[Samba] Samba 4.2.14 Group Policy (GPO) sync error

rme at bluemail.ch
Thu Aug 4 08:45:22 UTC 2016


Hello,

> On the Win 10, check this reg key.
> HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname
>
> It states your hostname here, but if it's not in caps change it to HOSTNAME

Actually the name was in lowercase letters. I changed it to capital letters, 
though without any effect. I actually also thought Windows does not care about 
case sensitivity, and for hostnames by default it shouldn't matter.


> In that registry key (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
> you should also see your dnsdomain at Domain and NV Domain.
> NV Hostname should be in CAPS also.
> The domains not.

Also this was in lowercase, which I changed with no effect.

But I noticed another thing:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters there 
are a few important parameters:
Dhcpv6DNSServers:
   Here I correctly see my server fdea:5b48:d4c1:1:1::6 listed.

Dhcpv6DomainSearchList:
   Here it looks like only my suffix cyberdyne.local is listed and not 
ad.cyberdyne.local. I have updated my DHCPv6 to include the search suffix as well:
   option dhcp6.domain-search "ad.cyberdyne.local", "cyberdyne.local";


Strangely the value of Dhcpv6DomainSearchList in the registry did not 
update. Neither does the value in ipconfig /all:

    Connection-specific DNS Suffix Search List :
                                        cyberdyne.local

Actually I tried on one of the machines to disable IPv6 entirely (on the client 
side only). Even this did not change the result.


So for the moment I am operating one client for testing without IPv6 and one 
with IPv6 enabled. But neither of them seems to synchronize GPO.




Just for completeness here's the complete output from a test client with IPv6 
disabled entirely (on client side):

C:\Temp>ipconfig /all

Windows IP Configuration

    Host Name . . . . . . . . . . . . : CYB64W10-HPNB
    Primary Dns Suffix  . . . . . . . : ad.cyberdyne.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : ad.cyberdyne.local

Ethernet adapter Ethernet:

    Connection-specific DNS Suffix  . : cyberdyne.local
    Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
    Physical Address. . . . . . . . . : 00-1A-4B-79-B0-18
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 10.0.1.186(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Thursday, August 4, 2016 10:39:04 AM
    Lease Expires . . . . . . . . . . : Saturday, August 6, 2016 10:39:03 AM
    Default Gateway . . . . . . . . . : 10.0.1.6
    DHCP Server . . . . . . . . . . . : 10.0.1.6
    DNS Servers . . . . . . . . . . . : 10.0.1.6
                                        10.0.2.6
    Primary WINS Server . . . . . . . : 10.0.1.6
    NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Temp>nslookup cyb64w10-hpnb
Server:  skynet.cyberdyne.local
Address:  10.0.1.6

Name:    cyb64w10-hpnb.ad.cyberdyne.local
Address:  10.0.1.186

C:\Temp>netdom verify cyb64w10-hpnb
The secure channel from CYB64W10-HPNB to the domain CYBERDYNE has been verified. 
  The connection
is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.

The command completed successfully.

C:\Temp>netdom verify cyb64w10-hpnb.ad.cyberdyne.local
The secure channel from CYB64W10-HPNB.AD.CYBERDYNE.LOCAL to the domain CYBERDYNE 
has been verified.  The connection
is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.

The command completed successfully.

C:\Temp>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were 
encountered:

The processing of Group Policy failed. Windows could not resolve the computer 
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain 
controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were 
encountered:

The processing of Group Policy failed. Windows could not resolve the user name. 
This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain 
controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html 
from the command line to access information about Group Policy results.



On the server side I still get the same logs:

[2016/08/04 10:44:54.784497,  3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2016/08/04 10:44:54.785818,  5] 
../auth/gensec/gensec_start.c:672(gensec_start_mech)
   Starting GENSEC mechanism spnego
[2016/08/04 10:44:54.786480,  5] 
../auth/gensec/gensec_start.c:672(gensec_start_mech)
   Starting GENSEC submechanism gssapi_krb5
[2016/08/04 10:44:54.789262,  5] 
../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
   gensec_gssapi: NO credentials were delegated
[2016/08/04 10:44:54.789373,  5] 
../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
   GSSAPI Connection will be cryptographically sealed
[2016/08/04 10:44:54.806151,  1] 
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
   gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0 
for mech 1 2 840 113554 1 2 2
[2016/08/04 10:44:54.806331,  0] 
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=208,pdu=240) failed: 
NT_STATUS_ACCESS_DENIED




best regards,
Rainer
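The `ipconfig /all` dump above can be checked mechanically for the client-side name-resolution conditions Group Policy processing depends on (primary DNS suffix equal to the AD domain, the AD domain present in the suffix search list, DNS servers pointing at the domain controllers). The following script is an added example for this thread, not Rainer's own tooling and not part of Samba; the function names `parse_ipconfig` and `check_gpo_dns_prereqs`, the `dc_addresses` parameter, the severity labels and the assumption of the English-locale `ipconfig` layout shown in the post are all this example's own. The sample text is the output quoted in the thread.

```python
import re

# Key lines in `ipconfig /all` are indented and padded with " . . ." up to the
# colon; section headers ("Windows IP Configuration", "Ethernet adapter X:")
# start in column 0. Assumption of this example: the English-locale layout.
KV_RE = re.compile(r"^\s+([A-Za-z][^.:]*?)\.?(?: \.)+ ?: ?(.*)$")


def parse_ipconfig(text):
    """Parse `ipconfig /all` output into {section: {key: [values]}}.

    A wrapped value (e.g. a second DNS server on its own line, as in the
    thread) is appended to the preceding key."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(line.strip().rstrip(":"), {})
            last_key = None
            continue
        if current is None:
            continue
        m = KV_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            values = current.setdefault(last_key, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
        elif last_key is not None:
            current[last_key].append(line.strip())
    return sections


def check_gpo_dns_prereqs(text, ad_domain, dc_addresses):
    """Return (severity, message) findings for a domain member's DNS settings.

    ad_domain: the AD DNS domain (here "ad.cyberdyne.local").
    dc_addresses: the DNS server addresses the client is expected to use
    (the domain controllers). Both checks and severities are this example's."""
    sections = parse_ipconfig(text)
    glob = sections.get("Windows IP Configuration", {})
    want = ad_domain.lower()
    findings = []

    primary = (glob.get("Primary Dns Suffix") or [""])[0].lower()
    if primary != want:
        findings.append(("error", f"primary DNS suffix is '{primary}', expected '{want}'"))

    search = [s.lower() for s in glob.get("DNS Suffix Search List", [])]
    if want not in search:
        findings.append(("error", f"'{want}' missing from DNS suffix search list {search}"))

    for name, sec in sections.items():
        if name == "Windows IP Configuration":
            continue
        for srv in sec.get("DNS Servers", []):
            if srv not in dc_addresses:
                findings.append(("error", f"{name}: DNS server {srv} is not one of the expected AD DNS servers"))
        conn = (sec.get("Connection-specific DNS Suffix") or [""])[0].lower()
        if conn and conn != want:
            # Informational: the DHCP-supplied suffix is only used for unqualified lookups.
            findings.append(("info", f"{name}: connection-specific suffix '{conn}' (from DHCP) differs from AD domain '{want}'"))
    return findings


# Sample input: the `ipconfig /all` output quoted in the thread (IPv6 disabled on the client).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

    Host Name . . . . . . . . . . . . : CYB64W10-HPNB
    Primary Dns Suffix  . . . . . . . : ad.cyberdyne.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : ad.cyberdyne.local

Ethernet adapter Ethernet:

    Connection-specific DNS Suffix  . : cyberdyne.local
    Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
    Physical Address. . . . . . . . . : 00-1A-4B-79-B0-18
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 10.0.1.186(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Thursday, August 4, 2016 10:39:04 AM
    Lease Expires . . . . . . . . . . : Saturday, August 6, 2016 10:39:03 AM
    Default Gateway . . . . . . . . . : 10.0.1.6
    DHCP Server . . . . . . . . . . . : 10.0.1.6
    DNS Servers . . . . . . . . . . . : 10.0.1.6
                                        10.0.2.6
    Primary WINS Server . . . . . . . : 10.0.1.6
    NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for severity, message in check_gpo_dns_prereqs(SAMPLE_IPCONFIG, "ad.cyberdyne.local", {"10.0.1.6", "10.0.2.6"}):
        print(f"[{severity}] {message}")
```

Run against the dump in the thread with both DCs listed, the script reports only the informational mismatch between the DHCP-supplied connection-specific suffix and the AD domain; the primary suffix, search list and DNS servers all pass, which is consistent with `nslookup` and `netdom verify` succeeding.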


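The Samba debug lines at the end of the post are hard to read because the `file:line(function)` location is sometimes wrapped onto the line after the `[timestamp, level]` header and messages continue on unindented lines. The parser below is an added example for this thread, not Samba's own tooling and not something Rainer posted: it reassembles each entry and then pairs the `gssapi_unseal_packet` error (level 1) with the `gensec_gssapi_unseal_packet` failure (level 0) that follows it, which is the `NT_STATUS_ACCESS_DENIED` a defender would want surfaced from a `log level` 5 server log. The `Entry` dataclass, the regexes and the function names are this example's assumptions; the sample log is the excerpt quoted in the thread.

```python
import re
from dataclasses import dataclass

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)".
# In the thread the location part is wrapped onto the next line, so the
# parser accepts it either on the header line or on the line after it.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION_RE = re.compile(r"^(\S+):(\d+)\((\w+)\)$")


@dataclass
class Entry:
    ts: str
    level: int
    file: str = ""
    line: int = 0
    func: str = ""
    msg: str = ""


def _set_location(entry, text):
    m = LOCATION_RE.match(text.strip())
    if m:
        entry.file, entry.line, entry.func = m.group(1), int(m.group(2)), m.group(3)
    return bool(m)


def parse_samba_log(text):
    """Reassemble Samba debug output into Entry objects, joining wrapped lines."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Entry(ts=m.group(1), level=int(m.group(2)))
            entries.append(cur)
            if m.group(3).strip():
                _set_location(cur, m.group(3))
            continue
        if cur is None:
            continue
        if not cur.func and _set_location(cur, line):
            continue  # location was wrapped onto its own line
        cur.msg = f"{cur.msg} {line}".strip()
    return entries


def find_unseal_failures(entries):
    """Each failed gensec_gssapi_unseal_packet, paired with the preceding
    gssapi_unseal_packet (gss_unwrap_iov) error that explains it."""
    failures = []
    for i, e in enumerate(entries):
        if e.func == "gensec_gssapi_unseal_packet" and "failed" in e.msg:
            status = re.search(r"NT_STATUS_\w+", e.msg)
            cause = next((p.msg for p in reversed(entries[:i]) if p.func == "gssapi_unseal_packet"), None)
            failures.append({"ts": e.ts, "status": status.group(0) if status else None, "cause": cause})
    return failures


# Sample input: the server log excerpt quoted in the thread, wrapping included.
SAMPLE_LOG = """\
[2016/08/04 10:44:54.784497,  3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2016/08/04 10:44:54.785818,  5] 
../auth/gensec/gensec_start.c:672(gensec_start_mech)
   Starting GENSEC mechanism spnego
[2016/08/04 10:44:54.786480,  5] 
../auth/gensec/gensec_start.c:672(gensec_start_mech)
   Starting GENSEC submechanism gssapi_krb5
[2016/08/04 10:44:54.789262,  5] 
../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
   gensec_gssapi: NO credentials were delegated
[2016/08/04 10:44:54.789373,  5] 
../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
   GSSAPI Connection will be cryptographically sealed
[2016/08/04 10:44:54.806151,  1] 
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
   gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0 
for mech 1 2 840 113554 1 2 2
[2016/08/04 10:44:54.806331,  0] 
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=208,pdu=240) failed: 
NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for f in find_unseal_failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['status']} <- {f['cause']}")
```

On the excerpt this yields one failure at 10:44:54.806331 with status NT_STATUS_ACCESS_DENIED and the `gss_unwrap_iov` message as its cause; on a full-day log the same loop gives a count and timeline of sealed-connection failures per client, which is more useful for correlating with `gpupdate` attempts than grepping single lines.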
