Marco Shmerykowsky
2021-Jan-28 15:46 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
I'm currently running Debian 10 & Samba 4.13.2.

Users can connect remotely via OpenVPN with the authentication being handled by Samba.

I created a second DC, joined it to the domain following "Joining a Samba DC to an Existing Active Directory" from the SambaWiki.

I also implemented the "Rsync based SysVol replication workaround" also listed in the SambaWiki.

After adding in the second DC as described above users started having issues with the GPOs not being applied. Running gpresult shows that the failed drive maps have the error -> winning gpo Result: Failure (Error Code: 0x80070035)

What is odd is that it doesn't appear consistent. I've logged in using the user's credentials on two computers and have no issues. The user, however, still seems to have issues even after deleting the local profile, running 'gpupdate /force' and rebooting.

Ideas? Thank you.
Marco Shmerykowsky
2021-Jan-28 18:54 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 1/28/2021 10:46 AM, Marco Shmerykowsky via samba wrote:
> I'm currently running Debian 10 & Samba 4.13.2.
>
> Users can connect remotely via OpenVPN with the
> authentication being handled by Samba.
>
> I created a second DC, joined it to the domain following
> "Joining a Samba DC to an Existing Active Directory"
> from the SambaWiki.
>
> I also implemented the "Rsync based SysVol replication workaround"
> also listed in the SambaWiki.
>
> After adding in the second DC as described above users
> started having issues with the GPOs not being applied.
> Running gpresult shows that the failed drive maps have
> the error -> winning gpo Result: Failure (Error Code: 0x80070035)
>
> What is odd is that it doesn't appear consistent. I've
> logged in using the user's credentials on two computers
> and have no issues. The user, however, still seems to
> have issues even after deleting the local profile,
> running 'gpupdate /force' and rebooting.
>
> Ideas? Thank you.

Just to add to this:

If I run 'samba-tool ntacl sysvolcheck' on either server I get the following:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/sce-internal.sce-engineers.com/Policies/{51902A58-DF2B-440B-B85B-41E156D631EA}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119)(A;OICI;0x001200a9;;;DU)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119)
from GPO object
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1894, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1844, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1786, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)

Running 'samba-tool ntacl sysvolreset' seems to clear the error for a bit before it starts appearing again.
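The two SDDL strings in the sysvolcheck error are hard to compare by eye. The following helper is an added example (not part of this thread, and not Samba's own code) that parses constructed copies of both strings and reports exactly what drifted on disk: the DACL control flags (PAI on disk versus the expected PAR) and the one extra ACE granting Domain Users (DU) read access. The flag descriptions follow the standard SDDL meanings of P, AI and AR.

```python
import re
from collections import Counter

# Constructed copies of the two ACL strings quoted in the sysvolcheck error above.
ON_DISK = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
           "(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119)"
           "(A;OICI;0x001200a9;;;DU)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
            "(A;OICI;0x001200a9;;;S-1-5-21-816939725-271653577-1537739732-1119)")

# Owner, group, DACL control flags, then zero or more parenthesised ACEs.
SDDL_RE = re.compile(r"^O:(?P<owner>[\w-]+?)G:(?P<group>[\w-]+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")
DACL_FLAGS = {"P": "protected: inheritance from the parent is blocked",
              "AI": "auto-inherited", "AR": "auto-inherit required (propagate to children)"}

def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, flag list and ACE list."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unrecognised SDDL string")
    return {"owner": m["owner"], "group": m["group"],
            "flags": re.findall(r"AR|AI|P", m["flags"]),
            "aces": re.findall(r"\([^)]*\)", m["aces"])}

def diff_sddl(actual, expected):
    """Compare on-disk vs expected ACL; ACEs are a multiset so the repeated DA entry is fine."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    ca, ce = Counter(a["aces"]), Counter(e["aces"])
    return {"owner_ok": (a["owner"], a["group"]) == (e["owner"], e["group"]),
            "flag_diff": None if a["flags"] == e["flags"] else (a["flags"], e["flags"]),
            "extra_aces": sorted((ca - ce).elements()),
            "missing_aces": sorted((ce - ca).elements())}

def report(actual, expected):
    """Human-readable lines describing the drift, e.g. for a periodic sysvol check."""
    d = diff_sddl(actual, expected)
    lines = [] if d["owner_ok"] else ["owner/group differ"]
    if d["flag_diff"]:
        got, want = d["flag_diff"]
        lines.append("DACL flags %s, expected %s (%s)" % ("".join(got), "".join(want),
                     "; ".join(DACL_FLAGS[f] for f in sorted(set(got) ^ set(want)))))
    lines += ["extra ACE on disk: " + x for x in d["extra_aces"]]
    lines += ["missing ACE on disk: " + x for x in d["missing_aces"]]
    return lines
```

Running `report(ON_DISK, EXPECTED)` on the strings from the error yields two findings: the PAI/PAR flag difference and the extra Domain Users ACE, which is what sysvolreset rewrites and what reappears if the replication step copies ACLs back from the other DC.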