[Samba] Samba 4 and gpo in win7

Matthieu Patou mat at samba.org
Fri Jun 3 01:59:07 MDT 2011 

Hello Louis,
On 03/06/2011 10:57, L.P.H. van Belle wrote:
> in your example
>
>> Accessing sysvol works through: \\ip\sysvol and>\\dc.domain_name\sysvol
> 					^^^^^^^^		  ^^^^^^^^^^^^^^^^
> 					Ipadres		  Hostname.domainname_local
>
>> Doesn´t work through \\domainname\sysvol
> 			^^^^^^^^^^^^^^
> 			expected here is \\hostname
> 			\\domainname is a no go.
Your email is cryptic at best, what's the sense of your remarks ?
I persists to say that if you have a domain called demo.samba4.corp and 
a DC inside called dc1 with IP address 1.2.3.4
The following will work:
* \\1.2.3.4\sysvol
* \\dc1.demo.samba4.corp\sysvol

If you activate the option "host msdfs" in the global section of 
smb.conf then the following will work as well:
* \\demo.samba4.corp\sysvol

And that's the way group policy tools (gpmc.msc) stores GPO informations 
in the Active Directory Database. Check the example bellow with my 
personal domain called home.matws.net.


./bin/ldbsearch -H ~/workspace//samba/homematwsnet/private/sam.ldb -b 
"CN=Policies,CN=System,DC=home,DC=matws,DC=net" '(gPCFileSysPath=*)' 
gPCFileSysPath
# record 1
dn: 
CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=home,DC=matws,DC=net
gPCFileSysPath: 
\\home.matws.net\sysvol\home.matws.net\Policies\{6AC1786C-016F
  -11D2-945F-00C04FB984F9}

# record 2
dn: 
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=home,DC=matws,DC=net
gPCFileSysPath: 
\\home.matws.net\sysvol\home.matws.net\Policies\{31B2F340-016D
  -11D2-945F-00C04FB984F9}

# record 3
dn: 
CN={D1A937AB-7413-4E0D-ABF1-CBE9A3730C66},CN=Policies,CN=System,DC=home,DC=matws,DC=net
gPCFileSysPath: 
\\home.matws.net\SysVol\home.matws.net\Policies\{D1A937AB-7413
  -4E0D-ABF1-CBE9A3730C66}

# record 4
dn: 
CN={83AC0057-21E3-40E6-97EE-30C1D49498B6},CN=Policies,CN=System,DC=home,DC=matws,DC=net
gPCFileSysPath: 
\\home.matws.net\SysVol\home.matws.net\Policies\{83AC0057-21E3
  -40E6-97EE-30C1D49498B6}


For those who are interested, windows clients will check if the DC to 
which they are connected support DFS, if so client will start a DFS name 
resolution protocol to be able to translate \\domainname.tld\sysvol to 
\\dcname.domainname.tld\sysvol.

So if the DC support DFS, the client will first send a request to get 
all the domain supported by the DC, then client will check if in the 
list there is its domain (in a 1 domain forest that's obvious but in a 
multidomain forest it can be not so obvious). If so it will ask this DC 
for the list of DCs for this domain, the list is sorted by cost so that 
the first one are the closest (in the same windows site or in the site 
with the smallest connection cost). Client will pick the first DC in the 
list and will then ask it for the list of servers that hosts the sysvol 
share. The DC will return the list of network path for accessing this 
resource.


More details are available to MS-DFSC.pdf.

Matthieu.


> Louis
>
>> -----Oorspronkelijk bericht-----
>> Van: kalle at zimbra.inputinterior.se
>> [mailto:samba-bounces at lists.samba.org] Namens Kalle Pettersson
>> Verzonden: 2011-05-20 16:51
>> Aan: mat at samba.org
>> CC: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Samba 4 and gpo in win7
>>
>> Hello!
>>
>> Attached a trace file while running gpupdate.
>>
>> Accessing sysvol works through: \\ip\sysvol and
>> \\dc.domain_name\sysvol
>> Doesn´t work through \\domainname\sysvol
>>
>>
>>
>>
>>
>> ----- Ursprungligt meddelande -----
>>
>> Från: "Matthieu Patou"<mat at samba.org>
>> Till: samba at lists.samba.org, "samba-technical"
>> <samba-technical at lists.samba.org>
>> Skickat: torsdag, 19 maj 2011 15:31:34
>> Ämne: Re: [Samba] Samba 4 and gpo in win7
>>
>> On 12/05/2011 11:21, taetre at bredband.net wrote:
>>> Hello!
>>>
>>> Having an issue with getting gpo to apply for my win7
>>> clients.
>>>
>>> Running samba4.
>>>
>>> Creating gpo with gpmc and they are created
>>> under var/locks/sysvol/"mydomain"/policies
>>>
>>> They applies just perfect
>>> on win xp clients but when trying on win7 clients they just
>> won´t apply.
>>>
>>> When runnin gpupdate /force we get this(summary):
>>>
>> So I pushed a few fixes in the Git tree of samba and made a
>> lot of tests
>> about this.
>> First you need:
>> host msdfs = yes in the [global] part of your configuration.
>>
>> Then reboot XP / windows7.
>>
>> Try to access \\domain.tld\sysvol and also navigate inside it.
>> If it works it means that dfs for sysvol is working in most
>> the case it
>> will solve Windows7 problems with fetching the GPO.
>>
>> If not make trace from the samba server and send us for
>> analysis, trace
>> can be done like this: tcpdump -i any host ip_of_the_client -s
>> 16000 -w
>> /tmp/trace.pcap.
>>
>> Matthieu.
>>
>>
>>
>>
>> -- 
>> Matthieu Patou
>> Samba Team http://samba.org
>> Private repo http://git.samba.org/?p=mat/samba.git;a=summary
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>


-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary

More information about the samba mailing list