Good morning Chris,

> -----Original message-----
> From: Sonic [mailto:sonicsmith at gmail.com]
> Sent: Tuesday 27 October 2020 21:07
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] GPO fail and sysvol perm errors
>
> On Tue, Oct 27, 2020 at 4:01 AM L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
> > Ok, so that's correct.
> However gpupdate fails. And I know you said not to run sysvolreset,
> but after running it gpupdate works.
> >
> > Can you tell the windows event id and description?
> I get different errors depending upon the system, whether it's a local
> system or a remote one connected via vpn.
> The remote system is Event ID 1058:
> The processing of Group Policy failed. Windows attempted to read the file
> \\my.example.com\sysvol\my.example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
> from a domain controller and was not successful. Group Policy settings
> may not be applied until this event is resolved

Ok, I'm guessing you can open the gpt.ini file fine, if you click that link, correct?

Have you enabled the "Always wait for network" GPO setting? Enable this one.
https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsLogon::SyncForegroundPolicy

> The local system is Event ID 1096:
> The processing of Group Policy failed. Windows could not apply the
> registry-based policy settings for the Group Policy object
> LDAP://CN=Machine,cn={E2BC0255-64C8-42CF-A27A-59A7D3DCD2DC},cn=policies,cn=system,DC=my,DC=example,DC=com.
> Group Policy settings will not be resolved until this event is resolved.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc727302(v=ws.10)?redirectedfrom=MSDN
So here they say, delete and recreate, I don't think that's needed..
I think your solution is in this link.
https://docs.microsoft.com/nl-nl/troubleshoot/windows-server/group-policy/permissions-this-gpo-inconsistent

> After running sysvolreset the systems update fine. Problem is once I
> add or edit a GPO (from Windows 10 20H2) everything fails until I run
> sysvolreset again.

That's because there is something off in the rights or,.. due to, it's trying to read it but the network isn't ready yet.

> > And which group is set on sysvol in general on the share tab.
> This is the current info (I did run sysvolreset to get the GPO's
> working again, so this is not with your settings, I can look into this
> again later)
> Owner is ADDOM\Administrator
> Allow Everyone Full Control

That should be sufficient. And.. it's not "my" settings.. ;-) all can be found in: https://docs.microsoft.com/

I also recommend you to read, since you also have a remote location:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview

First, let's see how far the above gets you.

Greetz,

Louis
Good day Louis,

On Wed, Oct 28, 2020 at 3:46 AM L.P.H. van Belle <belle at bazuin.nl> wrote:
> Ok, I'm guessing you can open the gpt.ini file fine, if you click that link, correct?

Yes, could open, read, edit, and save that file.

> Have you enabled the "Always wait for network" GPO setting?

No, but I'm testing from clients with 'gpupdate /force' in powershell, and not logon time.

> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc727302(v=ws.10)?redirectedfrom=MSDN
> So here they say, delete and recreate, I don't think that's needed..

Just sysvolreset was all that was needed, if it was corrupt then changing the perms shouldn't matter.

> I think your solution is in this link.
> https://docs.microsoft.com/nl-nl/troubleshoot/windows-server/group-policy/permissions-this-gpo-inconsistent

I get no errors running GPMC.

> > After running sysvolreset the systems update fine. Problem is once I
> > add or edit a GPO (from Windows 10 20H2) everything fails until I run
> > sysvolreset again.
> That's because there is something off in the rights or,.. due to,
> it's trying to read it but the network isn't ready yet.

Not a network ready issue (testing with up and running systems manually running gpupdate).

> > > And which group is set on sysvol in general on the share tab.
> > This is the current info (I did run sysvolreset to get the GPO's
> > working again, so this is not with your settings, I can look into this
> > again later)
> > Owner is ADDOM\Administrator
> > Allow Everyone Full Control
> That should be sufficient.
> And.. it's not "my" settings.. ;-) all can be found in: https://docs.microsoft.com/
>
> I also recommend you to read, since you also have a remote location:
> https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview

Just one Windows 10 Pro 20H2 (QEMU/KVM) system. There's a site-to-site vpn between my network and the target network (wireguard on OpenBSD) which works quite well; can easily join systems to the domain, read and write files, print etc. Not using folder redirection, offline files, or roaming profiles. Testing being done with very minimal GPO's - Chrome home page, no autorun, etc.

Chris
> -----Original message-----
> From: Sonic [mailto:sonicsmith at gmail.com]
> Sent: Wednesday 28 October 2020 14:24
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] GPO fail and sysvol perm errors
>
> Good day Louis,
>
> On Wed, Oct 28, 2020 at 3:46 AM L.P.H. van Belle <belle at bazuin.nl> wrote:
> > Ok, I'm guessing you can open the gpt.ini file fine, if you click that link, correct?
> Yes, could open, read, edit, and save that file.

As I expected, but what if I tell you, the user you're testing this with is not the user/computer that reads the file.

> > Have you enabled the "Always wait for network" GPO setting?
> No, but I'm testing from clients with 'gpupdate /force' in powershell,
> and not logon time.

Ah, ok, well, reboot the computer after the join, 2 times. After the 1st reboot clear all logs, you will see things quicker. And not all policies are applied when you're logged in.

> > https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc727302(v=ws.10)?redirectedfrom=MSDN
> > So here they say, delete and recreate, I don't think that's needed..
> Just sysvolreset was all that was needed, if it was corrupt then
> changing the perms shouldn't matter.
>
> > I think your solution is in this link.
> > https://docs.microsoft.com/nl-nl/troubleshoot/windows-server/group-policy/permissions-this-gpo-inconsistent
> I get no errors running GPMC.

Ah, great, so then I assume it's fixed now?? ( but I think not )

> > > After running sysvolreset the systems update fine. Problem is once I
> > > add or edit a GPO (from Windows 10 20H2) everything fails until I run
> > > sysvolreset again.
> > That's because there is something off in the rights or,.. due to,
> > it's trying to read it but the network isn't ready yet.
> Not a network ready issue (testing with up and running systems
> manually running gpupdate).

No, this is not a network issue. There are 2 things here.
1) the computer starts up and applies the computer policies, (as SYSTEM).
2) the fast computers these days show their desktop before the network is started fully on windows.
When I'm testing, I'm rebooting the computer every time..

> > > > And which group is set on sysvol in general on the share tab.
> > > This is the current info (I did run sysvolreset to get the GPO's
> > > working again, so this is not with your settings, I can look into this again later)
> > > Owner is ADDOM\Administrator
> > > Allow Everyone Full Control
> > That should be sufficient.
> > And.. it's not "my" settings.. ;-) all can be found in: https://docs.microsoft.com/
> >
> > I also recommend you to read, since you also have a remote location:
> > https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview
> Just one Windows 10 Pro 20H2 (QEMU/KVM) system. There's a site-to-site
> vpn between my network and the target network (wireguard on OpenBSD)
> which works quite well; can easily join systems to the domain, read
> and write files, print etc.
> Not using folder redirection, offline files, or roaming profiles.
> Testing being done with very minimal GPO's - Chrome home
> page, no autorun, etc.

I also have 2 locations logging in over a strongswan VPN setup here, but with folder redirection, offline files, and roaming profiles.

Now, re-apply these. (long lines, make sure you didn't miss a part.)

samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /var/lib/samba/sysvol/

Next line:
samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /var/lib/samba/sysvol/$(hostname -d)

samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)" /var/lib/samba/sysvol/$(hostname -d)/Policies/

Now test, create a new policy and test it, if that works, which it should, because this is coming from my production servers.
Then compare it with the not working one. Run getfacl on both folders.

Greetz,

Louis
Hi Louis,

On Wed, Oct 28, 2020 at 10:04 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Now, re-apply these. (long lines, make sure you didn't miss a part.)
>
> samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /var/lib/samba/sysvol/
> samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /var/lib/samba/sysvol/$(hostname -d)
> samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)" /var/lib/samba/sysvol/$(hostname -d)/Policies/
>
> Now test, create a new policy and test it, if that works, which it should, because this is coming from my production servers.
> Then compare it with the not working one. Run getfacl on both folders.

Re-applied those acl's and it appears to be working.

There is a difference in the unix perms for the newly created GPO vs one that existed during the application of the acls.

Existing GPO (all of them actually):

root at srvr01:/usr/local/samba/var/locks/sysvol/my.addom.com/Policies# ls -al \{07AF723D-5FFD-4807-B3C6-DFCE911B922A\}/
total 40
drwxrwx---+ 4 ADDOM\domain admins ADDOM\domain admins 4096 Oct 25 16:48 .
drwxrwx---+ 7 root BUILTIN\administrators 4096 Oct 25 16:48 ..
-rwxrwx---+ 1 ADDOM\domain admins ADDOM\domain admins 59 Oct 26 11:52 GPT.INI
drwxrwx---+ 2 ADDOM\domain admins ADDOM\domain admins 4096 Oct 26 11:52 Machine
drwxrwx---+ 2 ADDOM\domain admins ADDOM\domain admins 4096 Oct 25 16:48 User

New GPO:

root at srvr01:/usr/local/samba/var/locks/sysvol/my.addom.com/Policies# ls -al \{0C0B713E-EE65-4ACE-88AE-25125E2AAE00\}/
total 40
drwxrwx---+ 4 ADDOM\domain admins ADDOM\domain admins 4096 Oct 28 10:50 .
drwxrwx---+ 8 root BUILTIN\administrators 4096 Oct 28 10:50 ..
-rwxrwx---+ 1 BUILTIN\administrators users 59 Oct 28 11:00 GPT.INI
drwxrwx---+ 2 BUILTIN\administrators users 4096 Oct 28 11:00 Machine
drwxrwx---+ 2 BUILTIN\administrators users 4096 Oct 28 10:50 User

However the acls via getfacl for the two GPO's are identical. I don't know if that will be problematic down the road or not.

Thanks,

Chris
> However the acls via getfacl for the two GPO's are identical.

You're sure?

> I don't know if that will be problematic down the road or not.

No, that's fine. But run on the 2 folders:

samba-tool ntacl get --as-sddl FOLDERHERE

Compare the 2 outputs. There must be a difference.

Well, at least it works now for you..

Greetz,

Louis
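Louis's three `samba-tool ntacl set` lines and his closing "compare the 2 outputs" both revolve around the SDDL strings that `samba-tool ntacl get --as-sddl` prints. Comparing two of those by eye is error-prone, and `getfacl` only shows the POSIX ACL projection, which is why two folders can look identical there and still differ in their NT ACL. The following Python is an added example and is not code from the thread or from Samba: it decodes an SDDL string into owner, group, DACL flags and individual ACEs (with the access mask rendered as the Explorer-style name such as "Modify" or as its bit names) and diffs two strings ACE by ACE. The two SDDL strings it starts from are copied from Louis's commands; the well-known SID alias table is a subset of Microsoft's SDDL aliases; the "drifted" descriptor, the function names and the `Ace`/`SecurityDescriptor` types are this example's own constructions.

```python
"""Decode and compare SDDL strings such as those printed by
`samba-tool ntacl get --as-sddl` (added example, not Samba code)."""
import re
from dataclasses import dataclass

# Subset of Microsoft's well-known SDDL SID aliases; unknown trustees fall back to the raw SID.
WELL_KNOWN_SIDS = {
    "LA": "Local Administrator", "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators", "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "PA": "Group Policy Creator Owners", "WD": "Everyone",
}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
# File/directory access-mask bits, lowest first.
MASK_BITS = [
    (0x00000001, "READ_DATA/LIST_DIRECTORY"), (0x00000002, "WRITE_DATA/ADD_FILE"),
    (0x00000004, "APPEND_DATA/ADD_SUBDIRECTORY"), (0x00000008, "READ_EA"),
    (0x00000010, "WRITE_EA"), (0x00000020, "EXECUTE/TRAVERSE"),
    (0x00000040, "DELETE_CHILD"), (0x00000080, "READ_ATTRIBUTES"),
    (0x00000100, "WRITE_ATTRIBUTES"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
]
# Combinations the Explorer security tab shows as a single checkbox.
NAMED_MASKS = {0x001F01FF: "Full control", 0x001301BF: "Modify", 0x001200A9: "Read & execute"}
# Symbolic rights SDDL may carry instead of a hex mask (may be concatenated, e.g. "FRFX").
SYMBOLIC_RIGHTS = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
                   "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: tuple    # inheritance flags, e.g. ("OI", "CI")
    mask: int
    trustee: str    # SDDL alias or raw S-1-... SID

    def describe(self) -> str:
        who = WELL_KNOWN_SIDS.get(self.trustee, self.trustee)
        rights = NAMED_MASKS.get(self.mask) or "|".join(n for b, n in MASK_BITS if self.mask & b)
        inherit = ",".join(ACE_FLAGS.get(f, f) for f in self.flags) or "this object only"
        kind = {"A": "ALLOW", "D": "DENY"}.get(self.ace_type, self.ace_type)
        return f"{kind} {who}: {rights} (0x{self.mask:08x}) [{inherit}]"


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str   # "P" = protected: nothing is inherited from the parent folder
    aces: tuple


def _parse_mask(text: str) -> int:
    if text.startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):   # OR, not add: symbolic rights overlap in bits
        mask |= SYMBOLIC_RIGHTS[text[i:i + 2]]
    return mask


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Split O:, G:, D: (and S:) sections, then each (type;flags;rights;;;sid) ACE."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = parts.get("D", "")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        flags = tuple(ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2))
        aces.append(Ace(ace_type, flags, _parse_mask(rights), sid))
    return SecurityDescriptor(parts.get("O", ""), parts.get("G", ""),
                              dacl.split("(")[0], tuple(aces))


def diff_sddl(expected: str, actual: str) -> dict:
    """Return what differs between two descriptors; an empty dict means identical."""
    e, a = parse_sddl(expected), parse_sddl(actual)
    out = {}
    for field in ("owner", "group", "dacl_flags"):
        if getattr(e, field) != getattr(a, field):
            out[field] = (getattr(e, field), getattr(a, field))
    missing, extra = set(e.aces) - set(a.aces), set(a.aces) - set(e.aces)
    if missing:
        out["missing_aces"] = sorted(x.describe() for x in missing)
    if extra:
        out["extra_aces"] = sorted(x.describe() for x in extra)
    return out


# Copied from the two `samba-tool ntacl set` lines in the thread.
SYSVOL_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
POLICIES_SDDL = SYSVOL_SDDL + "(A;OICI;0x001301bf;;;PA)"
# Constructed for this example: a Policies folder whose owner changed and whose
# Group Policy Creator Owners ACE was demoted to read-only.
DRIFTED_SDDL = ("O:BAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;PA)")

if __name__ == "__main__":
    for ace in parse_sddl(POLICIES_SDDL).aces:
        print(ace.describe())
    print(diff_sddl(POLICIES_SDDL, DRIFTED_SDDL))
```

In practice you would feed `diff_sddl()` the output of `samba-tool ntacl get --as-sddl` for the working GPO folder and for the broken one; a non-empty result tells you exactly which owner, flag or ACE to correct rather than having to reset the whole tree with `sysvolreset`.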