Hi Louis, On Fri, 6 Sep 2019, L.P.H. van Belle via samba wrote:> Hai, > > Try the script, make backups of you sysvol first. > > The script shows the correct settings, these are duplicated from a windows 2008R2 server. > > But here you go, the ms link to verify your settings. > https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-thThanks for the link. I like pictures. :-)> > But i must also say, start with upgrading you samba-ad-dc's.I plan to upgrade but I was thinking I should fix the sysvol problems before making more changes. Are you saying I should upgrade first? Is there a compelling reason to upgrade past 4.9.latest at this time? Regards, -- Tom me at tdiehl.org> > > Greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom >> Diehl via samba >> Verzonden: vrijdag 6 september 2019 16:09 >> Aan: samba at lists.samba.org >> Onderwerp: [Samba] Sysvol reset >> >> Hi, >> >> I have a domain with 2 self compiled samba DCs one is running >> 4.7.12 and >> the other is running 4.8.12. The plan is to upgrade both DCs >> to at least 4.9 >> and at some point 4.10. >> >> I am having a problem with group policy not working. I >> suspect there is a >> permission problem with the sysvol (This was once a windows >> 2008 domain). In >> searching I found >> https://wiki.samba.org/index.php/Sysvolreset. Given that this >> was written more than year ago, I am wondering if the advice >> and script in >> that link are still valid or is there a better/different way to verify >> permissions on the sysvol? >> >> Based on the above article the permissions on the sysvol look >> really wrong. >> >> Regards, >> >> -- >> Tom me at tdiehl.org >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> > > >
On 06/09/2019 17:05, Tom Diehl via samba wrote:> Hi Louis, > > On Fri, 6 Sep 2019, L.P.H. van Belle via samba wrote: > >> Hai, >> >> Try the script, make backups of you sysvol first. >> >> The script shows the correct settings, these are duplicated from a >> windows 2008R2 server. >> >> But here you go, the ms link to verify your settings. >> https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th >> > > Thanks for the link. I like pictures. :-) > >> >> But i must also say, start with upgrading you samba-ad-dc's. > > I plan to upgrade but I was thinking I should fix the sysvol problems > before > making more changes. Are you saying I should upgrade first? Is there a > compelling reason to upgrade past 4.9.latest at this time? > > Regards, >Samba has three levels of support for each minor version, spread over 18 months: Fully supported for first six months Maintenance fixes for the next six months Security fixes only for the last six months 4.9.x is in maintenance mode at the moment, but 4.11.0 is fairly imminent and, when it is released, 4.9.x will drop into security fixes only (4.8.x will go EOL at this time) That is the reason to upgrade to the highest version possible, plus you will get numerous fixes that have been added to 4.10.x Rowland
On Fri, 6 Sep 2019, Rowland penny via samba wrote:> On 06/09/2019 17:05, Tom Diehl via samba wrote: >> Hi Louis, >> >> On Fri, 6 Sep 2019, L.P.H. van Belle via samba wrote: >> >>> Hai, >>> >>> Try the script, make backups of you sysvol first. >>> >>> The script shows the correct settings, these are duplicated from a >>> windows 2008R2 server. >>> >>> But here you go, the ms link to verify your settings. >>> https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th >>> >> >> Thanks for the link. I like pictures. :-) >> >>> >>> But i must also say, start with upgrading you samba-ad-dc's. >> >> I plan to upgrade but I was thinking I should fix the sysvol problems >> before >> making more changes. Are you saying I should upgrade first? Is there a >> compelling reason to upgrade past 4.9.latest at this time? >> >> Regards, >> > Samba has three levels of support for each minor version, spread over 18 > months: > > Fully supported for first six months > > Maintenance fixes for the next six months > > Security fixes only for the last six months > > 4.9.x is in maintenance mode at the moment, but 4.11.0 is fairly imminent > and, when it is released, 4.9.x will drop into security fixes only (4.8.x > will go EOL at this time) > > That is the reason to upgrade to the highest version possible, plus you will > get numerous fixes that have been added to 4.10.xRight I get that. The problem for me is that at this time, anything past 4.9.latest is going to require either switching to a distro I know nothing about (One of the Debian variants but which one?) or figuring out the python3 crap on Centos 7 or wait for Centos 8. Hopefully once Centos 8 is a real thing there will be a list of required packages to build samba like there is with Centos 7. Hence my hesitation with moving past 4.9.x at this time. I expect that will change in the next few weeks. Now if you said there was some bug fix in 4.10 that would get group policy working again, I would most likely bite the bullet and go for it since you are after all one of the samba gods. :-) One question I do have is, is it expected that if I try to run gpresult as administrator that I get an error that says "The user SAMDOM\Administrator does not have RSOP data? Also, In the gpmc if I try to run the "group policy modeling wizard" I get an error that says "The rpc server is unavailable" Is that also expected or do I have other issues? The server services in smb.conf is as follows: server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate If I read this correctly, rpc should be available. Is this correct? TBH, when it comes to windows tools I am never sure what is supposed to work with Samba and what is not. FWIW both DC's are now on 4.8.12. Tomorrow I will upgrade them to 4.9.latest. Regards, -- Tom me at tdiehl.org