Error updating policy (GPO)

v7
activedirectory

(Andres) #1

NethServer Version: NethServer release 7.4.1708
Module: nsdc

Hello everyone.

I currently have problems with GPOs using RSAT.
In Windows clients when applying:

C:\Users\user1>  gpupdate /force
Updating policy ...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file
\\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be transient and
could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT/H GPReport.html
from the command line to access information about Group Policy results.

Searching, I found this link https://blog.vucica.net/2015/02/error-when-applying-group-policies-on-a-samba-4-ad-member.html

And the solution is executing:

# samba-tool ntacl sysvolreset

I do not know if this (the command) generates possible errors with the operation of the service.

Thank you.


(Alessio Fattorini) #2

Hi Andres,
welcome to the NethServer Community!
I would tag @des @planet_jeroen @davidep @saitobenkei @iglqut here; they are real experts in such fields.


(Andres) #3

Thanks @alefattorini

I could give more information:

  1. There is only one DC.
  2. Yesterday I moved the /var partition. (I do not know if this was the cause.) I had moved this partition before and had no problems.
  3. Windows clients authenticate against the server without problem.

I’m still looking for a solution on the Internet.

Thank you.


(Andres) #4

With samba-tool you can reset:

But:

# /var/lib/machines/nsdc/usr/bin/samba-tool ntacl sysvolreset
Traceback (most recent call last):
  File "/var/lib/machines/nsdc/usr/bin/samba-tool", line 33, in <module>
    from samba.netcmd.main import cmd_sambatool
ImportError: No module named samba.netcmd.main

This message is known on the internet.

I’ll keep looking.


(Jeroen Visser) #5

You mention you can log on. Can you also browse the sysvol share?

The samba-tool … are you entering that command from the NethServer command prompt? I suspect it needs to be run from within the container, as the NethServer host is just a member of the domain that runs in the container afaik.

I’ll look in a small hour, if still needed.


(Andres) #6

Hi @planet_jeroen

Only administrator users can access the sysvol.
Another user has the message:
you do not have permission to access...

Indeed, the command is launched from the NethServer server. This event is 100% related to SAMBA, according to the SAMBA website.


(Markus Neuberger) #7

Hi @Andres,

to run samba-tool ntacl sysvolreset inside the container you may run the following command on your NethServer:

systemd-run -M nsdc -t /bin/bash -c "samba-tool ntacl sysvolreset"

I tried it and can still log in and access shares, but you should have a backup ready…

Source:

https://wiki.nethserver.org/doku.php?id=howto:useful_commands#samba4

https://wiki.samba.org/index.php/FAQ#What_Does_The_permissions_for_this_GPO_in_the_SYSVOL_folder_are_inconsistent_with_those_in_Active_Directory_Mean.3F


(Andres) #8

Solved! Thank you @mrmarkuz

In console when entering:

# systemd-run -M nsdc -t /bin/bash -c "samba-tool ntacl sysvolreset"
Running as unit run-16298.service.
Press ^] three times within 1s to disconnect TTY.

In the client:

C:\Users\user1>  gpupdate /force
Updating policy ...

User Policy update has completed successfully.
Computer policy update has completed successfully.

Thank you very much!
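
The reset from posts #7 and #8, wrapped with the backup that post #7 recommends, as an added example that is not part of the thread: it checks the SYSVOL ACLs, archives SYSVOL with its extended attributes, resets, then checks again. The SYSVOL path inside the container, the backup directory and the tar xattr options are assumptions; by default the script only prints the commands (set DRY_RUN=0 to execute them).

```sh
#!/bin/sh
# Added example: check -> back up -> reset -> re-check SYSVOL ACLs from the NethServer host.
CONTAINER=nsdc                       # container name used in the thread
ROOT=/var/lib/machines/$CONTAINER    # container root, as seen in post #4
SYSVOL_REL=var/lib/samba/sysvol      # ASSUMPTION: Samba's default state directory
BACKUP_DIR=${BACKUP_DIR:-/root}      # ASSUMPTION: where the archive is written
DRY_RUN=${DRY_RUN:-1}                # 1 = print the commands, 0 = execute them

# Execute a command, or in dry-run mode print it with quotes restored.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        line=
        for a in "$@"; do
            case $a in *" "*|*"*"*) a="\"$a\"" ;; esac
            line="$line${line:+ }$a"
        done
        printf '%s\n' "$line"
    else
        "$@"
    fi
}

# Run a command line inside the domain controller container (form from post #7).
in_container() {
    run systemd-run -M "$CONTAINER" -t /bin/bash -c "$1"
}

backup_name() {
    printf '%s/sysvol-%s.tar.gz' "$BACKUP_DIR" "$1"
}

main() {
    stamp=$(date +%Y%m%d-%H%M%S)
    # sysvolcheck reports mismatches between file ACLs and the directory.
    in_container "samba-tool ntacl sysvolcheck"
    # NT ACLs live in extended attributes, so the archive must carry them
    # (ASSUMPTION: a tar build that supports these xattr/ACL options).
    run tar --xattrs '--xattrs-include=*' --acls -czf "$(backup_name "$stamp")" \
        -C "$ROOT" "$SYSVOL_REL" || { echo "backup failed, not resetting" >&2; return 1; }
    in_container "samba-tool ntacl sysvolreset"
    in_container "samba-tool ntacl sysvolcheck"
}

main
```

Read the output of the second sysvolcheck, then repeat `gpupdate /force` on a client as in post #8.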