-tool gpo fetch <Domain Policy> I am able to see the
  >changes I have
  >done from the windows snap in
  >
  >
  >I am unsure now where the problem lies, are the GPO I have
  >modified being
  >applied correctly on samba 4 OR is the GPO itself that is not
  >configured
  >correctly in order to allow RDP (and add machine to domain)?
  >Or any other
  >issue?
  >
  >Note that all this was working correctly when I did the same
  >test upgrade
  >from samba 3 to samba 4.1.6
  >
  >also I am able to login to every machine in the domain using
  >my domain user
  >when logging in locally.
  >
  >Any idea / suggestion?
  >
  >
  >thanks!
  >
  >_______________________________________________________________
  >____________________________
  >
  >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
  >FAX: +353 1
  >815 2236, eMail: mariopiorusso at ie.ibm.com
  >IBM Ireland Product Distribution Limited registered in Ireland
  >with number
  >92815. Registered Office: IBM House, Shelbourne Road,
  >Ballsbridge, Dublin 4
  >
  >(Embedded image moved to file: pic19418.gif)--
  >To unsubscribe from this list go to the following URL and read the
  >instructions:? https://lists.samba.org/mailman/options/samba
  >




  --
  To unsubscribe from this list go to the following URL and read the
  instructions:? https://lists.samba.org/mailman/options/samba


What is the output of "getfacl /var/lib/samba/sysvol"?
mine is:
# file: sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Greetings!!