[Samba] Samba 4.2.14 Group Policy (GPO) sync error
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 4 07:12:32 UTC 2016
Forgot one extra.
On the win 10, check this reg key.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname
It states you hostname here, but if its not in caps change it to HOSTNAME
In that register key. (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
You should see also you dnsdomain at Domain and NV Domain.
NV Hostname should be in CAPS also.
The domains not.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens L.P.H. van Belle
> Verzonden: donderdag 4 augustus 2016 8:25
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
>
> Hai,
>
> No, your output is not good.
>
> >C:\Temp>netdom verify cyb64w10-monster
> >The format of the specified computer name is invalid.
>
> Thats not good.
>
> > C:\Temp>nslookup cyb64w10-monster
> > Server: UnKnown
> > Address: fdea:5b48:d4c1:1:1::6
>
> Also not good.
>
>
> If you resolving is setup correct both should work.
> netdom verify cyb64w10-monster
> and
> netdom verify cyb64w10-monster.ad.cyberdyne.local
>
> Both work for me and my windows 10 gets this policies.
>
> open dos box and type ipconfig /all
>
> check you primary dns suffix AND dns search.
> Normaly these are the same, can you check this?
>
> My guess, your missing the dns-search
>
> Are you using ipv6 in your lan? If not, try disable it.
> And try again.
> If your using ipv6, then disable it, try it and enable it back.
>
>
> And post the resolv.conf and hosts files
>
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens rme at bluemail.ch
> > Verzonden: woensdag 3 augustus 2016 17:51
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
> >
> > > Can you run on a failing computer :
> > > - netdom verify yourpcname
> >
> > It seems to work only with FQDN:
> >
> >
> > C:\Temp>netdom verify cyb64w10-monster
> > The format of the specified computer name is invalid.
> >
> > The command failed to complete successfully.
> >
> >
> > C:\Temp>netdom verify cyb64w10-monster.ad.cyberdyne.local
> > The secure channel from CYB64W10-MONSTER.AD.CYBERDYNE.LOCAL to the
> domain
> > CYBERDYNE has been verified. The connection
> > is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.
> >
> > The command completed successfully.
> >
> >
> > > - nslookup yourpcname
> >
> > Seems to work fine:
> >
> > C:\Temp>nslookup cyb64w10-monster
> > Server: UnKnown
> > Address: fdea:5b48:d4c1:1:1::6
> >
> > Name: cyb64w10-monster.ad.cyberdyne.local
> > Addresses: fdea:5b48:d4c1:1:1::100
> > 2a02:120b:2c38:2951:8d95:bd76:deaa:73db
> > fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
> > 10.0.1.119
> >
> > > All ok?
> >
> > To me this looks alright. Isn't it?
> >
> >
> > > And is time in sync?
> >
> > Yes, 100% in sync, synchronized via NTP server.
> > I am using two external time servers and the following config in my
> > /etc/ntp.conf:
> > restrict default nomodify nopeer noquery limited kod mssntp
> > restrict 127.0.0.1
> > restrict [::1]
> >
> > As of my understanding with Samba time server enabled this should allow
> > clients
> > to synchronize the clock. Actually manual verification and manual clock
> > sync
> > seems to work:
> >
> > C:\Temp>w32tm /resync
> > Sending resync command to local computer
> > The command completed successfully.
> >
> >
> > > Did you install winbind after the update and also and did you change
> > you
> > > server services line?
> >
> > Well, I have installed Samba on Gentoo via official repositories.
> Winbind
> > was
> > enabled from the beginning when upgrading from Samba 3.1 to 4.0. The
> group
> > policy synchronization worked perfectly fine until 4.2.11 update on
> 4.2.9
> > it was
> > working flawlessly.
> >
> > My service line looks as follows:
> > server services = -dns
> >
> > Full line (samba-tool testparm -vv | grep "server service"):
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbindd,
> > ntp_signd, kcc, dnsupdate
> >
> >
> >
> > > And best is really to setup TLS/SSL
> >
> > Copy that.
> >
> > >
> >
> <https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_S
> > amba_AD_DC>
> > > ( missing on that site : add TLS_REQCERT allow to ldap.conf )
> >
> > Actually from the page I understood if I don't change anything the TLS
> > certificates are generated but they are only valid 700 days. Though my
> > ones were
> > generated in November 2015 (perhaps on first Samba 4 startup) I just
> > cleaned
> > them and let Samba rebuild them on restart. I might go for my own CA and
> > signed
> > certs valid for longer period later if this turns out to be the culprit.
> >
> >
> > So now I changed /etc/ldap/ldap.conf and inserted
> > TLS_REQCERT allow
> >
> >
> > Then I verified the configuration:
> >
> > First verify without TLS, this should fail.
> >
> > # ldapsearch -xLL -H ldap://localhost -D
> > "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b
> > "dc=ad,dc=cyberdyne,dc=local"
> > Enter LDAP Password:
> > ldap_bind: Strong(er) authentication required (8)
> > additional info: BindSimple: Transport encryption required.
> >
> >
> > Then try with TLS, this should succeed.
> >
> > # ldapsearch -ZZ -xLL -H ldap://localhost -D
> > "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b
> > "dc=ad,dc=cyberdyne,dc=local" | head -5
> > Enter LDAP Password:
> > version: 1
> >
> > dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
> > objectClass: top
> > objectClass: group
> > ...
> >
> >
> > Then try with SSL too.
> >
> > # ldapsearch -xLL -H ldaps://localhost -D
> > "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b
> > "dc=ad,dc=cyberdyne,dc=local" | head -5
> > Enter LDAP Password:
> > version: 1
> >
> > dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
> > objectClass: top
> > objectClass: group
> > ...
> >
> >
> >
> > > Now, for the other problem, after above is done/checked.
> >
> > I think TLS works as expected.
> >
> >
> > > You can clear you GPO history on the pc.
> > > Its recreated when you reboot/login again, so now worries..
> >
> > > @echo off
> > > DEL /S /F /Q “%ALLUSERSPROFILE%\Application Data\Microsoft\Group >
> > Policy\History\*.*”
> > > REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
> > > REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
> > > DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
> > > klist purge
> > > gpupdate /force
> > > exit
> >
> > > now reboot your pc, and check again.
> >
> >
> > I did run those although the Group Policy History and secedit.sdb did
> not
> > exist
> > as GPO has never been synced on this machine (fresh Win 10 Pro 1607
> > installation). Though the klist purge and gpupdate run. Unfortunately
> > gpupdate
> > immediately showed the same errors again while Samba printing the same
> > errors in
> > its log:
> >
> > [2016/08/03 17:48:48.064741, 1]
> > ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
> > gss_unwrap_iov failed: Miscellaneous failure (see text): unknown
> mech-
> > code 0
> > for mech 1 2 840 113554 1 2 2
> > [2016/08/03 17:48:48.064868, 0]
> > ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
> > gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176)
> > failed:
> > NT_STATUS_ACCESS_DENIED
> >
> >
> > Many thanks for your patience trying to debug this issue. I am a bit out
> > of
> > ideas now how to trace this down. All file server services of Samba seem
> > to work
> > fine.
> >
> > Thanks again
> > Rainer
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list