Group Policy not working + other problems

James Rhodes jrhodes at
Sun Jul 17 04:42:30 MDT 2011

2011/7/17 Matthieu Patou <mat at>
> On 17/07/2011 11:11, James Rhodes wrote:
> > So I recently upgraded my Samba 4 server to alpha 17 using GIT revision
> > 3dae323 and Group Policy has stopped working (I've spent the last few hours
> > trying to resolve this issue, but I seem to be stuck).  I hadn't actually
> > noticed this until today when I attempted to join a computer to a domain and
> > then manually updated its Group Policy using gpupdate.
> >
> > I've managed to narrow down the error to this (shown when using samba -i -d
> > 3):
> >
> >> Kerberos: TGS-REQ james-pc$@REDPOINT.INT from ipv4: for
> > LDAP/ at REDPOINT.INT [renewable,
> > forwardable]
> >> Kerberos: Searching referral for
> >> Kerberos: Server not found in database: LDAP/
> > at REDPOINT.INT: no such entry found in hdb
> >> Kerberos: Failed building TGS-REP to ipv4:
> >> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> >> Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
> >> single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
> > I am assuming that the cause of Kerberos no longer being able to find the
> > server is caused by updating Samba 4 to a newer version, however I do not
> > know how to correct this issue (I had a look through the LDAP server's tree
> > but couldn't find anything that seemed like it might map to "LDAP/
> > at REDPOINT.INT").  I am concerned about the
> > "" however, as the name of the domain controller is
> > actually "main" within the realm.
> It's indeed interesting.
> Can you on the samba server do:
> * kinit administrator at REDPOINT.INT
> * klist
> * ldbsearch -k 1 ldap://main '(cn=administrator)'
> * klist
> Can you post the result of the two klist commands?


ldbsearch asked for a -H parameter, I have assumed you wanted me to
query /usr/local/samba/private/sam.ldb.

> It seems that somehow the canonization of your DC (
> gives Have a look in your DNS files !

This configuration is (as far as I remember) straight out of the
provisioning.  I noticed an entry:

$TTL 900        ; 15 minutes
redpoint                A

in the zone file, but this must have been automatically generated by
Samba 4 as it appears after the DNS mappings for Windows clients,
which would not have existed during the initial provision.

> >
> > Through running -d 3 I've also found a few other errors which would explain
> > why Offline Files and a few other components aren't working correctly.  The
> > first is:
> >
> >> /usr/local/samba/sbin/samba_spnupdate: Failed to find computer object for
> Can you post the content of your smb.conf?
> Also can you do this ./bin/ldbsearch -H <path_to_private_dir>/sam.ldb
> '(primaryGroupId=516)' and post the output ?

ldbsearch output:

Judging from the output of ldbsearch, the computer object is MAIN$
(which fits in with the intended, while Samba 4
seems to be looking for REDPOINT$.  This looks like it might be tying
into the Kerberos querying problem above.

> >
> > I'm not sure what impact this has, however the second error issue is:
> >
> >> pvfs_setfileinfo: utimes() failed '/srv/users/.' - Operation not permitted
> > This is causing errors with Offline Files which reports that access to
> > \\main\users$ was denied (which causes Sync to fail).  Checking the utimes()
> > documentation shows:
> >
> > "The times argument is not a null pointer and the calling process' effective
> > user ID has write access to the file but does not match the owner of the
> > file and the calling process does not have the appropriate privileges."
> >
> > This is rather confusing given that the ownership of /srv/users (and /srv)
> > is root, which is the user that the Samba 4 server is running as.  I can
> > only assume that /srv/users is meant to be owned by one of the actual NT
> > users (3000xxx) however given that this is a public directory, that's not
> > going to work as all users have to be able to update the timestamp on the
> > file.
> The thing is that most of the time samba changes its UID when dealing
> with files to match the UID of the user accessing the file.
> Can you try this patch? It will give us more information about where the
> error occurs in our code (which function).
> The fix shouldn't be too complicated to do, it's basically a become_root
> with appropriate checks but it shouldn't affect your GPO stuff.

I applied the patch and recompiled, however I can't seem to get the
problem to reoccur.  I'll monitor the output again tomorrow to see if
it appears (the "Access Denied" might be being cached on my computer
or something like that).

> > If anyone knows solutions or has suggestions as to how I can fix any of the
> > problems I've outlined above, it would be greatly appreciated.
> >
> Matthieu.
> --
> Matthieu Patou
> Samba Team
> Private repo;a=summary
