Hi again everyone, starting a new thread as I was able to find some
things... I had sent an email earlier on about domain members not
synchronizing time, and instead using the CMOS time.

I tried to understand why machines in my domain don't react to the group
policy I've set up that tells them to get the time from some nice NTP
server somewhere. So I've realized that newly joined computers don't get
any GPO rules from the DC at all.

The DC is fairly new, and took over the PDC role in the domain instead
of an old broken one running Samba 4 with Zentyal, that in its own turn
replaced a Samba 3 server that was not a DC.

I downloaded the script recommended in the wiki, and got results exactly
like in this thread:
http://samba.2283325.n4.nabble.com/BUILTIN-Administrators-failed-to-call-wbcSidToUid-WBC-ERR-DOMAIN-NOT-FOUND-td4723614.html

Or, in short:
# bash samba-check-set-sysvol.sh
INFO 2021-03-15 16:52:29,860 pid:20629 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2021-03-15 16:52:29,861 pid:20629 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid
Error, UID2SID and GID2SID are not matching, exiting now.

What do I do now? If I run `wbinfo -g`, BUILTIN\Administrators is not
listed there. I don't mind recreating my existing GPOs from scratch.

Note: I can edit existing Group Policies, but when I try to create a new
one, I simply get "Access is denied".

Not sure where to even begin here (I've read quite a lot on the thread
mentioned above, got stuck directly on "Check your AD and remove any
gidNumber or uidNumber attributes from any users or groups that appear
on that page except for 'Domain Users'"), so any help is very
appreciated.

Oleg