[Samba] Samba 4.2.14 Group Policy (GPO) sync error
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 4 09:04:01 UTC 2016
> I actually also thought Windows does not care about
> case sensitivity and for hostnames by default it shouldn't matter.
That's correct, but if Windows is buggy..
Source : https://support.microsoft.com/nl-nl/kb/2891966
It was worth a try..
https://support.microsoft.com/en-us/kb/2954031
For the status report error, one you can check also.
I still see something incorrect here.
> C:\Temp>nslookup cyb64w10-hpnb
> Server: skynet.cyberdyne.local
> Address: 10.0.1.6
>
> Name: cyb64w10-hpnb.ad.cyberdyne.local
> Address: 10.0.1.186
SKYNET.AD.CYBERDYNE.LOCAL is the correct AD DC location.
Above still shows : skynet.cyberdyne.local
Review the settings again, if needed test with a dedicated IP.
Preferred IPv4 in the test.
Now I'm really out to the office, I'm getting late.. so no reply from me until at least 16:00 or tomorrow.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of rme at bluemail.ch
> Sent: Thursday 4 August 2016 10:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
>
> Hello,
>
> > On the win 10, check this reg key.
> > HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname
>
> > It states your hostname here, but if it's not in caps change it to HOSTNAME
>
> Actually the name was in lowercase letters. I changed it to capital letters.
> Though without any effect. I actually also thought Windows does not care about
> case sensitivity and for hostnames by default it shouldn't matter.
>
>
> > In that registry key. (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
> > You should see also your dnsdomain at Domain and NV Domain.
> > NV Hostname should be in CAPS also.
> > The domains not.
>
> Also this was in lowercase which I changed with no effect.
>
> But I noticed another thing:
> In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
> there are a few important parameters:
> Dhcpv6DNSServers:
> Here I see correctly my server fdea:5b48:d4c1:1:1::6 listed.
>
> Dhcpv6DomainSearchList:
> Here it looks only my suffix cyberdyne.local is listed and not
> ad.cyberdyne.local. I have updated my DHCPv6 to include the search suffix
> as well:
> option dhcp6.domain-search "ad.cyberdyne.local", "cyberdyne.local";
>
>
> Strangely the value of the Dhcpv6DomainSearchList in the registry did not
> update. Neither does the value in ipconfig /all
>
> Connection-specific DNS Suffix Search List :
> cyberdyne.local
>
> Actually I tried on one of the machines to disable IPv6 entirely (on client
> side only). Even this did not do any change to the result.
>
>
> So for the moment I am operating one client for testing without IPv6 and one
> with IPv6 enabled. But none of them seem to synchronize GPO.
>
>
>
>
> Just for completeness here's the complete output from a test client with IPv6
> disabled entirely (on client side):
>
> C:\Temp>ipconfig /all
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : CYB64W10-HPNB
> Primary Dns Suffix . . . . . . . : ad.cyberdyne.local
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : ad.cyberdyne.local
>
> Ethernet adapter Ethernet:
>
> Connection-specific DNS Suffix . : cyberdyne.local
> Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
> Physical Address. . . . . . . . . : 00-1A-4B-79-B0-18
> DHCP Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 10.0.1.186(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Lease Obtained. . . . . . . . . . : Thursday, August 4, 2016 10:39:04 AM
> Lease Expires . . . . . . . . . . : Saturday, August 6, 2016 10:39:03 AM
> Default Gateway . . . . . . . . . : 10.0.1.6
> DHCP Server . . . . . . . . . . . : 10.0.1.6
> DNS Servers . . . . . . . . . . . : 10.0.1.6
> 10.0.2.6
> Primary WINS Server . . . . . . . : 10.0.1.6
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> C:\Temp>nslookup cyb64w10-hpnb
> Server: skynet.cyberdyne.local
> Address: 10.0.1.6
>
> Name: cyb64w10-hpnb.ad.cyberdyne.local
> Address: 10.0.1.186
>
> C:\Temp>netdom verify cyb64w10-hpnb
> The secure channel from CYB64W10-HPNB to the domain CYBERDYNE has been verified.
> The connection is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.
>
> The command completed successfully.
>
> C:\Temp>netdom verify cyb64w10-hpnb.ad.cyberdyne.local
> The secure channel from CYB64W10-HPNB.AD.CYBERDYNE.LOCAL to the domain CYBERDYNE
> has been verified. The connection is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.
>
> The command completed successfully.
>
> C:\Temp>gpupdate /force
> Updating policy...
>
> Computer policy could not be updated successfully. The following errors were
> encountered:
>
> The processing of Group Policy failed. Windows could not resolve the computer
> name. This could be caused by one of more of the following:
> a) Name Resolution failure on the current domain controller.
> b) Active Directory Replication Latency (an account created on another domain
> controller has not replicated to the current domain controller).
> User Policy could not be updated successfully. The following errors were
> encountered:
>
> The processing of Group Policy failed. Windows could not resolve the user name.
> This could be caused by one of more of the following:
> a) Name Resolution failure on the current domain controller.
> b) Active Directory Replication Latency (an account created on another domain
> controller has not replicated to the current domain controller).
>
> To diagnose the failure, review the event log or run GPRESULT /H GPReport.html
> from the command line to access information about Group Policy results.
>
>
>
> On Server side I still get the same logs:
>
> [2016/08/04 10:44:54.784497, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2016/08/04 10:44:54.785818, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
>   Starting GENSEC mechanism spnego
> [2016/08/04 10:44:54.786480, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
>   Starting GENSEC submechanism gssapi_krb5
> [2016/08/04 10:44:54.789262, 5] ../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
>   gensec_gssapi: NO credentials were delegated
> [2016/08/04 10:44:54.789373, 5] ../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
>   GSSAPI Connection will be cryptographically sealed
> [2016/08/04 10:44:54.806151, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
>   gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> [2016/08/04 10:44:54.806331, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
>   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=208,pdu=240) failed: NT_STATUS_ACCESS_DENIED
>
>
>
>
> best regards,
> Rainer
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
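
The name mismatch pointed out in the reply above (nslookup shows the DNS server as skynet.cyberdyne.local while netdom reports the DC as SKYNET.AD.CYBERDYNE.LOCAL), as an added example that is not part of the original thread: a small Python check run over pasted command output. The function names are hypothetical; the sample text is copied from the output quoted in the thread, with wrapped lines re-joined.

```python
import re

# Sample text copied from the output quoted in the thread (wrapped lines re-joined).
NSLOOKUP_OUT = """\
Server:  skynet.cyberdyne.local
Address:  10.0.1.6

Name:    cyb64w10-hpnb.ad.cyberdyne.local
Address:  10.0.1.186
"""
NETDOM_OUT = """\
The secure channel from CYB64W10-HPNB to the domain CYBERDYNE has been verified.
The connection is with the machine \\\\SKYNET.AD.CYBERDYNE.LOCAL.
"""
IPCONFIG_OUT = """\
Primary Dns Suffix . . . . . . . : ad.cyberdyne.local
DNS Suffix Search List. . . . . . : ad.cyberdyne.local
Connection-specific DNS Suffix . : cyberdyne.local
"""

def norm(name):
    # DNS names compare case-insensitively; drop a trailing dot or sentence period.
    return name.strip().rstrip(".").lower()

def nslookup_server(text):
    # Name nslookup prints for the resolver (it comes from a reverse/PTR lookup).
    m = re.search(r"^Server:\s*(\S+)", text, re.M)
    return norm(m.group(1)) if m else None

def netdom_dc(text):
    # DC FQDN that "netdom verify" reports after the two leading backslashes.
    m = re.search(r"\\\\([A-Za-z0-9.-]+)", text)
    return norm(m.group(1)) if m else None

def ipconfig_field(text, label):
    # ipconfig pads each label with " . . ." before the colon.
    m = re.search(rf"^\s*{re.escape(label)}[ .]*:\s*(\S+)", text, re.M)
    return norm(m.group(1)) if m else None

def findings(nslookup, netdom, ipconfig):
    out = []
    server, dc = nslookup_server(nslookup), netdom_dc(netdom)
    if server and dc and server != dc:
        out.append(f"DNS server resolves back to {server}, but the DC is {dc}")
    primary = ipconfig_field(ipconfig, "Primary Dns Suffix")
    conn = ipconfig_field(ipconfig, "Connection-specific DNS Suffix")
    if primary and conn and primary != conn:
        out.append(f"connection suffix {conn} is not the AD DNS domain {primary}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(NSLOOKUP_OUT, NETDOM_OUT, IPCONFIG_OUT)))
```
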