[Samba 4] Access to GPO failed

Kenneth MacDonald K.MacDonald at ed.ac.uk
Wed Dec 10 12:14:18 GMT 2008

On Tue, 2008-12-09 at 17:07 -0500, Wes Deviers wrote:
> On Tuesday 09 December 2008 16:50:04 Andrew Bartlett wrote:
> > >
> > >     * *Got user=[] domain=[] workstation=[SRV1] len1=1 len2=0*
> > >
> > >     * *auth_check_password_recv: anonymous authentication for user [NT
> > >       AUTHORITY\ANONYMOUS LOGON] succeeded*
> > >
> > > Please let me know if you have any theory about this problem.
> >
> > These things can be a real challenge to debug, but I would start by
> > taking a network trace with wireshark, and see what was the last error
> > before the client message was.
> >
> > Andrew Bartlett
> In the past, I've had the same problem since at Alpha4 or so.  What seems to 
> be the problem (at least for me) is when it switches from accessing the server 
> as named (\\felix.fake.domain.local) to trying to access it via the domain to 
> pull the GPO (\\fake.domain.local) it fails about 90% of the time.  Meaning, 
> that if I keep pushing the "Edit Group Policy" button over and over, it will 
> eventually work once.  And then, when I go to save it, if I try to save the 
> changes over and over it will eventually work as well.
> I can get into the GP-UID portion of the tree every time, but if I try to edit 
> the policy file by hand (using Notepad), it fails about 90% of the time.  If I 
> traverse the tree using the machine name and NOT the domain, it works every 
> time with no problems (as in, \\felix.fake.domain.local\...\{uuid}\... lets me 
> edit and save the file correctly)  Of course, that doesn't help since all of 
> the GP tools use the domain name and not the machine, so they all fail 
> regardless.

You can set the Group Policy Management Console (GPMC) to use a specific
DC - right click on your domain and choose "Change Domain
Controller ...", then it should list available DCs and you can force it
to use one of them.

> I don't have the patience to try rebooting XP clients enough times to see if 
> the GPO will get -pulled- 10% of the time, but then I stopped trying entirely 
> about a month ago.  

I don't know of any way to force XP clients to talk to a particular DC
when processing GPOs.



The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

More information about the samba-technical mailing list