Displaying 20 results from an estimated 10000 matches similar to: "GPO Editor says "Access denied" for Group Policy Objects"
2024 Apr 25
1
GPO Editor says "Access denied" for Group Policy Objects
On Thu, 25 Apr 2024 16:55:55 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:
> .. we setup 2 new DCs replacing older DCs and joined them to the
> domain, then decommissioned the old DCs. I now discover that I cannot
> edit the GPO objects anymore.
> "sysvolcheck" shows no errors. I read through some documentation but
> it sounds outdated to me. Any
2024 Apr 25
2
GPO Editor says "Access denied" for Group Policy Objects
Hi Rowland, all,
Am 25.04.2024 um 17:24 schrieb Rowland Penny via samba:
> On Thu, 25 Apr 2024 16:55:55 +0200
> Jakob Curdes via samba<samba at lists.samba.org> wrote:
>
>> .. we setup 2 new DCs replacing older DCs and joined them to the
>> domain, then decommissioned the old DCs. I now discover that I cannot
>> edit the GPO objects anymore.
>>
2024 Apr 25
1
GPO Editor says "Access denied" for Group Policy Objects
On Thu, 25 Apr 2024 18:19:20 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:
> Hi Rowland, all,
>
> Am 25.04.2024 um 17:24 schrieb Rowland Penny via samba:
> > On Thu, 25 Apr 2024 16:55:55 +0200
> > Jakob Curdes via samba<samba at lists.samba.org> wrote:
> >
> >> .. we setup 2 new DCs replacing older DCs and joined them to the
>
2024 Apr 25
1
GPO Editor says "Access denied" for Group Policy Objects
I don't think you need winbind on a DC as user mapping is done by its own databases. I think you have mixed up member server configs into DC configs.
A smb.conf like this should be enough:
[global]
dns forwarder = 1.1.1.1
netbios name = AAA
realm = XXXT
server role = active directory domain controller
workgroup = MAD
idmap_ldb:use rfc2307 = yes
#Allow this for free radius to work
ntlm
2024 May 02
1
GPO Editor says "Access denied" for Group Policy Objects
Hello all, to return to the original topic:
My original problem was that I could not edit GP objects with the GP
Editor, even as Domain admin. I always got "access denied". A
sysvolcheck returned no errors and the Windows "Security" tab for the
object in question on the sysvol share looked correct.
I now found out that the group id of the sysvol folder (and everything
2024 May 02
1
GPO Editor says "Access denied" for Group Policy Objects
On Thu, 2 May 2024 12:07:13 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:
> Hello all, to return to the original topic:
>
> My original problem was that I could not edit GP objects with the GP
> Editor, even as Domain admin. I always got "access denied". A
> sysvolcheck returned no errors and the Windows "Security" tab for the
>
2024 Apr 25
1
GPO Editor says "Access denied" for Group Policy Objects
Am 25.04.2024 um 19:59 schrieb Rowland Penny via samba:
> I suspect that I forgot to set the idmap config on the DC(s)
> accordingly?
> Do not set idmap config lines on a Samba DC, they do not work, you must
> use the 3000000 numbers or use rfc2307 attributes (uidNumber,
> gidNumber, etc)
>
> Have you read this:
>
>
2024 Apr 25
1
GPO Editor says "Access denied" for Group Policy Objects
Hello Rowland, Luis, all,
Am 25.04.2024 um 18:56 schrieb Rowland Penny via samba:
>> The group ID of the sysvol entry is "3000000", while on the domain
>> member, the Domain Admin group has the group ID "300512".
> Hmm, If you are using rfc2307 attributes, how can the group have the ID
> 3000000 on a DC (which I would expect), but 300512 on a Unix domain
2024 Apr 25
1
GPO Editor says "Access denied" for Group Policy Objects
On Thu, 25 Apr 2024 19:32:26 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:
> Hello Rowland, Luis, all,
>
> Am 25.04.2024 um 18:56 schrieb Rowland Penny via samba:
>
> >
> > [global]
> > netbios name = XXX
> > realm = XXXX.yyyy.ZZ
> > server role = active directory domain controller
> > dns forwarder = X,Y
> >
2017 Oct 26
3
sysvolcheck on fresh samba 4.7 DCs
Hi Andrew and Louis,
Found the issue: after rsync-ing the sysvol from our old decommissioned
DCs, the sysvolreset/sysvolcheck DO work out.
I tried to keep the things simple first, by NOT immediately importing
our old sysvol contents, but first check with a default sysvol...
I thought that the sysvolreset would just reset whatever is located
under samba/sysvol, but I guess that it reads the
2023 Dec 05
1
Question on sysvol replication, GPOs and sysvolreset
Try:
http://samba.bigbird.es/doku.php?id=samba:sync-sysvol
I would recommend one way sync always from PDC FSMO owner, as this is the machine the GPOs get created in by default.
And of course :
http://samba.bigbird.es/doku.php?id=samba:sync-idmap.ldb
Regards.
LP
On 5 Dec 2023 at 13:47 +0100, Jakob Curdes via samba <samba at lists.samba.org>, wrote:
> Hello,
>
> I am wondering
2016 Feb 18
4
Gpo issue
Hai Sam,
Try the following,
1 ) ignore these messages :
> If I create a new GPO The "samba-tool ntacl sysvolcheck" command return
> this error :
>root at S4:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> .....
2) add this line to your sysvol share
acl_xattr:ignore system acls =
2014 May 13
1
GPO problems on a 4.1.6 AD, classicupgraded, uncaught exception
Hi all,
We're running a classicupgraded samba4 AD 4.1.6 sernet for a month or
two now, and all is very well. :-) It has been classicupgraded using the
same 4.1.6.
Today I wanted to try GPO's and they are not applied. GPUpdate /force
tells me:
"Windows attempted to read the file blahblah\gpt.ini
from a domain controller and was not successful".
Taken from the mailinglist, I
2016 Jul 24
3
Samba 4.2.14 GPO issue
Dear All,
I've recently upgraded from samba 4.1.x to samba 4.2.14 and found that GPO
are having issue
Specifically when I'm adding new using they *never* got the gpupdate
successfully.
When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset
But don't seem to got it fix..
Any suggestion?
Thank in advance.
#samba-tool ntacl sysvolcheck
Processing section
2020 Oct 25
2
GPO fail and sysvol perm errors
On Sun, Oct 25, 2020 at 4:02 PM Rowland penny via samba
<samba at lists.samba.org> wrote:
> What do you mean by 'working domain' and 'non-working domain' ?
> Do you have two domains ?
Different sites, different companies, not related. The working one was
also a classic upgrade but earlier on, pre 4.6.x. Just using it to
compare.
> I am also trying to understand why
2020 Jul 22
1
Migrate GPO policies does not work properly.
Hi!
Sorry my late answer. I did run the sysvolcheck/reset commands and
everything seems fine.
On my server I use the following rpm packages, installed from the
tranquil.it repository.
ldb-tools.x86_64 2.0.10-1.el7 @samba_custom
libldb.x86_64 2.0.10-1.el7 @samba_custom
libldb-devel.x86_64 2.0.10-1.el7 @samba_custom
2017 Apr 25
1
"This security ID may not be assigned as the owner of this object" when trying to create a GPO
I have upgraded Samba from a NT PDC to an AD DC about a week ago.
Everything went pretty well until today. I've already configured about
25 GPO's (through RSAT on a Windows 10 machine) - but when I came to add
more GPO's - it wouldn't let me with the above error message. My specs are:
Samba 4.5.0
Slackware -current 64bit
Kernel 4.4.20
The client machine is a Windows 10 Pro.
2018 Feb 12
1
GPO - Computer Policies are not applied
Hi,
We just upgraded the Samba-AD from version 4.6.5 to 4.7.5. The upgrade
threw many challenges and I will write a separate mail explaining the
workaround that we adapted to get over them. One of the main challenges
is GPO. While the user policy applies properly, the computer policies
are not getting applied, rather they are erratic. On some PCs within the
same LAN, it works, while on some,
2018 May 18
2
gpo problem
Hello,
we have a strange problem with the "Default Domain Policy". Sometimes on
different PC the drive mappings are not working. When we do a "gpupdate
/force" we get an error message that the "default domain policy" is not
working for both the user-GPOs and the machine-GPOs. We checked the
permissions with "samba-tool ntacl sysvolcheck" and with
2016 Aug 03
2
Samba 4.2.14 Group Policy (GPO) sync error
Hi Louis,
Many many thanks for your very quick and comprehensive reply.
I also found this thread here
<https://lists.samba.org/archive/samba/2016-July/201471.html>
Unfortunately none of the suggestions seem to entirely resolve the issue.
As a first work-around I have inserted
ldap server require strong auth = no
to my smb.conf and re-started Samba.
Unfortunately this didn't