Re: [Samba] Fwd: AD Policies are not applying properly

Hello James,

Thanks for your reply.

Our replies are in line.

Any guidance?


Thanks & Regards,

Anantha Raghava

On 22/06/17 8:16 PM, lingpanda101 via samba wrote:
> On 6/22/2017 9:41 AM, Anantha Raghava via samba wrote:
>
>> No solutions to get out of this?
>
> Not sure exactly what your issue is, but based on your error Samba is reporting the following on that particular policy:

Group policies are not consistently applied on all workstations. Some get applied, some not. This is the primary problem. On the Windows XP / 7 / 8 (8.1) / 10 workstations, the client reports that it is unable to resolve the domain controller name to fetch policies. This is the primary problem. We have observed that there is time skew, which we are correcting. Does this have any impact on policies?

>  * Lost Allow Object and Container inheritance on each ACE.

We are using RFC2307 and we believe this enables container inheritance.

>  * Create Owner missing ACE and you have Built in Administrators with
>    an ACE
>  * You have the primary owner as Built in Administrators Group. Samba
>    expects it to be Domain Administrators Group

Can we enable this manually using the Windows gpedit console and set the Create Owner as Domain Administrators instead of Builtin Administrators?

>  * Primary Group you have as Domain users. Samba expects it to be
>    Domain Administrators.

What exactly do you mean by this? Can we set this manually using the gpedit console?

>  * Samba expects the SE_DACL_Protected flag be set.

How do we set this?

> Are you using RFC2307 in your smb.conf? Did you assign Domain Admins a Unix GID (you shouldn't)? Have you run 'samba-tool ntacl sysvolreset' to see if Samba could correct the permissions?

RFC2307 is used in smb.conf. We have not assigned any UNIX GID to Domain Admins. We attempted 'samba-tool ntacl sysvolreset'. However, instead of correcting the permissions, it corrupted the whole set of policies.

I have also seen in one of the posts that one should not attempt sysvolreset as it has some bug.
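
Added example, not part of the original thread and not Samba's own code: a small read-only checker that applies the five expectations listed in the quoted reply (owner, primary group, SE_DACL_PROTECTED, OI/CI on each ACE, a Creator Owner ACE) to a policy folder's security descriptor in SDDL form. The function name and both sample descriptors are constructed for illustration.

```python
import re

# Top-level SDDL layout: O:<owner>G:<group>D:<dacl flags>(ace)(ace)...
SDDL_RE = re.compile(
    r"^O:(?P<owner>[A-Z]{2}|S-[\d-]+)G:(?P<group>[A-Z]{2}|S-[\d-]+)"
    r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)"
)

def is_domain_admins(sid):
    # "DA" is the SDDL alias; RID 512 under a domain SID is Domain Admins.
    return sid == "DA" or re.fullmatch(r"S-1-5-21(-\d+){3}-512", sid) is not None

def check_gpo_sd(sddl):
    """Return a list of findings; an empty list means all five checks passed."""
    m = SDDL_RE.match(sddl)
    if m is None:
        return ["unparseable SDDL"]
    findings = []
    if not is_domain_admins(m["owner"]):
        findings.append(f"owner is {m['owner']}, expected Domain Admins")
    if not is_domain_admins(m["group"]):
        findings.append(f"primary group is {m['group']}, expected Domain Admins")
    if "P" not in m["flags"]:  # P = SE_DACL_PROTECTED; AI/AR contain no "P"
        findings.append("SE_DACL_PROTECTED not set on the DACL")
    trustees = set()
    for ace in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) != 6:
            findings.append(f"malformed ACE ({ace})")
            continue
        flags = {fields[1][i:i + 2] for i in range(0, len(fields[1]), 2)}
        trustees.add(fields[5])
        if not {"OI", "CI"} <= flags:
            findings.append(f"ACE for {fields[5]} lacks OI/CI inheritance")
    if not trustees & {"CO", "S-1-3-0"}:
        findings.append("no Creator Owner ACE")
    return findings

# Constructed sample descriptors (not taken from the thread).
GOOD = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)")
BAD = "O:BAG:DUD:(A;;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;AU)"

if __name__ == "__main__":
    for name, sd in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_gpo_sd(sd) or "ok")
```

The SDDL for a real policy folder can be obtained with `samba-tool ntacl get --as-sddl <path>`; the checker only reports differences and changes nothing on disk.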
