Richard
2017-Jan-12 12:07 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
I have Samba 4.5.3 working fine as an AD DC and DNS provider.

I now need to set up a group policy on the DC but I am having problems with the internal sysvol and netlogon shares.

Via the Windows Group Policy Manager snap-in I successfully created a GPO specifying the DC as the primary time source for all clients, using the Administrator user

...but my Windows domain test client "ignores" the new policy completely and in the event log on the client I see the following:

  The processing of Group Policy failed. Windows attempted to read the file
  \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
  <file://mydomain.com/sysvol/mydomain.com/Policies/%7b31B2F340-016D-11D2-945F-00C04FB984F9%7d/gpt.ini>
  from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

  a) Name Resolution/Network Connectivity to the current domain controller.
  b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
  c) The Distributed File System (DFS) client has been disabled.

On further investigation on the domain controller itself:

  smbclient //localhost/sysvol -UAdministrator -c 'ls'

returns a valid directory listing, but running the same command for any other valid domain account returns:

  Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
  NT_STATUS_ACCESS_DENIED listing \*

...so it appears that normal domain accounts are unable to access the sysvol share, which would explain the error returned by the Windows client. (The same applies to the netlogon share.)

Among other things, I have run:

  samba-tool ntacl sysvolreset

but the problem persists.

So it appears there is something wrong with the permissions on these shares but I am at my wits' end trying to correct the issue.

Any help would be greatly appreciated!

Thanks in advance

Richard
Ryan Ashley
2017-Jan-12 15:19 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
I just want to throw my hat into the ring here. I have been having this problem for two years or more on some domains. Using a sysvolreset does not work and using sysvolcheck reports no issues, but the gpt.ini claims to be unreadable according to the event log. However, as a normal or admin user I can read the log. The "domain computers" group does have read access to the sysvol.

The only fix I have EVER found was to completely remove Samba and configuration files, rebuild, join as a DC to the existing domain, and after it syncs up, do the same on the other DC. If you only have one DC, good luck! I will be following this thread.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/12/2017 07:07 AM, Richard via samba wrote:
> I have Samba 4.5.3 working fine as an AD DC and DNS provider.
>
> I now need to set up a group policy on the DC but I am having problems with
> the internal sysvol and netlogon shares.
>
> Via the Windows Group Policy Manager snap-in I successfully created a GPO
> specifying the DC as the primary time source for all clients, using the
> Administrator user
>
> ...but my Windows domain test client "ignores" the new policy completely and
> in the event log on the client I see the following:
>
> The processing of Group Policy failed. Windows attempted to read the file
> \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
> <file://mydomain.com/sysvol/mydomain.com/Policies/%7b31B2F340-016D-11D2-945F-00C04FB984F9%7d/gpt.ini>
> from a domain controller and was not successful.
> Group Policy settings may not be applied until this event is resolved. This
> issue may be transient and could be caused by one or more of the following:
>
> a) Name Resolution/Network Connectivity to the current domain controller.
>
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
>
> c) The Distributed File System (DFS) client has been disabled.
>
> On further investigation on the domain controller itself:
>
> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>
> returns a valid directory listing, but running the same command for any
> other valid domain account returns:
>
> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
>
> NT_STATUS_ACCESS_DENIED listing \*
>
> ...so it appears that normal domain accounts are unable to access the sysvol
> share, which would explain the error returned by the Windows client. (The
> same applies to the netlogon share.)
>
> Among other things, I have run:
>
> samba-tool ntacl sysvolreset
>
> but the problem persists.
>
> So it appears there is something wrong with the permissions on these shares
> but I am at my wits' end trying to correct the issue.
>
> Any help would be greatly appreciated!
>
> Thanks in advance
>
> Richard
lingpanda101
2017-Jan-12 16:07 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
On 1/12/2017 7:07 AM, Richard via samba wrote:
> I have Samba 4.5.3 working fine as an AD DC and DNS provider.
>
> I now need to set up a group policy on the DC but I am having problems with
> the internal sysvol and netlogon shares.
>
> Via the Windows Group Policy Manager snap-in I successfully created a GPO
> specifying the DC as the primary time source for all clients, using the
> Administrator user
>
> ...but my Windows domain test client "ignores" the new policy completely and
> in the event log on the client I see the following:
>
> The processing of Group Policy failed. Windows attempted to read the file
> \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
> <file://mydomain.com/sysvol/mydomain.com/Policies/%7b31B2F340-016D-11D2-945F-00C04FB984F9%7d/gpt.ini>
> from a domain controller and was not successful.
> Group Policy settings may not be applied until this event is resolved. This
> issue may be transient and could be caused by one or more of the following:
>
> a) Name Resolution/Network Connectivity to the current domain controller.
>
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
>
> c) The Distributed File System (DFS) client has been disabled.
>
> On further investigation on the domain controller itself:
>
> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>
> returns a valid directory listing, but running the same command for any
> other valid domain account returns:
>
> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
>
> NT_STATUS_ACCESS_DENIED listing \*
>
> ...so it appears that normal domain accounts are unable to access the sysvol
> share, which would explain the error returned by the Windows client. (The
> same applies to the netlogon share.)
>
> Among other things, I have run:
>
> samba-tool ntacl sysvolreset
>
> but the problem persists.
>
> So it appears there is something wrong with the permissions on these shares
> but I am at my wits' end trying to correct the issue.
>
> Any help would be greatly appreciated!
>
> Thanks in advance
>
> Richard

It looks as if you are trying to modify the default domain policy GPO? I normally don't touch that policy but create additional ones. What is the output of

  getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/

Can you create a new GPO with your settings and check the permissions again?

--
- James
Richard
2017-Jan-12 16:41 UTC
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies
Hi Andrew, thanks so much for the feedback.

Yes, you're 100% right. I'm new at this and originally changed the default GPO, however subsequently reset the default and created a new GPO. (So this getfacl output is post creation of a new GPO.)

The getfacl output is shown here:

  # getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
  getfacl: Removing leading '/' from absolute path names
  # file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
  # owner: root
  # group: 10013
  user::rwx
  user:root:rwx
  user:3000002:rwx
  user:3000003:r-x
  user:3000006:rwx
  user:3000010:r-x
  group::rwx
  group:10013:rwx
  group:10014:r-x
  group:3000002:rwx
  group:3000003:r-x
  group:3000006:rwx
  group:3000010:r-x
  mask::rwx
  other::---
  default:user::rwx
  default:user:root:rwx
  default:user:3000002:rwx
  default:user:3000003:r-x
  default:user:3000006:rwx
  default:user:3000010:r-x
  default:group::---
  default:group:10013:rwx
  default:group:10014:r-x
  default:group:3000002:rwx
  default:group:3000003:r-x
  default:group:3000006:rwx
  default:group:3000010:r-x
  default:mask::rwx
  default:other::---

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: 12 January 2017 18:07
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On 1/12/2017 7:07 AM, Richard via samba wrote:
> I have Samba 4.5.3 working fine as an AD DC and DNS provider.
>
> I now need to set up a group policy on the DC but I am having problems
> with the internal sysvol and netlogon shares.
>
> Via the Windows Group Policy Manager snap-in I successfully created a
> GPO specifying the DC as the primary time source for all clients,
> using the Administrator user
>
> ...but my Windows domain test client "ignores" the new policy
> completely and in the event log on the client I see the following:
>
> The processing of Group Policy failed. Windows attempted to read the file
> \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
> <file://mydomain.com/sysvol/mydomain.com/Policies/%7b31B2F340-016D-11D2-945F-00C04FB984F9%7d/gpt.ini>
> from a domain controller and was not successful.
> Group Policy settings may not be applied until this event is resolved.
> This issue may be transient and could be caused by one or more of the following:
>
> a) Name Resolution/Network Connectivity to the current domain controller.
>
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
>
> c) The Distributed File System (DFS) client has been disabled.
>
> On further investigation on the domain controller itself:
>
> smbclient //localhost/sysvol -UAdministrator -c 'ls'
>
> returns a valid directory listing, but running the same command for
> any other valid domain account returns:
>
> Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
>
> NT_STATUS_ACCESS_DENIED listing \*
>
> ...so it appears that normal domain accounts are unable to access the
> sysvol share, which would explain the error returned by the Windows
> client. (The same applies to the netlogon share.)
>
> Among other things, I have run:
>
> samba-tool ntacl sysvolreset
>
> but the problem persists.
>
> So it appears there is something wrong with the permissions on these
> shares but I am at my wits' end trying to correct the issue.
>
> Any help would be greatly appreciated!
>
> Thanks in advance
>
> Richard

It looks as if you are trying to modify the default domain policy GPO? I normally don't touch that policy but create additional ones. What is the output of

  getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/

Can you create a new GPO with your settings and check the permissions again?

--
- James
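Added example, not part of the original thread: a small parser for the getfacl output posted in the message above. It groups the named numeric IDs by effective rights and lists entries whose inherited default differs from the directory's own ACL; because the listing ends in `other::---`, an account passes the POSIX ACL layer only if it maps to the owner or one of these IDs. The function names are illustrative.

```python
# Constructed sample: ACL entries copied from the getfacl output in the thread,
# space-separated as on the archive page (the parser also accepts one per line).
SAMPLE = (
    "user::rwx user:root:rwx user:3000002:rwx user:3000003:r-x user:3000006:rwx "
    "user:3000010:r-x group::rwx group:10013:rwx group:10014:r-x group:3000002:rwx "
    "group:3000003:r-x group:3000006:rwx group:3000010:r-x mask::rwx other::--- "
    "default:user::rwx default:user:root:rwx default:user:3000002:rwx "
    "default:user:3000003:r-x default:user:3000006:rwx default:user:3000010:r-x "
    "default:group::--- default:group:10013:rwx default:group:10014:r-x "
    "default:group:3000002:rwx default:group:3000003:r-x default:group:3000006:rwx "
    "default:group:3000010:r-x default:mask::rwx default:other::---"
)

def parse_getfacl(text):
    """Split getfacl output into access and default ACLs keyed by (tag, id)."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        for entry in line.split("#", 1)[0].split():  # drop "# file:" style comments
            scope = "default" if entry.startswith("default:") else "access"
            tag, ident, perms = entry.split(":")[-3:]
            acl[scope][(tag, ident)] = perms
    return acl

def effective(tag, ident, perms, mask):
    """Apply the mask, which caps named users, named groups and the owning group."""
    if tag in ("mask", "other") or (tag == "user" and not ident):
        return perms
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def named_rights(acl, scope="access"):
    """Group named IDs by effective rights, e.g. {'r-x': ['group:10014', ...]}."""
    entries = acl[scope]
    mask = entries.get(("mask", ""), "rwx")
    rights = {}
    for (tag, ident), perms in entries.items():
        if ident:
            rights.setdefault(effective(tag, ident, perms, mask), []).append(f"{tag}:{ident}")
    return rights

def inheritance_gaps(acl):
    """Entries whose default (inherited) rights differ from the directory's own."""
    return {k: (v, acl["default"].get(k)) for k, v in acl["access"].items()
            if acl["default"].get(k) != v}

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    for perms, ids in named_rights(acl).items():
        print(perms, ids)
    print("access vs default:", inheritance_gaps(acl))
```

Each numeric ID in the result can then be mapped back to a domain SID on the DC with `wbinfo --uid-to-sid` or `wbinfo --gid-to-sid` to see which domain principals the entries stand for.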