[Samba 4] Access to GPO failed
Kenneth MacDonald
K.MacDonald at ed.ac.uk
Wed Dec 10 12:14:18 GMT 2008
On Tue, 2008-12-09 at 17:07 -0500, Wes Deviers wrote:
> On Tuesday 09 December 2008 16:50:04 Andrew Bartlett wrote:
> > >
> > > * *Got user=[] domain=[] workstation=[SRV1] len1=1 len2=0*
> > >
> > > * *auth_check_password_recv: anonymous authentication for user [NT
> > > AUTHORITY\ANONYMOUS LOGON] succeeded*
> > >
> > > Please let me know if you have any theory about this problem.
> >
> > These things can be a real challenge to debug, but I would start by
> > taking a network trace with wireshark, and see what was the last error
> > before the client message was.
> >
> > Andrew Bartlett
>
>
> In the past, I've had the same problem since at Alpha4 or so. What seems to
> be the problem (at least for me) is when it switches from accessing the server
> as named (\\felix.fake.domain.local) to trying to access it via the domain to
> pull the GPO (\\fake.domain.local) it fails about 90% of the time. Meaning,
> that if I keep pushing the "Edit Group Policy" button over and over, it will
> eventually work once. And then, when I go to save it, if I try to save the
> changes over and over it will eventually work as well.
>
> I can get into the GP-UID portion of the tree every time, but if I try to edit
> the policy file by hand (using Notepad), it fails about 90% of the time. If I
> traverse the tree using the machine name and NOT the domain, it works every
> time with no problems (as in, \\felix.fake.domain.local\...\{uuid}\... lets me
> edit and save the file correctly) Of course, that doesn't help since all of
> the GP tools use the domain name and not the machine, so they all fail
> regardless.
You can set the Group Policy Management Console (GPMC) to use a specific
DC - right click on your domain and choose "Change Domain
Controller ...", then it should list available DCs and you can force it
to use one of them.
> I don't have the patience to try rebooting XP clients enough times to see if
> the GPO will get -pulled- 10% of the time, but then I stopped trying entirely
> about a month ago.
I don't know of any way to force XP clients to talk to a particular DC
when processing GPOs.
Cheers,
Kenny.
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
More information about the samba-technical
mailing list