[Samba] Samba 4.2.11 Group Policy (GPO) sync error
rme at bluemail.ch
rme at bluemail.ch
Wed Apr 20 16:35:35 UTC 2016
Hello,
Thanks for your reply!
On 20.04.2016 12:40, mathias dufresne wrote:
> You said your client can't resolve the domain controllers any more. Do you made
> tests using "dig" or "nslookup" to be sure there is an issue with your DNS system?
Name lookups on AD domain look alright. DNS tests are successful. I think it's
not about name resolution of DNS but rather about resolving user IDs to user names.
The exact message displayed by gpupdate is:
---
Updating policy...
Computer policy could not be updated successfully. The following errors were
encountered:
The processing of Group Policy failed. Windows could not resolve the computer
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were
encountered:
The processing of Group Policy failed. Windows could not resolve the user name.
This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html
from the command line to access information about Group Policy results.
---
In addition the system event log contains event ID 1055 from source "GroupPolicy
(Microsoft-Windows-GroupPolicy with OpCode 1 and contais the following details:
---
The processing of Group Policy failed. Windows could not resolve the computer
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
---
> Checking logs would be a good option too. Bind and Samba logs.
No errors actually logged to the BIND log file. Moreover BIND is not upgraded or
affected at all.
In Samba logs I see the same error repeated many times during the update:
[2016/04/20 18:29:02.510222, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED
Any ideas what to check? This happens on all my Samba 4.2.11 installations. When
downgrading to Samba 4.2.9 the issue disappears completely (without any change
in configuration od TDB files).
best regards,
Rainer
More information about the samba
mailing list