[Samba] GPO
Rowland penny
rpenny at samba.org
Thu Apr 7 12:51:50 UTC 2016
On 07/04/16 13:34, Eben Victor wrote:
> Hi Louis,
> I don't have a FW enabled on my PC.
> I even tried to disable the FW on all my DC's.
> I can telnet to port 389/636/53; they are all open and go through to
> all my DC's.
> Primary DC
> # Global parameters
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.CORP
> netbios name = ##SELECTION_END##ZACPRDC002
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> guest account = nobody
> restrict anonymous = 1
> dns forwarder = 10.102.204.200
> dns forwarder = 10.102.208.200
> log level = 3
> [netlogon]
> path = /var/lib/samba/sysvol/domain.corp/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> Second DC
> # Global parameters
> [global]
> workgroup = DOMAIN
> realm = domain.corp
> netbios name = ZACPRDC001
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> guest account = nobody
> restrict anonymous = 1
> dns forwarder = 10.102.204.200
> dns forwarder = 10.102.208.200
> log level = 3
> [netlogon]
> path = /var/lib/samba/sysvol/domain.corp/scripts
> read only = Yes
> writable = no
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = Yes
> writable = no
> I appreciate the assistance, I've started running into walls already.
> Regards
> -----Original Message-----
> From: Eben Victor <eben.victor at vcontractor.co.za>
> To: samba <samba at lists.samba.org>
> Subject: Re: [Samba] GPO
> Date: Thu, 7 Apr 2016 12:15:34 +0200
> Mailer: Evolution 3.18.5.2 (3.18.5.2-1.fc23)
> Hi Louis,
> See below,
> C:\>ipconfig /all
> Windows IP Configuration
> Host Name . . . . . . . . . . . . : EBEN-TEST-PC
> Primary Dns Suffix . . . . . . . : domain.corp
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.corp
> Ethernet adapter Local Area Connection:
> Connection-specific DNS Suffix . : domain.corp
> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
> Physical Address. . . . . . . . . : 00-0C-29-67-2C-53
> DHCP Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 172.16.210.130(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Lease Obtained. . . . . . . . . . : 06 April 2016 01:17:33 PM
> Lease Expires . . . . . . . . . . : 06 April 2016 03:14:04 PM
> Default Gateway . . . . . . . . . : 172.16.210.2
> DHCP Server . . . . . . . . . . . : 172.16.210.254
> DNS Servers . . . . . . . . . . . : 10.102.219.51
> 10.102.219.50
> 10.132.33.48
> 10.132.33.2
> Primary WINS Server . . . . . . . : 172.16.210.2
> NetBIOS over Tcpip. . . . . . . . : Enabled
> I have already tested disjoin and rejoining the PC, still the same
> error. I did a clean installation with new hostname as well.
> Also see below Microsoft analyst report
> User Logon Info
> ************
> User Name : domain\user
> User SID : S-1-5-21-801203796-115225906-466470621-4513
> User Object DN : CN=user,OU=Users,DC=domain,DC=corp
> User Password Last Set : 7/16/2015 3:20:41 PM
> UserAccountControl Value : {NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD}
> Logon Authentication Method : Kerberos
> User Domain : domain.corp
> Computer Site : Default-First-Site-Name
> Computer Role : Client
> Computer Operating System : Windows 7
> Computer Domain : domain.corp
> Domain Controller : {zafprdc001.domain.corp}
> Global Catalog : {zacprdc001.domain.corp}
>
> System Logs:
> ***********
> 11/2/2015 10:15:00 AM Warning EBEN-TEST-PC.domain.corp 1014
> Microsoft-Windows-DNS-Client N/A NT AUTHORITY\NETWORK SERVICE Name
> resolution for the name _ldap._tcp.dc._msdcs.domain.corp timed out
> after none of the configured DNS servers responded.
> http://social.technet.microsoft.com/wiki/contents/articles/3336.event-id-1014-microsoft-windows-dns-client.aspx
>
> 11/2/2015 10:15:02 AM Error EBEN-TEST-PC.domain.corp 5719 NETLOGON N/A
> N/A This computer was not able to set up a secure session with a domain
> controller in domain domain due to the following: There are currently
> no logon servers available to service the logon request. This may lead
> to authentication problems. Make sure that this computer is connected
> to the network. If the problem persists, please contact your domain
> administrator. ADDITIONAL INFO If this computer is a domain
> controller for the specified domain, it sets up the secure session to
> the primary domain controller emulator in the specified domain.
> Otherwise, this computer sets up the secure session to any domain
> controller in the specified domain.
> https://support.microsoft.com/en-us/kb/938449
>
> 11/2/2015 10:15:11 AM Error EBEN-TEST-PC.domain.corp 1058
> Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM The processing of
> Group Policy failed. Windows attempted to read the file
> \\domain.corp\SysVol\domain.corp\Policies\{CCD95983-4A18-4AA7-9466-D95765CC1AD0}\gpt.ini
> from a domain controller and was not successful.
> Group Policy settings may not be applied until this event is resolved.
> This issue may be transient and could be caused by one or more of the
> following: a) Name Resolution/Network Connectivity to the current
> domain controller. b) File Replication Service Latency (a file created
> on another domain controller has not replicated to the current domain
> controller). c) The Distributed File System (DFS) client has been
> disabled.
> https://technet.microsoft.com/en-us/library/cc727259(v=ws.10).aspx
>
> 11/2/2015 10:15:53 AM Error EBEN-TEST-PC.domain.corp 1110
> Microsoft-Windows-GroupPolicy N/A domain\EBEN-TEST-PC The processing of Group
> Policy failed. Windows could not determine if the user and computer
> accounts are in the same forest. Ensure the user domain name matches
> the name of a trusted domain that resides in the same forest as the
> computer account.
> https://technet.microsoft.com/en-us/library/cc727342(v=ws.10).aspx
>
> Group policy Logs:
> **************
> 11/2/2015 10:15:11 AM Error EBEN-TEST-PC.domain.corp 7017
> Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM The system calls to
> access specified file completed.
> \\domain.corp\SysVol\domain.corp\Policies\{CCD95983-4A18-4AA7-9466-D95765CC1AD0}\gpt.ini
> The call failed after 827 milliseconds.
> 11/2/2015 10:15:12 AM Error EBEN-TEST-PC.domain.corp 7000
> Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM Computer boot policy
> processing failed for domain\EBEN-TEST-PC$ in 4 seconds.
> 11/2/2015 10:15:53 AM Error EBEN-TEST-PC.domain.corp 7001
> Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM User logon policy
> processing failed for domain\EBEN-TEST-PC in 0 seconds.
> 11/2/2015 10:16:25 AM Error EBEN-TEST-PC.domain.corp 7005
> Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM Manual processing of
> policy failed for user domain\EBEN-TEST-PC in 0 seconds.
>
> Gpresult:
> *******
> INFO: The user "domain\user" does not have RSOP data.
>
> 07/21/2015 02:11:48 AM Error EBEN-TEST-PC.domain 4205
> Microsoft-Windows-NlaSvc Gateway Resolution NT
> AUTHORITY\NETWORK SERVICE Gateway resolution failed on interface
> {581B9AD1-62E8-4689-9338-E2568B7DD014} for 10.23.199.1 with error: 0x43
> 07/22/2015 02:10:24 AM Error EBEN-TEST-PC.domain 4343
> Microsoft-Windows-NlaSvc Ldap Authenticatio NT
> AUTHORITY\NETWORK SERVICE LDAP authentication on interface
> {581B9AD1-62E8-4689-9338-E2568B7DD014} (10.23.199.220) failed with
> error 0x56
> LDAP errors:
> https://support.microsoft.com/en-us/kb/218185
> -----Original Message-----
> From: barış tombul <bbtombul at gmail.com>
> To: Eben Victor <eben.victor at vcontractor.co.za>
> Cc: samba <samba at lists.samba.org>
> Subject: Re: [Samba] GPO
> Date: Wed, 6 Apr 2016 14:10:10 +0300
> this command >> samba-tool ntacl sysvolreset
> 2016-04-06 13:34 GMT+03:00 Eben Victor <eben.victor at vcontractor.co.za>:
>> Hi All,
>> I created a Samba domain and it works great; the issue that I have
>> is with the GPO's. When applying GPO's, only the computer policy
>> is applied and not the user GPO. I keep on receiving the error below.
>> Has anybody else perhaps been experiencing the same issues?
>>
>> C:\>gpupdate /force
>> Updating Policy...
>>
>> User policy could not be updated successfully. The following errors
>> were encountered:
>>
>> The processing of Group Policy failed. Windows could not determine if
>> the user and computer accounts are in the same forest. Ensure the
>> user domain name matches the name of a trusted domain that resides in
>> the same forest as the computer account.
>> Computer Policy update has completed successfully.
>>
>> To diagnose the failure, review the event log or run GPRESULT /H
>> GPReport.html from the command line to access information about Group
>> Policy results.
>>
>> Kind Regards
>> “This e-mail is sent on the Terms and Conditions that can be accessed
>> by Clicking on this link https://webmail.vodacom.co.za/tc/default.html"
>>
>
>
I take it that your first DC isn't really called
'##SELECTION_END##ZACPRDC002' ?
You seem to be using the internal DNS server; with this you can only
have one 'dns forwarder'.
What do you have in /etc/resolv.conf on the DCs ?
They should point to each other first, then themselves, i.e.
First DC
search your.domain
nameserver ip.of.second.dc
nameserver ip.of.this.dc
Second DC
search your.domain
nameserver ip.of.first.dc
nameserver ip.of.this.dc
What is in /etc/krb5.conf ?
Rowland
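The checks Rowland asks for (a single dns forwarder for the internal DNS server, and resolv.conf on each DC listing the other DC first and itself last), plus the sysvol/netlogon share settings that differ between the two posted configs, as an added example that is not part of this thread and not Samba's own tooling. The smb.conf samples are abridged from the two configs quoted above; the resolv.conf contents and the DC addresses 10.0.0.1 / 10.0.0.2 are assumptions made for the demonstration.

```python
"""Audit the two-DC Samba AD configuration discussed in this thread.

Added example, not Samba's own tooling. The smb.conf samples are abridged
from the two configs posted above; the resolv.conf contents and the DC
addresses 10.0.0.1 / 10.0.0.2 are assumptions made for the demonstration.
"""
import re

DC1_SMB_CONF = """\
[global]
    netbios name = ZACPRDC002
    server role = active directory domain controller
    dns forwarder = 10.102.204.200
    dns forwarder = 10.102.208.200
[netlogon]
    read only = No
[sysvol]
    read only = No
"""

DC2_SMB_CONF = """\
[global]
    netbios name = ZACPRDC001
    server role = active directory domain controller
    dns forwarder = 10.102.204.200
    dns forwarder = 10.102.208.200
[netlogon]
    read only = Yes
    writable = no
[sysvol]
    read only = Yes
    writable = no
"""

# Assumed: each DC points only at itself, the layout Rowland's advice rules out.
DC_IPS = {"ZACPRDC002": "10.0.0.1", "ZACPRDC001": "10.0.0.2"}
DC1_RESOLV = "search domain.corp\nnameserver 10.0.0.1\n"
DC2_RESOLV = "search domain.corp\nnameserver 10.0.0.2\n"

TRUE_WORDS = ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} keeping repeated keys in order.
    configparser would merge or reject a duplicate; here we need to see it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_smb_conf(name, text):
    """Findings for one DC: a repeated 'dns forwarder' (a parameter set twice
    keeps the last value read) and sysvol/netlogon shares left read only
    (samba-tool provision writes 'read only = No' on both)."""
    findings, conf = [], parse_smb_conf(text)
    forwarders = [v for k, v in conf.get("global", []) if k == "dns forwarder"]
    if len(forwarders) > 1:
        findings.append(f"{name}: 'dns forwarder' set {len(forwarders)} times; "
                        f"only the last value ({forwarders[-1]}) takes effect")
    for share in ("sysvol", "netlogon"):
        read_only = True  # Samba's default for any share
        for key, value in conf.get(share, []):
            if key == "read only":
                read_only = value.lower() in TRUE_WORDS
            elif key in ("writable", "writeable"):  # inverse synonyms
                read_only = value.lower() not in TRUE_WORDS
        if read_only:
            findings.append(f"{name}: [{share}] is read only; samba-tool "
                            f"provision sets 'read only = No' on it")
    return findings


def check_resolv(name, text, dc_ips):
    """Rowland's rule: a DC's nameservers are the other DC(s) first, itself last."""
    findings, own = [], dc_ips[name]
    others = {ip for dc, ip in dc_ips.items() if dc != name}
    servers = [l.split()[1] for l in text.splitlines()
               if l.startswith("nameserver") and len(l.split()) > 1]
    if not servers:
        return [f"{name}: resolv.conf has no nameserver lines"]
    findings += [f"{name}: nameserver {ip} is not a DC" for ip in servers
                 if ip not in dc_ips.values()]
    if servers[0] not in others:
        findings.append(f"{name}: first nameserver should be another DC, got {servers[0]}")
    if own not in servers:
        findings.append(f"{name}: own address {own} is missing")
    elif servers[-1] != own:
        findings.append(f"{name}: own address {own} should be listed last")
    return findings


def audit():
    """Run every check over both DCs and return the combined findings."""
    return (check_smb_conf("ZACPRDC002", DC1_SMB_CONF)
            + check_smb_conf("ZACPRDC001", DC2_SMB_CONF)
            + check_resolv("ZACPRDC002", DC1_RESOLV, DC_IPS)
            + check_resolv("ZACPRDC001", DC2_RESOLV, DC_IPS))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

With the assumed resolv.conf contents the script reports the doubled dns forwarder on both DCs, the read-only [sysvol] and [netlogon] on the second DC, and a first nameserver that is not the other DC on each. It deliberately stops at static configuration: the client-side event 1014 above is about the DNS servers listed in the ipconfig output, which you check against each of those servers directly with host -t SRV _ldap._tcp.dc._msdcs.domain.corp <server-ip>, and the sysvol ACLs that the earlier reply's samba-tool ntacl sysvolreset rewrites can be inspected without changing them with samba-tool ntacl sysvolcheck.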