[Samba] Group Policy failures related to machine password replication
Arthur Ramsey
arthur_ramsey at mediture.com
Fri Sep 12 11:36:03 MDT 2014
We are using Samba-4.1.11.
I can run gpupdate /force without error on my machine.
H:\>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
H:\>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
H:\>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
H:\>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
On several other machines in the same OU the computer GPOs fail.
C:\Windows\system32>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
Event details indicate the file is accessed from DC02 as I expected due to AD Sites configuration. If I reset the machine account using netdom against DC02 then I can access the file on DC02, but not the other domain controllers.
C:\Windows\system32>netdom resetpwd /server:dc01.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]
C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>netdom resetpwd /server:dc02.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]
C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>netdom resetpwd /server:dc03.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]
C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>netdom resetpwd /server:dc04.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]
C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
I use rsync to sync the sysvol folder across domain controllers. I've also reset the access lists on all controllers using samba-tool ntacl sysvolreset.
I don't observe any DRS errors or errors in the samba log.
samba-tool drs showrepl
Default\DC01
DSA Options: 0x00000001
DSA object GUID: da9bb168-47a0-4368-aff3-bf06d1b869d2
DSA invocationId: 58439028-5404-4b55-b267-671e626644b9
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:42 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:42 2014 CDT
DC=DomainDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:42 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:42 2014 CDT
DC=DomainDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:43 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:43 2014 CDT
DC=ForestDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:43 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:43 2014 CDT
DC=ForestDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:44 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:44 2014 CDT
DC=ForestDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:44 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:44 2014 CDT
DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:46 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:46 2014 CDT
DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:46 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:46 2014 CDT
DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:47 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:47 2014 CDT
CN=Schema,CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:47 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:47 2014 CDT
CN=Schema,CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:47 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:47 2014 CDT
CN=Schema,CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:48 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:48 2014 CDT
CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:48 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:48 2014 CDT
CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:48 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:48 2014 CDT
CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:49 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:49 2014 CDT
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 6eba921b-0b6c-4cdb-8094-d4a15728d7bd
Enabled : TRUE
Server DNS name : DC02.mediture.dom
Server DN name : CN=NTDS Settings,CN=DC02,CN=Servers,CN=EP,CN=Sites,CN=Configuration,DC=mediture,DC=dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 9b7312d1-a46a-435f-b867-0ca8128da202
Enabled : TRUE
Server DNS name : DC03.mediture.dom
Server DN name : CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default,CN=Sites,CN=Configuration,DC=mediture,DC=dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: d84eed77-ab18-40ce-9023-60586596fb51
Enabled : TRUE
Server DNS name : DC04.mediture.dom
Server DN name : CN=NTDS Settings,CN=DC04,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=mediture,DC=dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
I also have a possibly related issue deleting LDAP objects. I can't delete an object I just created, and the ACL seems correct for the LDAP object.
ldbdel -H ldap://localhost --realm=mediture.dom -UAdministrator OU=test,OU=Mediture_Workstations,OU=Mediture,DC=mediture,DC=dom
Password for [MEDITURE\Administrator]:
delete of 'OU=test,OU=Mediture_Workstations,OU=Mediture,DC=mediture,DC=dom' failed - (insufficient access rights) LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <>
I am totally stumped. Any help would be greatly appreciated!
--
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323
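The netdom test above (reset the machine password against one DC, then read gpt.ini from each) shows where the machine credential is accepted; the script below looks at the same question from the directory side by reading the computer account's pwdLastSet from every DC individually and reporting which DCs disagree. This is an added example, not code from the original post or from Samba. It assumes the four DCs and domain named in the post, a hypothetical computer account WKS01$, and Samba's ldbsearch on PATH for a live run; offline it runs on constructed ldbsearch-style LDIF in which only dc02 carries the post-reset value.

```python
# Added example (not from the original post or Samba): read a computer account's
# password state from each DC directly and report which DCs disagree.
import json
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DOMAIN = "mediture.dom"                  # from the post
BASE_DN = "DC=mediture,DC=dom"
DCS = ["dc01", "dc02", "dc03", "dc04"]   # from the post
ATTRS = ["pwdLastSet", "msDS-KeyVersionNumber", "uSNChanged"]


def nt_time_to_datetime(nt: int) -> datetime:
    """pwdLastSet is stored as 100 ns ticks since 1601-01-01 UTC."""
    return NT_EPOCH + timedelta(microseconds=nt // 10)


def parse_ldif(text: str) -> dict:
    """First record of ldbsearch output as {attribute: value}.

    Joins folded continuation lines, skips '#' comments and base64 ('::')
    values, and stops at the blank line that ends the record.
    """
    record, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:            # folded continuation line
            record[last] += line[1:]
            continue
        if not line.strip():
            if record:
                break
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([\w.-]+):(:?) ?(.*)$", line)
        if not m or m.group(2):
            last = None
            continue
        last = m.group(1)
        record[last] = m.group(3)
    return record


def fetch_ldif(dc: str, computer: str, user: str) -> str:
    """Ask one DC by name rather than via the domain name, which any DC may answer."""
    cmd = ["ldbsearch", "-H", f"ldap://{dc}.{DOMAIN}", "-U", user, "-b", BASE_DN,
           f"(&(objectClass=computer)(sAMAccountName={computer}$))", *ATTRS]
    # stderr stays on the terminal so the ldbsearch password prompt is visible
    return subprocess.run(cmd, check=True, stdout=subprocess.PIPE, text=True).stdout


def compare(records: dict) -> dict:
    """records: {dc: parsed LDIF}. pwdLastSet is a replicated attribute, so every DC
    must agree once a netdom resetpwd has replicated; uSNChanged is per DC, informative only."""
    stamps = {dc: int(r["pwdLastSet"]) for dc, r in records.items() if "pwdLastSet" in r}
    newest = max(stamps.values(), default=0)
    return {
        "pwdLastSet": {dc: nt_time_to_datetime(t).isoformat() for dc, t in stamps.items()},
        "kvno": {dc: r.get("msDS-KeyVersionNumber") for dc, r in records.items()},
        "latest": sorted(dc for dc, t in stamps.items() if t == newest),
        "stale": sorted(dc for dc, t in stamps.items() if t < newest),
        "missing": sorted(set(records) - set(stamps)),
        "consistent": len(set(stamps.values())) == 1 and len(stamps) == len(records),
    }


def _sample(pwd_last_set: int, kvno: int, usn: int) -> str:
    """Constructed ldbsearch-style output for a hypothetical account WKS01$."""
    return ("# record 1\n"
            "dn: CN=WKS01,OU=Mediture_Workstations,OU=Mediture,DC=mediture,DC=dom\n"
            f"pwdLastSet: {pwd_last_set}\nmsDS-KeyVersionNumber: {kvno}\nuSNChanged: {usn}\n"
            "\n# returned 1 records\n# 1 entries\n# 0 referrals\n")


NEW = 130550130000000000   # 2014-09-12 16:30:00 UTC: the reset run against DC02
OLD = 130524210000000000   # 2014-08-13 16:30:00 UTC: the password before the reset
SAMPLE = {"dc01": _sample(OLD, 3, 41020), "dc02": _sample(NEW, 4, 39877),
          "dc03": _sample(OLD, 3, 40311), "dc04": _sample(OLD, 3, 38506)}


def sample_report() -> dict:
    return compare({dc: parse_ldif(text) for dc, text in SAMPLE.items()})


if __name__ == "__main__":
    if len(sys.argv) == 3:   # live run: check.py COMPUTER 'MEDITURE\user'
        report = compare({dc: parse_ldif(fetch_ldif(dc, *sys.argv[1:])) for dc in DCS})
    else:
        report = sample_report()
    print(json.dumps(report, indent=2))
```

Run as `python3 check.py WKS01 'MEDITURE\arthurr'` to query the DCs, or with no arguments to see the report on the constructed sample. A DC still listed under "stale" well after replication should have run has not received the password change, which at the directory level is consistent with "Access is denied" from every DC except the one netdom was pointed at.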
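Checking "no DRS errors" on four DCs means reading roughly two hundred lines of samba-tool drs showrepl per DC. The summary below, an added example that is not code from the original post or from Samba, reduces that output to failed neighbours, neighbours with no recorded success (NTTIME(0)) and KCC warnings. The embedded sample mirrors the layout of the post's output and adds one constructed failing inbound neighbour (result 8453, WERR_DS_DRA_ACCESS_DENIED) so the failure branch is exercised; that failure is invented and did not appear in the post.

```python
# Added example (not from the original post or Samba): condense
# `samba-tool drs showrepl` into failed / never-succeeded / warnings.
import json
import re
import sys

NEIGHBOR_RE = re.compile(r"^(?P<site>[^\\\s]+)\\(?P<dc>\S+) via (?P<transport>\w+)$")
ATTEMPT_RE = re.compile(r"^Last attempt @ (?P<when>.+?) "
                        r"(?:(?P<ok>was successful)|failed, result (?P<code>\d+) \((?P<err>\w+)\))$")
FAILS_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^Last success @ (.+)$")
NC_RE = re.compile(r"^(?:DC|CN)=")


def summarize(text: str) -> dict:
    """Walk the INBOUND / OUTBOUND / KCC sections and collect one dict per neighbour."""
    section, nc, cur, server = None, None, None, None
    neighbors, kcc_warnings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):                    # section header
            section, cur = line.strip("= ").split()[0].lower(), None
            continue
        if section in ("inbound", "outbound"):
            if NC_RE.match(line):                      # naming context being replicated
                nc = line
                continue
            m = NEIGHBOR_RE.match(line)
            if m:
                cur = {"direction": section, "nc": nc, "partner": m["dc"], "site": m["site"],
                       "ok": None, "error": None, "failures": 0, "last_success": None}
                neighbors.append(cur)
                continue
            if cur is None:
                continue
            if m := ATTEMPT_RE.match(line):
                cur["ok"] = m["ok"] is not None
                cur["error"] = None if cur["ok"] else f"{m['code']} {m['err']}"
            elif m := FAILS_RE.match(line):
                cur["failures"] = int(m.group(1))
            elif m := SUCCESS_RE.match(line):
                cur["last_success"] = m.group(1)
        elif section == "kcc":
            if line.startswith("Server DNS name"):
                server = line.split(":", 1)[1].strip()
            elif line.startswith("Warning:"):
                kcc_warnings.append(f"{server}: {line[len('Warning:'):].strip()}")
    return {
        "neighbors": neighbors,
        "failed": [n for n in neighbors if n["ok"] is False or n["failures"] > 0],
        "never_succeeded": [n for n in neighbors if n["last_success"] == "NTTIME(0)"],
        "kcc_warnings": kcc_warnings,
    }


# Constructed excerpt in the shape of the post's output; the DC04 failure is invented.
SAMPLE = r"""Default\DC01
DSA Options: 0x00000001
==== INBOUND NEIGHBORS ====
DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:46 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:46 2014 CDT
DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:47 2014 CDT failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
3 consecutive failure(s).
Last success @ Thu Sep 11 09:02:10 2014 CDT
==== OUTBOUND NEIGHBORS ====
DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 6eba921b-0b6c-4cdb-8094-d4a15728d7bd
Enabled : TRUE
Server DNS name : DC02.mediture.dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
"""


def sample_summary() -> dict:
    return summarize(SAMPLE)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(json.dumps(summarize(text), indent=2))
```

Usage: `ssh dc01 samba-tool drs showrepl | python3 showrepl_summary.py`, repeated for each DC; with no input on stdin it runs on the constructed sample. "never_succeeded" is reported separately from "failed" because an NTTIME(0) timestamp only says no success has been recorded for that neighbour, not that an attempt failed.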