[Samba] GPOs updating on some client systems and not others
thomasmaerz at kmnr.org
Mon Jun 30 19:18:31 MDT 2014
I have 3 sernet-samba-ad domain controllers replicating with rsync-based sysvol replication as per https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO, https://wiki.samba.org/index.php/SysVol_Replication and https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC.
The issue I am experiencing is that gpupdate.exe on clients joined to the domain fails on some machines and not others. Initially, both user and computer policies failed to update. I decided maybe something was up with my replicated sysvol volumes, so I ran samba-tool ntacl sysvolreset. After this, the user policy succeeded, but the computer policy still failed with this error: http://pastebin.com/FtvQdqSq. After running sysvolreset, I saw my rsync cron job pick up all the changed files and send them to the other two domain controllers. I went to the sysvol volumes on all three machines and verified that the permissions are identical, as well as the ACLs, including UIDs/GIDs. Unless there is something else I should be checking, I think that RFC2307 is properly working, but I am a little fuzzy on how to check that; I was able to show the username mapped to the SID, and that SID mapped to the GID I see when running getfacl on the sysvol files on each DC.
I have run a lot of diagnostics to see what the issue is. The only substantial thing I can see so far is that my install (samba 4.1.9) has this bug: https://bugzilla.samba.org/show_bug.cgi?id=10631
I've run the following diagnostics and they've all come back as expected:

    samba-tool testparm
    ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=kmnr,DC=org
    samba-tool ntacl sysvolcheck
    samba-tool drs showrepl
    samba-tool drs kcc
    samba-tool dbcheck
    smbclient //localhost/netlogon -UAdministrator -c 'ls'
    host -t SRV _ldap._tcp.ad.kmnr.org.
    host -t SRV _kerberos._udp.ad.kmnr.org.
    host -t A auth1.ad.kmnr.org.
    kinit administrator@AD.KMNR.ORG
The really weird thing here is that on one client machine, GPOs and everything work just fine, and another few machines in my test environment can't complete the gpupdate. I've tried to browse to the sysvol share on all of them; the ones that work can browse the sysvol share, and the ones that can't gpupdate say: "\\ad.kmnr.org\sysvol is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Element not found."
The workstations I'm testing are all logged in as the same user (Domain Admin); the successful one is Windows 7 x64, and the failing ones are both Windows Server 2008 R2 x64, if that makes any difference.
Here is my smb.conf, it is identical on the domain controllers: http://pastebin.com/s5Db5J7S
More information about the samba
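The post above says the sysvol permissions and ACLs were compared by hand across the three DCs. The following is an added example (not the poster's code and not part of the Samba project) of doing that comparison mechanically: dump the POSIX ACLs on each DC with `getfacl -R -p /var/lib/samba/sysvol`, collect the dumps on one host, and diff them per path. The DC names (dc1, dc2, dc3) and the three getfacl dumps are constructed for the example; the policy GUID used in the sample paths is the well-known Default Domain Policy GUID. One caveat: getfacl only shows the POSIX ACL projection. The NT security descriptor Samba stores in the security.NTACL xattr (what `samba-tool ntacl get` prints) is not covered by this check and can still differ even when the POSIX ACLs match.

```python
"""Diff getfacl dumps of a replicated sysvol across several DCs.

Added example: compares owner, group and every ACL entry per path against
the first DC given and reports each mismatch. Input is plain `getfacl -R -p`
output; the dumps below are constructed sample data, not real captures.
"""


def parse_getfacl(text):
    """Parse getfacl output into {path: {"owner": str, "group": str, "entries": set}}.

    getfacl prints one stanza per file: '# file:', '# owner:', '# group:',
    optionally '# flags:', then the ACL entries, then a blank line.
    """
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the stanza
            continue
        if line.startswith("# file:"):
            path = line[len("# file:"):].strip()
            current = {"owner": None, "group": None, "entries": set()}
            acls[path] = current
        elif current is None:
            continue                # stray text outside a stanza
        elif line.startswith("# owner:"):
            current["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            current["group"] = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue                # e.g. '# flags: -s-'
        else:
            current["entries"].add(line)   # user:/group:/mask:/other: entries
    return acls


def diff_acls(dumps):
    """dumps: {dc_name: parsed getfacl}. Returns [(path, description)] of mismatches
    relative to the first DC in the dict (insertion order)."""
    names = list(dumps)
    ref_name, ref = names[0], dumps[names[0]]
    all_paths = set()
    for parsed in dumps.values():
        all_paths |= set(parsed)
    problems = []
    for path in sorted(all_paths):
        for name in names[1:]:
            other = dumps[name]
            if path not in ref:
                problems.append((path, f"present on {name} but missing on {ref_name}"))
                continue
            if path not in other:
                problems.append((path, f"missing on {name}"))
                continue
            a, b = ref[path], other[path]
            for key in ("owner", "group"):
                if a[key] != b[key]:
                    problems.append((path, f"{key} is {a[key]} on {ref_name} but {b[key]} on {name}"))
            only_ref = a["entries"] - b["entries"]
            only_other = b["entries"] - a["entries"]
            if only_ref or only_other:
                problems.append((path, f"ACL entries differ: only on {ref_name}: "
                                       f"{sorted(only_ref)}; only on {name}: {sorted(only_other)}"))
    return problems


# Constructed sample dumps. 3000000/3000001 stand in for the GIDs the poster saw
# via getfacl; the GUID is the well-known Default Domain Policy GUID.
GOOD_DUMP = """\
# file: /var/lib/samba/sysvol/ad.kmnr.org/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: 3000000
user::rwx
user:3000000:rwx
group::---
group:3000001:r-x
mask::rwx
other::---

# file: /var/lib/samba/sysvol/ad.kmnr.org/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
# owner: root
# group: 3000000
user::rw-
user:3000000:rwx
group::---
group:3000001:r-x
mask::rwx
other::---
"""

# Same tree, but GPT.INI has drifted: different group owner and a missing ACL entry.
DRIFTED_DUMP = GOOD_DUMP.replace(
    "GPT.INI\n# owner: root\n# group: 3000000", "GPT.INI\n# owner: root\n# group: 3000002"
).replace("user::rw-\nuser:3000000:rwx\ngroup::---\ngroup:3000001:r-x",
          "user::rw-\nuser:3000000:rwx\ngroup::---")

SAMPLE_DUMPS = {"dc1": GOOD_DUMP, "dc2": GOOD_DUMP, "dc3": DRIFTED_DUMP}


def run_sample():
    """Diff the constructed dumps; returns the list of mismatches found."""
    return diff_acls({dc: parse_getfacl(text) for dc, text in SAMPLE_DUMPS.items()})


if __name__ == "__main__":
    for path, why in run_sample():
        print(f"{path}: {why}")
```

In practice you would replace `SAMPLE_DUMPS` with the contents of one `getfacl -R -p /var/lib/samba/sysvol` file copied from each DC. A clean result here only rules out POSIX ACL drift; when a client still reports "not accessible" on `\\domain\sysvol`, the next things to compare are the NT ACLs (`samba-tool ntacl get` on the same paths) and the idmap results on each DC, since the GIDs printed by getfacl must map to the same SIDs everywhere.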