Yes, I performed tests on both DCs. The 2 DCs are working normally. The sysvolreset works on both DCs after I disabled full_audit. The gpupdate /force works perfectly.
And also through RSAT, I no longer get a permission error when I edit any GPO.

If this is a bug, who can I inform / report it to?

What I find strange on the DCs is when I view the sysvol permissions. DC2 shows the name of the domain / group or user, but DC1 shows only the UID of the object:

DC2:
# getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:DOMAIN\134domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:DOMAIN\134domain\040admins:rwx
default:mask::rwx
default:other::---

DC1:
# getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:3000010:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000010:rwx
default:mask::rwx
default:other::---

> And you did test against both DCs' sysvols?
> If not, set preferred server in GPO and test against all DCs.
> If it keeps working you found a bug.

On 10/5/2016 11:20 AM, Ricardo Pardim Claus via samba wrote:
> Yes, I performed tests on both DCs. The 2 DCs are working normally. The sysvolreset works on both DCs after I disabled full_audit. The gpupdate /force works perfectly.
> And also through RSAT, I no longer get a permission error when I edit any GPO.
>
> If this is a bug, who can I inform / report it to?
>
> What I find strange on the DCs is when I view the sysvol permissions. DC2 shows the name of the domain / group or user, but DC1 shows only the UID of the object:
>
> DC2:
> # getfacl /usr/local/samba/var/locks/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> group::r-x
> group:root:r-x
> group:DOMAIN\134domain\040admins:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:DOMAIN\134domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> DC1:
> # getfacl /usr/local/samba/var/locks/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::r-x
> group:root:r-x
> group:3000010:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:3000010:rwx
> default:mask::rwx
> default:other::---
>
>> And you did test against both DCs' sysvols?
>> If not, set preferred server in GPO and test against all DCs.
>> If it keeps working you found a bug.

Did you specify winbind in /etc/nsswitch.conf on DC2?

passwd: files winbind
group: files winbind

--
-James

Dear James,

The settings of the /etc/nsswitch.conf file:

DC1:

passwd: files sss
group: files sss

DC2:

passwd: files winbind
group: files winbind

Which of the DCs has the correct setting?

> Did you specify winbind in /etc/nsswitch.conf on DC2?
> passwd: files winbind
> group: files winbind
> --
> -James

On 10/5/2016 12:52 PM, Ricardo Pardim Claus wrote:
> Dear James,
>
> The settings of the /etc/nsswitch.conf file:
>
> DC1:
>
> passwd: files sss
> group: files sss
>
> DC2:
>
> passwd: files winbind
> group: files winbind
>
> Which of the DCs has the correct setting?
>
>> Did you specify winbind in /etc/nsswitch.conf on DC2?
>> passwd: files winbind
>> group: files winbind
>> --
>> -James

There isn't necessarily a right or wrong setting. It looks as if DC1 is using SSSD and DC2 is using winbind. Did you set up both of these DCs or did you inherit them?

--
-James
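
An added example, not part of the thread and not Samba's own tooling: a small Python check that parses the two getfacl listings posted above, reports which IDs were printed numerically (getfacl prints the number when the host's NSS configuration returns no name for it), and confirms that the permissions themselves are laid out identically on both DCs. The function names are hypothetical and the sample input is constructed from the listings in the thread.

```python
import re

# Constructed input: access entries of the two getfacl listings in the thread
# (the default: entries are left out to keep the sample short).
DC2_ACL = r"""# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:DOMAIN\134domain\040admins:rwx
mask::rwx
other::r-x
"""
DC1_ACL = r"""# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:3000010:rwx
mask::rwx
other::r-x
"""

def unescape(name):
    # getfacl writes backslash and space inside names as octal (\134, \040).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_acl(text):
    """Return ({'owner': .., 'group': ..}, [(tag, qualifier, perms), ...])."""
    header, entries = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            header[line[2:7]] = unescape(line[8:].strip())
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.rsplit(":", 2)
            entries.append((tag, unescape(qualifier), perms))
    return header, entries

def unresolved_ids(text):
    """IDs that getfacl printed as numbers because NSS returned no name."""
    header, entries = parse_acl(text)
    seen = list(header.values()) + [q for _, q, _ in entries]
    return sorted({q for q in seen if q.isdigit()})

def same_shape(a, b):
    """True if tags and permissions match entry for entry, ignoring names."""
    shape = lambda t: [(tag, bool(q), perms) for tag, q, perms in parse_acl(t)[1]]
    return shape(a) == shape(b)
```

The check does not map a numeric ID to a name; it only shows that the difference between the two listings is in name resolution, not in the permission bits.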