Group Policy not working + other problems

Matthieu Patou mat at samba.org
Sun Jul 17 02:58:42 MDT 2011


On 17/07/2011 11:11, James Rhodes wrote:
> So I recently upgraded my Samba 4 server to alpha 17 using GIT revision
> 3dae323 and Group Policy has stopped working (I've spent the last few hours
> trying to resolve this issue, but I seem to be stuck).  I hadn't actually
> noticed this until today when I attempted to join a computer to a domain and
> then manually updated its Group Policy using gpupdate.
>
> I've managed to narrow down the error to this (shown when using samba -i -d
> 3):
>
>> Kerberos: TGS-REQ james-pc$@REDPOINT.INT from ipv4:192.168.1.84:57355 for
> LDAP/redpoint.redpoint.int/redpoint.int@REDPOINT.INT [renewable,
> forwardable]
>> Kerberos: Searching referral for redpoint.redpoint.int
>> Kerberos: Server not found in database: LDAP/
> redpoint.redpoint.int/redpoint.int@REDPOINT.INT: no such entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.84:57355
>> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
>> Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
> I am assuming that the cause of Kerberos no longer being able to find the
> server is caused by updating Samba 4 to a newer version, however I do not
> know how to correct this issue (I had a look through the LDAP server's tree
> but couldn't find anything that seemed like it might map to "LDAP/
> redpoint.redpoint.int/redpoint.int@REDPOINT.INT").  I am concerned about the
> "redpoint.redpoint.int" however, as the name of the domain controller is
> actually "main" within the redpoint.int realm.
It's indeed interesting.
Can you on the samba server do:

* kinit administrator@REDPOINT.INT
* klist
* ldbsearch -k 1 ldap://main '(cn=administrator)'
* klist

Can you post the result of the two klist commands?

It seems that somehow the canonicalization of your DC (main.redpoint.int)
gives redpoint.redpoint.int. Have a look in your DNS files!


>
> Through running -d 3 I've also found a few other errors which would explain
> why Offline Files and a few other components aren't working correctly.  The
> first is:
>
>> /usr/local/samba/sbin/samba_spnupdate: Failed to find computer object for
> REDPOINT$
Can you post the content of your smb.conf?
Also, can you do this: ./bin/ldbsearch -H <path_to_private_dir>/sam.ldb
'(primaryGroupId=516)' and post the output?

>
> I'm not sure what impact this has, however the second error issue is:
>
>> pvfs_setfileinfo: utimes() failed '/srv/users/.' - Operation not permitted
> This is causing errors with Offline Files which reports that access to
> \\main\users$ was denied (which causes Sync to fail).  Checking the utimes()
> documentation shows:
>
> "The times argument is not a null pointer and the calling process' effective
> user ID has write access to the file but does not match the owner of the
> file and the calling process does not have the appropriate privileges."
>
> This is rather confusing given that the ownership of /srv/users (and /srv)
> is root, which is the user that the Samba 4 server is running as.  I can
> only assume that /srv/users is meant to be owned by one of the actual NT
> users (3000xxx) however given that this is a public directory, that's not
> going to work as all users have to be able to update the timestamp on the
> file.
The thing is that most of the time Samba changes its UID when dealing
with files to match the UID of the user accessing the file.
Can you try this patch? It will give us more information about where the
error occurs in our code (which function).

The fix shouldn't be too complicated to do, it's basically a become_root
with appropriate checks but it shouldn't affect your GPO stuff.

> If anyone knows solutions or has suggestions as to how I can fix any of the
> problems I've outlined above, it would be greatly appreciated.
>

Matthieu.

-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary


-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.patch
Type: text/x-patch
Size: 1186 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110717/cecb06e4/attachment.bin>

