[Samba] Samba 4.2.14 Group Policy (GPO) sync error

L.P.H. van Belle belle at bazuin.nl
Thu Aug 4 06:25:28 UTC 2016


Hai, 

No, your output is not good. 

>C:\Temp>netdom verify cyb64w10-monster
>The format of the specified computer name is invalid.

That's not good. 

> C:\Temp>nslookup cyb64w10-monster
> Server:  UnKnown
> Address:  fdea:5b48:d4c1:1:1::6

Also not good. 


If your resolving is set up correctly, both should work.
netdom verify cyb64w10-monster
and 
netdom verify cyb64w10-monster.ad.cyberdyne.local

Both work for me and my Windows 10 gets these policies.

Open a DOS box and type ipconfig /all 

Check your primary DNS suffix AND DNS search.
Normally these are the same; can you check this?

My guess: you're missing the DNS search. 

Are you using IPv6 in your LAN? If not, try disabling it. 
And try again.
If you're using IPv6, then disable it, try it and enable it back. 


And post the resolv.conf and hosts files. 



Greetz, 

Louis
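The checks asked for above (primary DNS suffix, DNS search list, short name versus FQDN resolution, and a netdom-style secure channel test), automated in an added PowerShell script for a Windows 10 domain member. This is not code from the thread; the only assumption is the domain name ad.cyberdyne.local taken from the quoted output.

```powershell
# Added example, not from the thread: automates the checks Louis asks for on a
# Windows 10 domain member (primary DNS suffix, DNS suffix search list, short
# name vs FQDN resolution, secure channel). Assumption: the AD DNS domain is
# ad.cyberdyne.local as in the thread; change $domain for another domain.
$domain = 'ad.cyberdyne.local'

# Primary DNS suffix, the same value 'ipconfig /all' prints.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$primarySuffix = (Get-ItemProperty -Path $tcpip -Name 'Domain' -ErrorAction SilentlyContinue).Domain
$searchList = @((Get-DnsClientGlobalSetting).SuffixSearchList)

Write-Host "Primary DNS suffix : $primarySuffix"
Write-Host "DNS suffix search  : $($searchList -join ', ')"

if ($primarySuffix -ne $domain) {
    Write-Warning "Primary DNS suffix '$primarySuffix' does not match '$domain'."
}
# Windows qualifies bare hostnames with the explicit suffix search list if one
# is set, otherwise with the primary DNS suffix. If the domain is in neither,
# the FQDN resolves but the short name does not, which is the symptom in the thread.
$effective = if ($searchList.Count) { $searchList } else { @($primarySuffix) }
if ($effective -notcontains $domain) {
    Write-Warning "'$domain' is not in the effective DNS suffix search list."
}

# Resolve the short name and the FQDN; both should give the same A/AAAA set.
$short = $env:COMPUTERNAME
$fqdn  = "$short.$domain"
$shortAddrs = @(Resolve-DnsName -Name $short -ErrorAction SilentlyContinue |
                Where-Object { $_.IPAddress } | ForEach-Object IPAddress | Sort-Object)
$fqdnAddrs  = @(Resolve-DnsName -Name $fqdn  -ErrorAction SilentlyContinue |
                Where-Object { $_.IPAddress } | ForEach-Object IPAddress | Sort-Object)

if ($fqdnAddrs.Count -eq 0) {
    Write-Warning "$fqdn does not resolve at all; check the DNS server the client uses."
} elseif ($shortAddrs.Count -eq 0) {
    Write-Warning "$fqdn resolves but $short does not; the suffix search list is not applied."
} elseif (Compare-Object $shortAddrs $fqdnAddrs) {
    Write-Warning "$short and $fqdn resolve to different addresses."
} else {
    Write-Host "OK: $short and $fqdn both resolve to $($fqdnAddrs -join ', ')"
}

# Equivalent of 'netdom verify': is the machine account's secure channel to a
# DC healthy? -Verbose prints which DC answered.
Test-ComputerSecureChannel -Verbose
```

Run it in an elevated PowerShell on the failing client; the warnings point at the same things ipconfig /all and nslookup would show by hand.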



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of rme at bluemail.ch
> Sent: Wednesday, 3 August 2016 17:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
> 
>  > Can you run on a failing computer :
>  > - netdom verify yourpcname
> 
> It seems to work only with FQDN:
> 
> 
> C:\Temp>netdom verify cyb64w10-monster
> The format of the specified computer name is invalid.
> 
> The command failed to complete successfully.
> 
> 
> C:\Temp>netdom verify cyb64w10-monster.ad.cyberdyne.local
> The secure channel from CYB64W10-MONSTER.AD.CYBERDYNE.LOCAL to the domain
> CYBERDYNE has been verified.  The connection
> is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.
> 
> The command completed successfully.
> 
> 
>  > - nslookup yourpcname
> 
> Seems to work fine:
> 
> C:\Temp>nslookup cyb64w10-monster
> Server:  UnKnown
> Address:  fdea:5b48:d4c1:1:1::6
> 
> Name:    cyb64w10-monster.ad.cyberdyne.local
> Addresses:  fdea:5b48:d4c1:1:1::100
>            2a02:120b:2c38:2951:8d95:bd76:deaa:73db
>            fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
>            10.0.1.119
> 
>  > All ok?
> 
> To me this looks alright. Isn't it?
> 
> 
>  > And is time in sync?
> 
> Yes, 100% in sync, synchronized via NTP server.
> I am using two external time servers and the following config in my
> /etc/ntp.conf:
> restrict default nomodify nopeer noquery limited kod mssntp
> restrict 127.0.0.1
> restrict [::1]
> 
> To my understanding, with the Samba time server enabled this should allow
> clients to synchronize the clock. Actually, manual verification and manual
> clock sync seem to work:
> 
> C:\Temp>w32tm /resync
> Sending resync command to local computer
> The command completed successfully.
> 
> 
>  > Did you install winbind after the update, and also did you change your
>  > server services line?
> 
> Well, I have installed Samba on Gentoo via official repositories. Winbind was
> enabled from the beginning when upgrading from Samba 3.1 to 4.0. The group
> policy synchronization worked perfectly fine until the 4.2.11 update; on 4.2.9
> it was working flawlessly.
> 
> My service line looks as follows:
>      server services = -dns
> 
> Full line (samba-tool testparm -vv | grep "server service"):
>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 
> 
> 
>  > And best is really to setup TLS/SSL
> 
> Copy that.
> 
>  > <https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC>
>  > ( missing on that site : add TLS_REQCERT allow  to ldap.conf )
> 
> Actually, from the page I understood that if I don't change anything the TLS
> certificates are generated, but they are only valid for 700 days. Though mine
> were generated in November 2015 (perhaps on first Samba 4 startup), I just
> cleaned them and let Samba rebuild them on restart. I might go for my own CA
> and signed certs valid for a longer period later if this turns out to be the
> culprit.
> 
> 
> So now I changed /etc/ldap/ldap.conf and inserted
>      TLS_REQCERT     allow
> 
> 
> Then I verified the configuration:
> 
> First verify without TLS, this should fail.
> 
> # ldapsearch -xLL -H ldap://localhost -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b "dc=ad,dc=cyberdyne,dc=local"
> Enter LDAP Password:
> ldap_bind: Strong(er) authentication required (8)
>          additional info: BindSimple: Transport encryption required.
> 
> 
> Then try with TLS, this should succeed.
> 
> # ldapsearch -ZZ -xLL -H ldap://localhost -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b "dc=ad,dc=cyberdyne,dc=local" | head -5
> Enter LDAP Password:
> version: 1
> 
> dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
> objectClass: top
> objectClass: group
> ...
> 
> 
> Then try with SSL too.
> 
> # ldapsearch -xLL -H ldaps://localhost -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b "dc=ad,dc=cyberdyne,dc=local" | head -5
> Enter LDAP Password:
> version: 1
> 
> dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
> objectClass: top
> objectClass: group
> ...
> 
> 
> 
>  > Now, for the other problem, after above is done/checked.
> 
> I think TLS works as expected.
> 
> 
>  > You can clear your GPO history on the PC.
>  > It's recreated when you reboot/login again, so no worries..
> 
>  > @echo off
>  > DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
>  > REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
>  > REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
>  > DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
>  > klist purge
>  > gpupdate /force
>  > exit
> 
>  > Now reboot your PC and check again.
> 
> 
> I did run those, although the Group Policy History and secedit.sdb did not
> exist, as GPO has never been synced on this machine (fresh Win 10 Pro 1607
> installation). Though the klist purge and gpupdate ran. Unfortunately gpupdate
> immediately showed the same errors again while Samba printed the same errors
> in its log:
> 
> [2016/08/03 17:48:48.064741,  1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
>    gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> [2016/08/03 17:48:48.064868,  0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
>    gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
> 
> 
> Many thanks for your patience trying to debug this issue. I am a bit out of
> ideas now on how to trace this down. All file server services of Samba seem
> to work fine.
> 
> Thanks again
> Rainer
> 