Sysvolreset

Samba - General mailing list
Hi!

I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.

All is OK, but the GPO on DC3 has a permission error and doesn't load in
Windows (gpresult /force).


My smb.conf, for all the Samba DC servers:


[global]
         netbios name = SAMBA-DC103
         realm = <DOMAIN>
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         workgroup = XXXXXXX

         ldap server require strong auth = no

[netlogon]
         path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
         read only = No

[sysvol]
         path = /opt/samba/var/locks/sysvol
         read only = No




To resolve it, I ran "samba-tool ntacl sysvolreset", but I see that it is
not a good idea
(https://lists.samba.org/archive/samba/2017-March/207236.html).


Any ?


Regards;




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Sysvolreset

Samba - General mailing list
Hi

More information:


DC to DC2/DC3 ->

  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/

  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/

Regards


On 10-01-2018 11:59, Carlos wrote:

> Hi!
>
> I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.
>
> All is OK, but the GPO on DC3 has a permission error and doesn't load in
> Windows (gpresult /force).
>
>
> My smb.conf, for all the Samba DC servers:
>
>
> [global]
>         netbios name = SAMBA-DC103
>         realm = <DOMAIN>
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = XXXXXXX
>
>         ldap server require strong auth = no
>
> [netlogon]
>         path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>         read only = No
>
> [sysvol]
>         path = /opt/samba/var/locks/sysvol
>         read only = No
>
>
> To resolve it, I ran "samba-tool ntacl sysvolreset", but I see that it is
> not a good idea
> (https://lists.samba.org/archive/samba/2017-March/207236.html).
>
>
> Any ?
>
>
> Regards;
>
>
>



Re: Sysvolreset

Samba - General mailing list
On 1/10/2018 8:59 AM, Carlos via samba wrote:

> Hi!
>
> I have 3 Samba 4 servers, version 4.7.3, running on Ubuntu Server 16.04.
>
> All is OK, but the GPO on DC3 has a permission error and doesn't load in
> Windows (gpresult /force).
>
>
> My smb.conf, for all the Samba DC servers:
>
>
> [global]
>         netbios name = SAMBA-DC103
>         realm = <DOMAIN>
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = XXXXXXX
>
>         ldap server require strong auth = no
>
> [netlogon]
>         path = /opt/samba/var/locks/sysvol/<DOMAIN>/scripts
>         read only = No
>
> [sysvol]
>         path = /opt/samba/var/locks/sysvol
>         read only = No
>
>
> To resolve it, I ran "samba-tool ntacl sysvolreset", but I see that it is
> not a good idea
> (https://lists.samba.org/archive/samba/2017-March/207236.html).
>
>
> Any ?
>
>
> Regards;
>
>
>
>
Will need more information. How are you replicating sysvol? What is the
exact message from gpupdate /force? Is it just one GPO not working?

--
--
James



Re: Sysvolreset

Samba - General mailing list
Hi

Rsync

DC1 to DC2 / DC3

root /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@DCXX:/opt/samba/var/


Running "gpupdate /force" on Windows gives a permission error message (shows
the GPO ID, any GPOs ...).

Yes, the only GPO, with errors.

Regards;



On 10-01-2018 14:29, lingpanda101 via samba wrote:

> Will need more information. How are you replicating sysvol? What is
> the exact message from gpupdate /force? Is it just one GPO not working?
>



Re: Sysvolreset

Samba - General mailing list
On 1/10/2018 11:42 AM, Carlos via samba wrote:

> HI
>
> Rsync
>
> DC1 to DC2 / DC3
>
> root /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@DCXX:/opt/samba/var/
>
>
> Running "gpupdate /force" on Windows gives a permission error message (shows
> the GPO ID, any GPOs ...).
>
> Yes, the only GPO, with errors.
>
> Regards;
>
>
>
How often is sysvol replicating? Can you run on the target machine from
cmd window "GPRESULT /H GPReport.html"?

--
--
James



Re: Sysvolreset

Samba - General mailing list
Every 5 minutes.

At this moment (before sysvolreset), the machine is OK. Is this command valid now?

*On DC01 the problem with sysvol does not exist.

Regards;



On 10-01-2018 14:51, lingpanda101 via samba wrote:

> How often is sysvol replicating? Can you run on the target machine
> from cmd window "GPRESULT /H GPReport.html"?
>


Re: Sysvolreset

Samba - General mailing list
Hi

Any ?

Regards;


On 10-01-2018 15:11, Carlos wrote:

>
> Every 5 minutes.
>
> At this moment (before sysvolreset), the machine is OK. Is this command valid
> now?
>
> *On DC01 the problem with sysvol does not exist.
>
> Regards;
>
>
>


Re: Sysvolreset

Samba - General mailing list
On 1/11/2018 10:45 AM, Carlos via samba wrote:

> Hi
>
> Any ?
>
> Regards;
>
>
Hello Carlos,

     I'm having trouble helping due to the language barrier. Are you
still having problems running 'gpupdate /force' on the client workstation?

--
--
James



Re: Sysvolreset

Samba - General mailing list
Hi Carlos,
>
> DC to DC2/DC3 ->
>
>  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>
>  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/

Looking at your smb.conf file, you are using tdb idmap (default on DC).
So the UID/SID mapping will be different on the different DCs, and your
rsync will thus mess up the ACLs of sysvol. ACLs on sysvol are very
important, otherwise GPOs won't be applied.

So it is logical for you to have to apply sysvolreset after your rsync.

One way to avoid that would be to copy idmap.ldb from your first DC to
the other two DCs. The other way would be to configure rfc2307, but I'd
say it is too much of a hassle.

Cheers,

Denis

>
> Regards
>
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr



Re: Sysvolreset

Samba - General mailing list
Sorry, my English is not very good!!!

'gpupdate /force'
Before sysvolreset, a permission error occurs when loading some GPOs; after
running sysvolreset the problem has not occurred anymore, but on every
rsync I run sysvolreset.


Regards;


On 11-01-2018 13:51, lingpanda101 via samba wrote:

> Hello Carlos,
>
>     I'm having trouble helping due to the language barrier. Are you
> still having problems running 'gpupdate /force' on the client
> workstation?
>


Re: Sysvolreset

Samba - General mailing list
Hi,

How do I do that?
And what would be the possible problems? (Both are in production)

"One way to avoid that would be to copy idmap.ldb from your first DC to
the other two DCs."

Regards;


On 11-01-2018 14:42, Denis Cardon wrote:

> Hi Carlos,
>>
>> DC to DC2/DC3 ->
>>
>>  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>>
>>  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>
> Looking at your smb.conf file, you are using tdb idmap (default on
> DC). So the UID/SID mapping will be different on the different DCs, and
> your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol are
> very important, otherwise GPOs won't be applied.
>
> So it is logical for you to have to apply sysvolreset after your rsync.
>
> One way to avoid that would be to copy idmap.ldb from your first DC to
> the other two DCs. The other way would be to configure rfc2307, but
> I'd say it is too much of a hassle.
>
> Cheers,
>
> Denis
>


Re: Sysvolreset

Samba - General mailing list
On 1/11/2018 12:48 PM, Carlos wrote:

>
> Sorry, my English is not very good!!!
>
> 'gpupdate /force'
> Before sysvolreset, a permission error occurs when loading some GPOs; after
> running sysvolreset the problem has not occurred anymore, but on every
> rsync I run sysvolreset.
>
>
> Regards;
>
>
No worries Carlos.

I do not perform a sysvolreset with my sysvol replication and do not
have these issues. If I do choose to reset the sysvol permissions, I do
it on the DC the others are pulling from. The changes will be replicated.

--
--
James


Re: Sysvolreset

Samba - General mailing list
On Thu, 11 Jan 2018 17:42:19 +0100
Denis Cardon via samba <[hidden email]> wrote:

> Hi Carlos,
> >
> > DC to DC2/DC3 ->
> >
> >  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
> >
> >  /usr/bin/rsync -XAaz --delete-after /opt/samba/var/locks/sysvol root@samba-dc102:/opt/samba/var/locks/
>
> Looking at your smb.conf file, you are using tdb idmap (default on
> DC). So the UID/SID mapping will be different on the different DCs,
> and your rsync will thus mess up the ACLs of sysvol. ACLs on sysvol
> are very important, otherwise GPOs won't be applied.
>
> So it is logical for you to have to apply sysvolreset after your rsync.
>
> One way to avoid that would be to copy idmap.ldb from your first DC
> to the other two DCs. The other way would be to configure rfc2307,
> but I'd say it is too much of a hassle.

If you are going to configure rfc2307 (I take this to mean adding
uidNumber & gidNumber attributes to AD), do not give Domain Admins a
gidNumber, this will turn the group into just a group. This might seem
a strange thing to say, but Domain Admins is mapped to both a group
AND a user in idmap.ldb and the group needs to own GPOs in Sysvol and
it cannot if it is just a group.

Rowland


Re: Sysvolreset

Samba - General mailing list
On Thu, 11 Jan 2018 15:50:40 -0200
Carlos via samba <[hidden email]> wrote:

> Hi,
>
> How do I do that?
> And what would be the possible problems? (Both are in production)
>
> "One way to avoid that would be to copy idmap.ldb from your first DC
> to the other two DCs."
>

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

Rowland


Re: Sysvolreset

Samba - General mailing list
Hello,

copying idmap is fairly straightforward.

1) on your first DC (the one that has PDC FSMO, and is the source for
rsync) create a backup of idmap.ldb

tdbbackup -s .bak /path/to/samba/private/idmap.ldb

it will create idmap.ldb.bak

2) stop samba service on second DC

3) copy idmap.ldb.bak from first dc to second dc, lose the .bak suffix
and just copy it over idmap.ldb on second dc

4) start samba on second dc

I'm not sure if it's necessary, but you can flush winbindd cache:

net cache flush

and that's it

No problems occurred for me, when I did that.


On 11.01.2018 at 18:50, Carlos via samba wrote:

> Hi,
>
> How do I do that?
> And what would be the possible problems? (Both are in production)
>
> "One way to avoid that would be to copy idmap.ldb from your first DC
> to the other two DCs."
>
> Regards;
>
>


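
Added example (not code from any poster in this thread): a way to confirm the cause Denis describes, by comparing the SID-to-xidNumber maps of two DCs before deciding whether idmap.ldb has to be aligned as in the steps above. It assumes each DC's map was dumped with ldbsearch and that mapping records carry cn, xidNumber and type attributes; the two dumps embedded below, including the domain SID and every ID, are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Dump each DC's map first, e.g.:
#     ldbsearch -H /path/to/samba/private/idmap.ldb > dc1.ldif
# Assumption: every mapping record has "cn: <SID>", "xidNumber:" and "type:".

# LDIF on stdin -> "SID xidNumber type" lines, sorted.
# Records whose cn is not a SID (the CONFIG record) are skipped.
idmap_pairs() {
    awk '
        function emit() {
            if (sid ~ /^S-1-/ && xid != "") print sid, xid, typ
            sid = ""; xid = ""; typ = ""
        }
        /^cn: /        { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^type: /      { typ = $2 }
        /^[ \t]*$/     { emit() }
        END            { emit() }
    ' | LC_ALL=C sort
}

# $1 = dump from the reference DC (the rsync source), $2 = dump from another DC.
# Prints one line per SID the two DCs map differently; nothing if they agree.
idmap_diff() {
    ref=$(mktemp) || return 2
    oth=$(mktemp) || { rm -f "$ref"; return 2; }
    idmap_pairs < "$1" > "$ref"
    idmap_pairs < "$2" > "$oth"
    awk '
        FILENAME == ARGV[1] { ref[$1] = $2; next }
        { seen[$1] = 1
          if (!($1 in ref))       print "ONLY_OTHER", $1, $2
          else if (ref[$1] != $2) print "MISMATCH", $1, "ref=" ref[$1], "other=" $2 }
        END { for (s in ref) if (!(s in seen)) print "ONLY_REF", s, ref[s] }
    ' "$ref" "$oth" | LC_ALL=C sort
    rm -f "$ref" "$oth"
}

# CONSTRUCTED sample dump for the first DC (domain SID and IDs are made up).
sample_dc1() {
cat <<'EOF'
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000010

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
cn: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000008

dn: CN=S-1-5-11
cn: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
EOF
}

# CONSTRUCTED sample dump for a DC that allocated its IDs independently.
sample_dc3() {
cat <<'EOF'
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
cn: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000004

dn: CN=S-1-5-18
cn: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
EOF
}

# Compare the two constructed dumps and print the differences.
demo() {
    d=$(mktemp -d) || return 2
    sample_dc1 > "$d/dc1.ldif"
    sample_dc3 > "$d/dc3.ldif"
    idmap_diff "$d/dc1.ldif" "$d/dc3.ldif"
    rm -rf "$d"
}
demo
```

Any MISMATCH, ONLY_REF or ONLY_OTHER line marks a SID whose numeric ID on the rsync source does not mean the same thing on the other DC. Once the maps agree, "samba-tool ntacl sysvolcheck" on the target DC is the follow-up check.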