[Samba] Restricting DC Roles?
abartlet at samba.org
Thu Nov 1 18:27:54 MDT 2012
On Thu, 2012-11-01 at 19:26 +0000, Bethel, Zach wrote:
> I went ahead and updated to samba-master, and the error is replaced by a new one that is rather strange:
> "Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator’s requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected.
> If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem."
> So it's obviously complaining about clock skew. Once again, I checked the event log and it's trying to update from the samba machine. The odd thing is that the samba DC time is perfectly in sync with the two Windows DCs. I set up NTP on it, and lsof reveals that the signed socket is indeed being read by samba. I am not having any other authentication issues with Kerberos.
> Is this a known issue by chance?
No, it is not, sorry.
Please file a bug with network captures etc.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org