Re: [Samba] Fwd: AD Policies are not applying properly
- Date: Fri, 23 Jun 2017 16:25:49 +0530
- From: Anantha Raghava via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Fwd: AD Policies are not applying properly
Thanks for your reply.
Our replies are in line.
Thanks & Regards,
On 22/06/17 8:16 PM, lingpanda101 via samba wrote:
Group policies are not consistently applied on all workstations. Some
get applied, some not. This is the primary problem. On the Windows XP / 7
/ 8 (8.1) / 10 workstations, the client reports that it is unable to
resolve the domain controller name to fetch policies. This is the
primary problem. We have observed that there is time skew, which we are
correcting. Does this have any impact on policies?
On 6/22/2017 9:41 AM, Anantha Raghava via samba wrote:
Not sure exactly what your issue is but based on your error Samba is
reporting the following on that particular Policy;
No solutions to get out of this?
* Lost Allow Object and Container inheritance on each ACE.
We are using RFC2307 and we believe this enables container inheritance.
Can we enable this manually using windows gpedit console and set the
Create Owner as Domain Administrators instead of Builtin Administrators?
* Create Owner missing ACE and you have Built in Administrators with
* You have the primary owner as Built in Administrators Group. Samba
expects it to be Domain Administrators Group
What exactly do you mean by this? Can we set this manually using gpedit
* Primary Group you have as Domain users. Samba expects it to be
* Samba expects the SE_DACL_Protected flag be set.
How do we set this?
RFC2307 is used in smb.conf. We have not assigned any UNIX GID to Domain
Admins. We attempted 'samba-tool ntacl sysvolreset'. However, instead of
correcting the permissions, it corrupted the whole set of policies.
Are you using RFC2307 in your smb.conf? Did you assign Domain Admins a
Unix GID (you shouldn't)? Have you run 'samba-tool ntacl sysvolreset'
to see if Samba could correct the permissions?
I have also seen in one of the posts that one should not attempt
sysvolreset as it has some bug.