Okay, I copied the files over and ran those two commands. Both of them returned 
nothing (which I assume is a good thing?) and the file permissions appear to 
have extended ACLs in the sysvol folder. So I'm assuming that worked.

However, when my Windows client attempts to `gpupdate /force` (as the domain 
admin) from the Samba machine, I get the following error message for the 
computer policy:

"The processing of Group Policy failed. Windows attempted to read the file 
\\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from a 
domain controller and was not successful. Group Policy settings may not be 
applied until this event is resolved. This issue may be transient and could be 
caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain 
controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled."

The user policy gets applied just fine.
When I look in the event viewer, I get error code 5 with "Access is Denied" as 
the description. The same event has a DCName field which points at the Samba 
machine, so I know that it's trying to talk to Samba. I can mount the sysvol 
share manually as the domain administrator and see all the files just fine.

Any idea what might be going on?

Thanks,
Zach.
________________________________________
From: Andrew Bartlett [[email protected]]
Sent: Thursday, October 25, 2012 7:18 PM
To: Bethel, Zach
Subject: Re: [Samba] Restricting DC Roles?

On Thu, 2012-10-25 at 23:16 +0000, Bethel, Zach wrote:
> Fair enough, are there special permissions needed for that data on the samba 
> side, or can I mount the sysvol share on my Windows DC as the Domain 
> Administrator and copy/paste those files directly? (or through a script, 
> obviously).

Copy the files, then run 'samba-tool ntacl sysvolreset'.

That will (modulo bugs) fix the ACLs back to be correct.  If your script
on the Windows side uses an ACL-preserving copy, that should be good
too.  'samba-tool ntacl sysvolcheck' will tell you if it worked.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



