Have you tried samba-tool ntacl sysvolreset yet?

Ricky

On Mar 29, 2013 2:16 PM, "Pavel Valach" <valach.pa...@outlook.com> wrote:
> Hello,
>
> I'm having one strange issue with the latest stable Samba 4.0.4. I'm testing
> it as a domain controller for two virtual machines.
> The Samba AD DC is Debian stable, with two domain members - Windows XP Pro
> and trial Windows 8 Enterprise.
>
> User configuration using GPOs is working as expected. However, Computer
> configuration is never applied properly. Event logs show this entry:
>
> ------
> Source: GroupPolicy (Microsoft-Windows-GroupPolicy)
> Event ID: 1058
> EventData
> SupportInfo1 4
> SupportInfo2 820
> ProcessingMode 0
> ProcessingTimeInMilliseconds 516
> ErrorCode 5
> ErrorDescription Access is denied.
> DCName debian-server.gym.internal
> GPOCNName
> cn={CE7B09A1-D85A-4A40-9C2F-3DD0DA013345},cn=policies,cn=system,DC=gym,DC=internal
> FilePath
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
>
> The processing of Group Policy failed. Windows attempted to read the file
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
> from a domain controller and was not successful. Group Policy settings may
> not be applied until this event is resolved. This issue may be transient
> and could be caused by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
> ------
>
> a) Name resolution works, gym.internal is accessible and DNS query for
> gym.internal returns correct result.
> b) File gpt.ini is readable with following content:
> ------
> [General]
> Version=3
> displayName=Nový objekt zásad skupiny
> ------
> c) Distributed File System is not enabled on my VMs.
>
> I'm suspecting a possible problem with permissions. I have already tried
> to:
> 1) link GPO to the proper domain / OU
> 2) reboot computer several times
> 3) set various permissions for various people
>
> Currently I have two GPOs which modify computer settings. "Default Domain
> Policy" and "Nejaka nastaveni pro ucebnu". Neither of them shows up in the
> GPRESULT report. "Default Domain Policy" modifies both user and computer
> configuration, "Nejaka nastaveni pro ucebnu" modifies only computer
> configuration.
>
> Permissions for "Nejaka nastaveni pro ucebnu":
> - Authenticated Users - Read (from Security Filtering) - Not Inherited
> - Domain Admins - Edit settings, delete, modify security - Not Inherited
> - Enterprise Admins - Edit settings, delete, modify security - Not
> Inherited
> - ServerLogon - Read - Not Inherited
> - SYSTEM - Edit settings, delete, modify security - Not Inherited
>
> Here is result of GPRESULT /R command that ran on the Win8 VM. On Windows
> XP, Computer Settings had N/A security groups - which is weird.
>
> =====
> RSOP data for GYM\valachp on UC01-TEST : Logging Mode
> ------------------------------------------------------
> OS Configuration: Member Workstation
> OS Version: 6.2.9200
> Site Name: N/A
> Roaming Profile: N/A
> Local Profile: C:\Users\valachp
> Connected over a slow link?: No
>
> COMPUTER SETTINGS
> ------------------
> CN=UC01-TEST,OU=Ucebny,DC=gym,DC=internal
> Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
> Group Policy was applied from: debian-server.gym.internal
> Group Policy slow link threshold: 500 kbps
> Domain Name: WINDOWS-UJ49S6B
> Domain Type: WindowsNT 4
>
> Applied Group Policy Objects
> -----------------------------
> N/A
>
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Local Group Policy
> Filtering: Not Applied (Empty)
>
> The computer is a part of the following security groups
> -------------------------------------------------------
> System Mandatory Level
> Everyone
> BUILTIN\Users
> NT AUTHORITY\SERVICE
> CONSOLE LOGON
> NT AUTHORITY\Authenticated Users
> This Organization
> BDESVC
> BITS
> CertPropSvc
> DsmSvc
> Eaphost
> hkmsvc
> IKEEXT
> iphlpsvc
> LanmanServer
> MMCSS
> MSiSCSI
> NcaSvc
> RasAuto
> RasMan
> RemoteAccess
> Schedule
> SCPolicySvc
> SENS
> SessionEnv
> SharedAccess
> ShellHWDetection
> SystemEventsBroker
> wercplsupport
> Winmgmt
> wlidsvc
> wuauserv
> LOCAL
> BUILTIN\Administrators
>
> USER SETTINGS
> --------------
> CN=Pavel Valach,CN=Users,DC=gym,DC=internal
> Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
> Group Policy was applied from: debian-server.gym.internal
> Group Policy slow link threshold: 500 kbps
> Domain Name: GYM
> Domain Type: Windows 2000
>
> Applied Group Policy Objects
> -----------------------------
> Default Domain Policy
> Zásady pro studenty
>
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Local Group Policy
> Filtering: Not Applied (Empty)
>
> The user is a part of the following security groups
> ---------------------------------------------------
> Domain Users
> Everyone
> BUILTIN\Users
> NT AUTHORITY\INTERACTIVE
> CONSOLE LOGON
> NT AUTHORITY\Authenticated Users
> This Organization
> LOCAL
> Studenti
> Medium Mandatory Level
> =====
>
> Well, I think that's enough for now... I'd very much appreciate it if someone
> could take a look at this. I hope it's just me overlooking something so
> simple.
> If you need any other information, please let me know.
>
> Thanks and best regards
> -Pavel
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba