On 09.02.22 at 16:32, Victor Rodriguez via samba wrote:
> On 2/9/22 14:32, Matthias Leopold via samba wrote:
>> Hi,
>>
>> is there a way to determine from which DC a GPO is applied in Windows
>> when running "gpupdate" or from the automatic(?) updates?
>> For reasons I don't understand GPO updates on my Windows 2019 members
>> only work from the PDC Emulator DC. On the other DC I get errors about
>> "Permission denied" (although sysvol permissions are the same in both
>> DCs and "samba-tool ntacl sysvolcheck" is happy). "Group Policy
>> Management" in Windows points to the PDC Emulator DC, but the updates
>> seem to randomly choose a DC (which is annoying when updates only work
>> from one DC).
>>
>> thx for advice
>> Matthias
>
>
> The GPO client will try to read GPO from domain.local\sysvol\Policies.
> In DNS, your A record for domain.local will probably resolve to every
> DC, so the DNS client will use one of them randomly. Use the client
> host file to fix the IP to resolve to when using the name domain.local.
> You have to fix those "permission denied" errors.
>
> Meanwhile, change your DNS and leave just the domain.local A record pointing
> to the working DC. You will have to flush the DNS client cache too.
>
> How are you testing access to sysvol on every DC?
>
> Regards.
>

My GPO client is connecting to the full domain name for some reason; this resolves to both DCs. I'm not testing access to sysvol on every DC, but I'm watching smbd logfiles on both DCs and see when the computer connects for the GPO update. The "permission denied" errors are a different story again. The UID/GID numbers I see in the log line for the connecting computer are completely strange. They are from the 3000000 range and when I resolve them with wbinfo, they would be user groups(?) or can't be resolved at all. This is the same strange behaviour on both DCs, although on one DC access is OK, on the other it isn't.

File system permissions on the sysvol folder are OK (when using getfacl) and comparing it to recommendations from https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh, also when reading them from Windows.

Matthias
On Thu, 2022-02-10 at 17:30 +0100, Matthias Leopold via samba wrote:
>
>
>
> My GPO client is connecting to the full domain name for some reason,

That is what it is supposed to do.

> this resolves to both DCs.

It should, and if you add any further DCs, it would resolve to them as well.

> I'm not testing access to sysvol on every DC, but I'm watching smbd
> logfiles on both DCs and see when the computer connects for the GPO
> update.
> The "permission denied" errors are a different story again. The
> UID/GID
> numbers I see in the log line for the connecting computer are
> completely
> strange. They are from the 3000000 range

As is expected, Samba DCs use 'xidNumber' attributes (to be found in idmap.ldb, not AD) and these start from '3000000'. They can be 'ID_TYPE_BOTH', which means that they are both a user and a group. There is one problem though: they are allocated on an 'as connected' basis, which means that they can (and probably will be) different on each DC. To fix this, you need to sync idmap from the DC with the PDC_Emulator FSMO role to all other DCs.

> and when I resolve them with
> wbinfo, they would be user groups(?) or can't be resolved at all.
> This
> is the same strange behaviour on both DCs, although on one DC access
> is
> OK, on the other it isn't. File system permissions on sysvol folder
> are
> OK (when using getfacl) and comparing it to recommendations from
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh,
> also when reading them from Windows.

This is probably an 'idmap.ldb' problem.

Rowland
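A way to confirm the diagnosis above before touching anything, added here as an example and not part of the thread: export idmap.ldb on each DC with ldbsearch and diff the SID-to-xidNumber mappings, since a SID that resolves to different xidNumbers on the two DCs is exactly what makes the same sysvol ACL work on one DC and fail on the other. The two dumps below are constructed (the attribute names objectSid, type and xidNumber are those used in Samba's idmap.ldb; the idmap.ldb path is assumed).

```python
import re

# Constructed sample output of `ldbsearch -H /var/lib/samba/private/idmap.ldb`
# on two DCs (dn/cn attributes omitted); real dumps carry many more records.
DC1_DUMP = """\
# record 1
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1103
type: ID_TYPE_BOTH
xidNumber: 3000012

# record 2
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-515
type: ID_TYPE_GID
xidNumber: 3000020
"""

DC2_DUMP = """\
# record 1
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1103
type: ID_TYPE_BOTH
xidNumber: 3000027

# record 2
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-515
type: ID_TYPE_GID
xidNumber: 3000020
"""

def parse_idmap(dump):
    """Return {objectSid: (type, xidNumber)} from LDIF-style ldbsearch output."""
    mapping = {}
    for record in re.split(r"\n\s*\n", dump.strip()):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if ": " in line and not line.startswith("#"))
        if attrs.get("objectClass") == "sidMap":
            mapping[attrs["objectSid"]] = (attrs["type"], int(attrs["xidNumber"]))
    return mapping

def compare_idmaps(dump_a, dump_b):
    """SIDs whose (type, xidNumber) differ between DCs or exist on one DC only."""
    a, b = parse_idmap(dump_a), parse_idmap(dump_b)
    return [(sid, a.get(sid), b.get(sid))
            for sid in sorted(set(a) | set(b)) if a.get(sid) != b.get(sid)]
```

For the sync itself, the Samba wiki's procedure is to take a copy of idmap.ldb on the PDC emulator with `tdbbackup -s .bak`, replace the file on each other DC with that copy, run `net cache flush` there and then `samba-tool ntacl sysvolreset` so the sysvol ACLs are rewritten with the now-consistent IDs.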