Cannot create a GPO in DSfW Domain

  • 7008755
  • 09-Jun-2011
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 SP1 (OES2SP1)
Novell Open Enterprise Server 2 SP2 (OES2SP2)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW

Situation

Cannot create a group policy object.

Resolution

If there is more than one Domain Controller and KB 7005685 was followed, confirm that it is writing to the read-write sysvol on the PDC.
 
Look in /var/log/samba/log.smbd and grep for " failing create on read-only share sysvol".
Example:
grep -i " failing create on read-only share sysvol" /var/log/samba/log.smbd
 
The log.smbd will also show the rights when opening the sysvol directory.
If you see the following messages in the log.smbd, then the sysvol or another directory within the sysvol has had its rights changed.
 
opening directory novell.com/sysvol/novell.com, access_mask = 0x100001, share_access = 0x3 create_options = 0x200001, create_disposition = 0x2, file_attributes = 0x8
[2011/02/27 08:32:22, 5] smbd/open.c:mkdir_internal(1952)
  mkdir_internal: failing create on read-only share sysvol
 
The GPOs are created in /var/opt/novell/xad/sysvol/domain/Policies.
Verify that the rights for the /var/opt/novell/xad/sysvol/domain/Policies directory on the PDC are:
drwxrwx--T+ 7 administrator domain admins 368 2011-03-05 08:34 Policies
 
Verify that the rights for the /var/opt/novell/xad/sysvol directory on the PDC are:
drwxrwx---+ 6 administrator domain admins 368 2011-03-05 08:34 sysvol
 
Verify that the rights for the directories in /var/opt/novell/xad/sysvol on the PDC are:
drwxrwx---+ 6 administrator domain admins 368 2011-03-05 08:34 domain
drwxrwx---+ 6 administrator domain admins 368 2011-03-05 08:34 staging
drwxrwx---+ 6 administrator domain admins 368 2011-03-05 08:34 staging areas
drwxrwx---+ 6 administrator domain admins 368 2011-03-05 08:34 sysvol
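
The checks above can be run in one pass with the following script. It is an added example, not part of the original TID or of Novell's tooling. The function names and the SYSVOL_ROOT and SMBD_LOG variables are assumptions; the default paths and the expected modes are taken from the listings above (drwxrwx--- is 770, drwxrwx--T is 1770).

```shell
#!/bin/bash
# Added example, not Novell's code. Defaults are the paths named in this TID.
SYSVOL_ROOT="${SYSVOL_ROOT:-/var/opt/novell/xad/sysvol}"
SMBD_LOG="${SMBD_LOG:-/var/log/samba/log.smbd}"

# Print how many times smbd refused a create because the share was read-only.
count_readonly_failures() {
    grep -ci 'failing create on read-only share sysvol' "$1" || true
}

# Compare one directory's octal mode with the expected value.
# Owner and group are printed for manual comparison (the TID lists
# "administrator" and "domain admins"); the ACL marked by "+" is not checked.
check_mode() {
    local dir="$1" want="$2" got
    if ! got=$(stat -c '%a %U:%G' "$dir" 2>/dev/null); then
        echo "MISSING  $dir"; return 1
    fi
    if [ "${got%% *}" = "$want" ]; then
        echo "OK       $dir ($got)"
    else
        echo "MISMATCH $dir ($got, expected mode $want)"; return 1
    fi
}

# Check sysvol, its four subdirectories and domain/Policies.
# The return value is the number of directories that are missing or differ.
check_sysvol() {
    local root="$1" bad=0 d
    check_mode "$root" 770 || bad=$((bad + 1))
    for d in domain staging "staging areas" sysvol; do
        check_mode "$root/$d" 770 || bad=$((bad + 1))
    done
    check_mode "$root/domain/Policies" 1770 || bad=$((bad + 1))
    return "$bad"
}

# Run on the PDC as: ./check_sysvol.sh run
if [ "${1:-}" = "run" ]; then
    echo "read-only create failures: $(count_readonly_failures "$SMBD_LOG")"
    check_sysvol "$SYSVOL_ROOT"
fi
```

Run it as root on the PDC; any MISMATCH or MISSING line names a directory whose rights differ from the listings above.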
 
 

Additional Information

Sample log.smbd
 
[2011/02/27 08:32:22, 4] smbd/vfs.c:vfs_ChDir(665)
  vfs_ChDir to /var/opt/novell/xad/sysvol/sysvol
[2011/02/27 08:32:22, 10] smbd/nttrans.c:reply_ntcreate_and_X(515)
  reply_ntcreate_and_X: flags = 0x10, access_mask = 0x100001 file_attributes = 0x80, share_access = 0x3, create_disposition = 0x2 create_options = 0x200001 root_dir_fid = 0x0
[2011/02/27 08:32:22, 5] smbd/filename.c:unix_convert(147)
  unix_convert called on file "novell.com/SysVol/novell.com"
[2011/02/27 08:32:22, 10] smbd/statcache.c:stat_cache_lookup(215)
  stat_cache_lookup: lookup failed for name [NOVELL.COM/SYSVOL/NOVELL.COM]
[2011/02/27 08:32:22, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [NOVELL.COM/SYSVOL] -> [novell.com/sysvol]
[2011/02/27 08:32:22, 5] smbd/statcache.c:stat_cache_add(140)
  stat_cache_add: Added entry (555555ac9b80:size15) NOVELL.COM/SYSVOL/NOVELL.COM -> novell.com/sysvol/novell.com
[2011/02/27 08:32:22, 5] smbd/filename.c:unix_convert(241)
  conversion finished novell.com/SysVol/novell.com -> novell.com/sysvol/novell.com
[2011/02/27 08:32:22, 5] smbd/open.c:open_directory(2057)
  open_directory: opening directory novell.com/sysvol/novell.com, access_mask = 0x100001, share_access = 0x3 create_options = 0x200001, create_disposition = 0x2, file_attributes = 0x80
[2011/02/27 08:32:22, 5] smbd/open.c:mkdir_internal(1952)
  mkdir_internal: failing create on read-only share sysvol
[2011/02/27 08:32:22, 2] smbd/open.c:open_directory(2092)
  open_directory: unable to create novell.com/sysvol/novell.com. Error was NT_STATUS_ACCESS_DENIED