There is a huge problem.
It seems that policies in OUs don't work. I've created them via RSAT and linked them properly. I checked it twice, even on a clean install. Any idea what it can be?
Every change in a policy linked to an OU causes an error:
`samba-tool ntacl sysvolcheck` returned a problem with the sysvol ACLs.
STDOUT:
```
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/test.local/Policies/{DA2B6029-BF3D-4967-B1CA-A76FB3CACA49}/Machine/Registry.pol O:S-1-5-21-485807191-1044838808-759050481-1116G:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;S-1-5-21-485807191-1044838808-759050481-1116)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/test.local/Policies/{DA2B6029-BF3D-4967-B1CA-A76FB3CACA49}/Machine/Registry.pol O:S-1-5-21-485807191-1044838808-759050481-1116G:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;S-1-5-21-485807191-1044838808-759050481-1116)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
```
You can run `samba-tool ntacl sysvolreset` to fix the issue.
Edit:
I tried to apply a policy for specific users using a group, and I've linked the policy to the domain, but this method doesn't work either.
Can anyone help with how to apply a policy for specific users, not for all users in the domain, using UCS?
Edit 2:
After a clean install I have the one error listed below. Is it normal? Can it be connected with the described problem with OUs?
`samba-tool dbcheck` returned a problem with the local AD database.
STDOUT:
```
Checking 229 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=test,DC=local - ;;;;;;;;CN=Administrator,CN=Users,DC=test,DC=local
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 229 objects (1 errors)
```
You can run `samba-tool dbcheck --fix` to fix the issue.
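The two SDDL strings in the `sysvolcheck` error above are hard to compare by eye. The following is an added example, not part of the original post and not Samba's own code: it parses both strings (copied from the output above) and reports where the ACL found on `Registry.pol` deviates from the one expected from the GPO object. The function names `parse_sddl` and `diff_sddl` are hypothetical.

```python
import re

# SDDL strings copied from the sysvolcheck output above: the ACL found on
# Registry.pol, and the ACL expected from the GPO object.
FOUND = ("O:S-1-5-21-485807191-1044838808-759050481-1116G:DAD:"
         "(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)"
         "(A;;0x001f01ff;;;S-1-5-21-485807191-1044838808-759050481-1116)"
         "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

# Owner, group, DACL control flags, then zero or more parenthesised ACEs.
SDDL_RE = re.compile(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout: " + sddl[:40])
    owner, group, flags, ace_blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, ace_flags, rights, _obj, _inh, trustee = fields
        aces.append({"type": ace_type, "flags": ace_flags,
                     "rights": int(rights, 16), "trustee": trustee})
    return {"owner": owner, "group": group, "dacl_flags": flags, "aces": aces}

def diff_sddl(found, expected):
    """Return a dict describing how `found` deviates from `expected`."""
    f, e = parse_sddl(found), parse_sddl(expected)
    report = {k: (f[k], e[k]) for k in ("owner", "group", "dacl_flags")
              if f[k] != e[k]}
    # Index ACEs by trustee; a repeated trustee keeps its last ACE.
    f_by, e_by = ({a["trustee"]: a for a in d["aces"]} for d in (f, e))
    both = set(f_by) & set(e_by)
    report["missing_trustees"] = sorted(set(e_by) - set(f_by))
    report["unexpected_trustees"] = sorted(set(f_by) - set(e_by))
    report["flag_mismatch"] = sorted(
        t for t in both if f_by[t]["flags"] != e_by[t]["flags"])
    report["rights_mismatch"] = sorted(
        t for t in both if f_by[t]["rights"] != e_by[t]["rights"])
    return report

if __name__ == "__main__":
    for key, value in diff_sddl(FOUND, EXPECTED).items():
        print(key, "->", value)
```

On this input the access masks match for every shared trustee; the differences are the owner, the missing `P` (protected) DACL flag, the missing `CO` ACE, the extra ACE for the user SID, and the absent `OICI` inheritance flags.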