[Samba] Samba 4.2.14 Group Policy (GPO) sync error
rme at bluemail.ch
Thu Aug 4 08:45:22 UTC 2016
Hello,
> On the win 10, check this reg key.
> HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname
> It states your hostname here, but if it's not in caps change it to HOSTNAME
Actually the name was in lowercase letters. I changed it to capital letters.
Though without any effect. I actually also thought Windows does not care about
case sensitivity and for hostnames by default it shouldn't matter.
> In that register key. (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
> You should see also your dnsdomain at Domain and NV Domain.
> NV Hostname should be in CAPS also.
> The domains not.
Also this was in lowercase which I changed with no effect.
But I noticed another thing:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters there
are a few important parameters:
Dhcpv6DNSServers:
Here I see correctly my server fdea:5b48:d4c1:1:1::6 listed.
Dhcpv6DomainSearchList:
Here it looks like only my suffix cyberdyne.local is listed and not
ad.cyberdyne.local. I have updated my DHCPv6 to include the search suffix as well:
option dhcp6.domain-search "ad.cyberdyne.local", "cyberdyne.local";
Strangely the value of the Dhcpv6DomainSearchList in the registry did not
update. Neither does the value in ipconfig /all:
Connection-specific DNS Suffix Search List :
cyberdyne.local
Actually I tried on one of the machines to disable IPv6 entirely (on client side
only). Even this did not make any change to the result.
So for the moment I am operating one client for testing without IPv6 and one
with IPv6 enabled. But none of them seem to synchronize GPO.
Just for completeness here's the complete output from a test client with IPv6
disabled entirely (on client side):

C:\Temp>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : CYB64W10-HPNB
   Primary Dns Suffix  . . . . . . . : ad.cyberdyne.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ad.cyberdyne.local

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : cyberdyne.local
   Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1A-4B-79-B0-18
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.1.186(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, August 4, 2016 10:39:04 AM
   Lease Expires . . . . . . . . . . : Saturday, August 6, 2016 10:39:03 AM
   Default Gateway . . . . . . . . . : 10.0.1.6
   DHCP Server . . . . . . . . . . . : 10.0.1.6
   DNS Servers . . . . . . . . . . . : 10.0.1.6
                                       10.0.2.6
   Primary WINS Server . . . . . . . : 10.0.1.6
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Temp>nslookup cyb64w10-hpnb
Server:  skynet.cyberdyne.local
Address:  10.0.1.6

Name:    cyb64w10-hpnb.ad.cyberdyne.local
Address:  10.0.1.186

C:\Temp>netdom verify cyb64w10-hpnb
The secure channel from CYB64W10-HPNB to the domain CYBERDYNE has been verified.
The connection is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.

The command completed successfully.

C:\Temp>netdom verify cyb64w10-hpnb.ad.cyberdyne.local
The secure channel from CYB64W10-HPNB.AD.CYBERDYNE.LOCAL to the domain CYBERDYNE
has been verified. The connection is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.

The command completed successfully.

C:\Temp>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were
encountered:

The processing of Group Policy failed. Windows could not resolve the computer
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).

User Policy could not be updated successfully. The following errors were
encountered:

The processing of Group Policy failed. Windows could not resolve the user name.
This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html
from the command line to access information about Group Policy results.

On Server side I still get the same logs:

[2016/08/04 10:44:54.784497, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/08/04 10:44:54.785818, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2016/08/04 10:44:54.786480, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
  Starting GENSEC submechanism gssapi_krb5
[2016/08/04 10:44:54.789262, 5] ../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
  gensec_gssapi: NO credentials were delegated
[2016/08/04 10:44:54.789373, 5] ../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
  GSSAPI Connection will be cryptographically sealed
[2016/08/04 10:44:54.806151, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/04 10:44:54.806331, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=208,pdu=240) failed: NT_STATUS_ACCESS_DENIED

best regards,
Rainer
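
Added example (not part of the original message and not Samba project code): a small triage parser for Samba log excerpts like the one in this message. It rejoins headers that line wrapping has split from their source location, then pulls out the level 0/1 records from the GSSAPI unseal functions together with the mechanism OID and NT status they report. The function names parse_records and unseal_failures are hypothetical; the sample is constructed from the lines quoted above.

```python
import re

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)$")

# Constructed sample: log lines from the message, kept mail-wrapped.
SAMPLE = """\
[2016/08/04 10:44:54.789373, 5]
../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
GSSAPI Connection will be cryptographically sealed
[2016/08/04 10:44:54.806151, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/04 10:44:54.806331, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=208,pdu=240) failed:
NT_STATUS_ACCESS_DENIED
"""

def parse_records(text):
    """Rejoin wrapped header, source-location and message lines."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append(dict(time=m[1], level=int(m[2]), func=None, msg=""))
            line = m[3]  # the location may share the header line
        if not line or not records:
            continue
        rec, loc = records[-1], LOCATION.match(line)
        if rec["func"] is None and loc:
            rec["func"] = loc[3]
        else:
            rec["msg"] = (rec["msg"] + " " + line).strip()
    return records

def unseal_failures(records):
    """Summarise level 0/1 records logged by the GSSAPI unseal functions."""
    sealed = any("cryptographically sealed" in r["msg"] for r in records)
    out = []
    for r in records:
        if r["level"] <= 1 and "unseal" in (r["func"] or ""):
            mech = re.search(r"for mech ((?:\d+ ?)+)", r["msg"])
            status = re.search(r"NT_STATUS_\w+", r["msg"])
            out.append({"time": r["time"], "func": r["func"], "sealed": sealed,
                        "mech_oid": ".".join(mech[1].split()) if mech else None,
                        "status": status[0] if status else None})
    return out
```

The OID 1.2.840.113554.1.2.2 that the first hit reports is the Kerberos 5 GSS-API mechanism, which matches the gssapi_krb5 submechanism named earlier in the log.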