Rowland penny
2021-Jan-28 20:57 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>
> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>
>>> Just to add to this:
>>>
>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
>>> following:
>>
>> I know you are syncing sysvol between the two DC's, but are you also
>> syncing idmap.ldb from the first DC to the second ?
>>
>> If you aren't, then you will probably have different xidNumbers on
>> each DC.
>>
>> Rowland
>
> I did the sync once when I set up the server. The docs on the
> wiki seem to imply this is a one time step and not something
> that needs to be done continuously.
>
> I did find a configuration error on the new DC that may
> have affected the way DNS was working, however after
> correcting that the user still is reporting that after
> logon, the GPO's are not being applied.
>
> I can not replicate the problem on my end.
>
> The results of the drive map according to gpresult
> from the user's computer produce (Error Code: 0x80070035).
>

I believe that error code means that the directory cannot be found, though it could be a permissions problem. It could be something as simple as giving Domain Admins a gidNumber attribute.

idmap.ldb works by giving domain users & groups an xidNumber attribute (not to be confused with uidNumber & gidNumber attributes), these are allocated on a first come basis, so you may have to sync idmap.ldb a few times to ensure they match, without doing this, the wrong user or group may be used.

Windows has the concept of groups owning files & folders, on Unix a group cannot own anything, so, in idmap.ldb, you find groups marked as 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes just a group and cannot own anything, Domain Admins is such a group.

Rowland
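The xidNumber drift Rowland describes is easy to check for before it turns into wrong sysvol ownership. The script below is an added example, not code from the thread or from the Samba project: it parses two dumps in the shape that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints (the record layout, the placeholder domain SID `S-1-5-21-1111-2222-3333` and the sample records are all constructed here) and reports SIDs whose xidNumber differs between the DCs, xidNumbers that point at a different SID on each DC, and which entries are `ID_TYPE_BOTH`.

```python
"""Compare idmap.ldb dumps from two Samba DCs and report xidNumber drift."""
import re

# Placeholder domain SID for the constructed sample; not taken from the thread.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"

# Constructed dumps in the shape of `ldbsearch -H .../idmap.ldb` output.
# On DC1 "Domain Admins" (RID 512) was allocated first; on DC2 a user (RID 1104)
# was looked up first, so first-come allocation gave the same xidNumber to a
# different SID on each DC.
DC1_DUMP = f"""\
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000000
xidNumber: 3000002
distinguishedName: CN=CONFIG

# record 2
dn: CN={DOMAIN_SID}-512
cn: {DOMAIN_SID}-512
objectClass: sidMap
objectSid: {DOMAIN_SID}-512
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN={DOMAIN_SID}-512

# record 3
dn: CN={DOMAIN_SID}-1104
cn: {DOMAIN_SID}-1104
objectClass: sidMap
objectSid: {DOMAIN_SID}-1104
type: ID_TYPE_UID
xidNumber: 3000001
distinguishedName: CN={DOMAIN_SID}-1104
"""

DC2_DUMP = DC1_DUMP.replace(
    f"objectSid: {DOMAIN_SID}-512\ntype: ID_TYPE_BOTH\nxidNumber: 3000000",
    f"objectSid: {DOMAIN_SID}-512\ntype: ID_TYPE_BOTH\nxidNumber: 3000001",
).replace(
    f"objectSid: {DOMAIN_SID}-1104\ntype: ID_TYPE_UID\nxidNumber: 3000001",
    f"objectSid: {DOMAIN_SID}-1104\ntype: ID_TYPE_UID\nxidNumber: 3000000",
)


def parse_idmap(dump: str) -> dict:
    """Return {objectSid: {"type": str, "xid": int}}; records without an
    objectSid (the CONFIG record) are skipped."""
    records = {}
    for block in re.split(r"\n\s*\n", dump.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        sid = attrs.get("objectSid")
        if sid and "xidNumber" in attrs:
            records[sid] = {"type": attrs.get("type", ""), "xid": int(attrs["xidNumber"])}
    return records


def xid_drift(dc1: dict, dc2: dict) -> dict:
    """SIDs whose xidNumber differs between the DCs (None = missing on that DC)."""
    drift = {}
    for sid in sorted(set(dc1) | set(dc2)):
        a = dc1.get(sid, {}).get("xid")
        b = dc2.get(sid, {}).get("xid")
        if a != b:
            drift[sid] = (a, b)
    return drift


def xid_collisions(dc1: dict, dc2: dict) -> dict:
    """xidNumbers that resolve to a different SID on each DC: the case where
    a file owned by one principal on DC1 belongs to another on DC2."""
    by_xid1 = {r["xid"]: sid for sid, r in dc1.items()}
    by_xid2 = {r["xid"]: sid for sid, r in dc2.items()}
    return {x: (by_xid1[x], by_xid2[x]) for x in sorted(by_xid1)
            if x in by_xid2 and by_xid1[x] != by_xid2[x]}


def both_type_sids(records: dict) -> list:
    """SIDs mapped as ID_TYPE_BOTH, i.e. groups that may own files on the DC."""
    return sorted(sid for sid, r in records.items() if r["type"] == "ID_TYPE_BOTH")


if __name__ == "__main__":
    dc1, dc2 = parse_idmap(DC1_DUMP), parse_idmap(DC2_DUMP)
    for sid, (a, b) in xid_drift(dc1, dc2).items():
        print(f"drift   {sid}: DC1 xid={a} DC2 xid={b}")
    for xid, (s1, s2) in xid_collisions(dc1, dc2).items():
        print(f"collide xid {xid}: DC1 {s1} / DC2 {s2}")
    print("ID_TYPE_BOTH on DC1:", both_type_sids(dc1))
```

Any non-empty drift or collision output means the second DC should receive a fresh copy of idmap.ldb from the first (the Samba wiki's sysvol-replication page copies a `tdbbackup` of the file, then flushes the cache and runs `samba-tool ntacl sysvolreset` on the receiving DC), and the check is worth repeating after new users or groups have been created, because each DC keeps allocating on a first-come basis.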
Marco Shmerykowsky
2021-Jan-28 21:13 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 1/28/2021 3:57 PM, Rowland penny via samba wrote:
> On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>>
>> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>>
>>>> Just to add to this:
>>>>
>>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
>>>> following:
>>>
>>> I know you are syncing sysvol between the two DC's, but are you also
>>> syncing idmap.ldb from the first DC to the second ?
>>>
>>> If you aren't, then you will probably have different xidNumbers on
>>> each DC.
>>>
>>> Rowland
>>
>> I did the sync once when I set up the server. The docs on the
>> wiki seem to imply this is a one time step and not something
>> that needs to be done continuously.
>>
>> I did find a configuration error on the new DC that may
>> have affected the way DNS was working, however after
>> correcting that the user still is reporting that after
>> logon, the GPO's are not being applied.
>>
>> I can not replicate the problem on my end.
>>
>> The results of the drive map according to gpresult
>> from the user's computer produce (Error Code: 0x80070035).
>>
> I believe that error code means that the directory cannot be found,
> though it could be a permissions problem. It could be something as
> simple as giving Domain Admins a gidNumber attribute.
>
> idmap.ldb works by giving domain users & groups an xidNumber attribute
> (not to be confused with uidNumber & gidNumber attributes), these are
> allocated on a first come basis, so you may have to sync idmap.ldb a few
> times to ensure they match, without doing this, the wrong user or group
> may be used.
>
> Windows has the concept of groups owning files & folders, on Unix a
> group cannot own anything, so, in idmap.ldb, you find groups marked as
> 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes just a
> group and cannot own anything, Domain Admins is such a group.
>
> Rowland

But why would the policy work on one computer and not another with the same login credentials?