[Samba 4] Access to GPO failed

Son Nguyen sonnh at saigontech.edu.vn
Mon Dec 22 08:18:58 GMT 2008

Hi all,
    After testing for some days, I have some notes:

    * Testing with Samba4 running on CentOS-5.2 x86-64
    * Windows XP + Server 2003 running on some machines
    * The GPOs do not work well with all computers
          o On computers that can access and edit GPOs (using dsa.msc), the
            policy takes effect for that computer. For example: if I
            configure a GPO to *not* allow users to access the control
            panel, *no user can* access the control panel
          o On computers that cannot access and edit GPOs, the policy does
            not take effect. For example: if I configure a GPO to not allow
            users to access the control panel, users *can* access the
            control panel

Do you have any ideas about this problem?

Andrew Bartlett wrote:
> On Fri, 2008-12-12 at 14:39 +1100, Andrew Bartlett wrote:
>> On Fri, 2008-12-12 at 09:53 +0700, Son Nguyen wrote:
>>> Son Nguyen wrote:
>>>> Volker Lendecke wrote:
>>>>> On Wed, Dec 10, 2008 at 10:11:31AM -0500, Wes Deviers wrote:
>>>>>> I haven't said anything or really tracked down much on the behavior; 
>>>>>> I've assumed lots of people are using recent SVN pulls with 
>>>>>> everything working     
>>>>> You really mean SVN? We switched to git months ago. See
>>>>> http://us6.samba.org/samba/devel/ and
>>>>> http://wiki.samba.org/index.php/Samba4/HOWTO for info how to
>>>>> get the latest code.
>>>>> Volker
>>>>    I've duplicated this error today with the new version from GIT.
>>>> #define SAMBA_VERSION_GIT_COMMIT_DATE "Wed Dec 10 17:03:53 2008 -0800"
>>>> #define SAMBA_VERSION_OFFICIAL_STRING "4.0.0alpha6-GIT-d7d525b"
>>>> Does anybody have experience in working with Samba4 GPOs?
>>>> Please give me your ideas about this error.
>>>> I am also interested in deploying Samba4 with an LDAP backend (OpenLDAP,
>>>> or CentDS). I tried to follow the document from the Samba Wiki but there
>>>> are some errors when I provision Samba4. Please let me know if you have
>>>> other documents.
>>>> Thanks a lot,
>>>> Son Nguyen
>>> Hi all,
>>>     After reading the Samba log file and the network capture file, I think
>>> that this error is related to KRB5.
>>>     * Log file: Kerberos: Failed building TGS-REP to
>>>     * Capture file: KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (packet
>>>       number 46)
>> I think this is a very reasonable conclusion.  The cases where this has
>> worked are probably those where the CIFS connection is already up, so
>> re-authentication is not required.
>> The challenge is:  Which host should this principal (cifs/my.realm)
>> point to?  Or do all the hosts share a 'realm password' (perhaps the
>> krbtgt password?) to decrypt such a ticket?
> As a test, could you please edit the servicePrincipalNames attribute of
> your DC entry in LDB (or simply setup/provision_self_join) to include
>  host/my.realm
> This should allow the client to connect and apply policies, while I
> figure out the proper way to handle this.
>> I'll ask for clarification from Microsoft (unless someone here already
>> knows)
> I've got an issue open with Microsoft for exactly this question.  Follow
> the fun on the cifs-protocol list if you like :-)
> Andrew Bartlett
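
Added example (not part of the thread and not Samba code): a Python model of the service-principal lookup discussed above, showing why a TGS request for cifs/my.realm fails until host/my.realm is registered on the DC entry. It assumes the KDC treats cifs as an alias of host, as Active Directory's sPNMappings does; the DC name, the LDIF record and the function names are constructed for illustration.

```python
# Added example; constructed data, not taken from the poster's server.
# Assumption: the KDC resolves these service classes through "host", as the
# default AD sPNMappings value does (only a subset is listed here).
HOST_ALIASES = {"cifs", "http", "dns", "rpc", "netlogon", "spooler"}

# Constructed LDIF for a DC account, in "attribute: value" form.
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=my,DC=realm
sAMAccountName: DC1$
servicePrincipalName: host/dc1.my.realm
servicePrincipalName: host/DC1
servicePrincipalName: ldap/dc1.my.realm
"""


def spns_from_ldif(ldif):
    """Return the servicePrincipalName values of one LDIF record."""
    values = []
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "serviceprincipalname":
            values.append(value.strip())
    return values


def split_spn(spn):
    """Split 'service/instance' and lower-case both parts for comparison."""
    service, _, instance = spn.partition("/")
    return service.lower(), instance.lower()


def resolve(requested, registered):
    """Return (matching registered SPN, how it matched), or
    (None, 'S_PRINCIPAL_UNKNOWN') when no account carries the name."""
    service, instance = split_spn(requested)
    index = {split_spn(spn): spn for spn in registered}
    if (service, instance) in index:
        return index[(service, instance)], "exact"
    if service in HOST_ALIASES and ("host", instance) in index:
        return index[("host", instance)], "host-alias"
    return None, "S_PRINCIPAL_UNKNOWN"


if __name__ == "__main__":
    spns = spns_from_ldif(SAMPLE_LDIF)
    print(resolve("cifs/my.realm", spns))                      # realm-wide name
    print(resolve("cifs/my.realm", spns + ["host/my.realm"]))  # after the edit
```
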
