[Samba] Samba 4.2.14 Group Policy (GPO) sync error

L.P.H. van Belle belle at bazuin.nl
Thu Aug 4 09:04:01 UTC 2016


> I actually also thought Windows does not care about
> case sensitivity and for hostnames by default it shouldn't matter.
That's correct, but if Windows is buggy..
Source :  https://support.microsoft.com/nl-nl/kb/2891966 
It was worth a try.. 


https://support.microsoft.com/en-us/kb/2954031 
for the status report error, one you can check also.


I still see something incorrect here.

> C:\Temp>nslookup cyb64w10-hpnb
> Server:  skynet.cyberdyne.local
> Address:  10.0.1.6

> C:\Temp>nslookup cyb64w10-hpnb
> Server:  skynet.cyberdyne.local
> Address:  10.0.1.6
> 
> Name:    cyb64w10-hpnb.ad.cyberdyne.local
> Address:  10.0.1.186

SKYNET.AD.CYBERDYNE.LOCAL is the correct AD DC location. 
Above still shows : skynet.cyberdyne.local 

Review the settings again, if needed test with a dedicated IP. 
Preferred IPv4 in the test.

Now I'm really out to office, I'm getting late.. so no reply for me until at least 16:00 or tomorrow.



Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of rme at bluemail.ch
> Sent: Thursday, 4 August 2016 10:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
> 
> Hello,
> 
>  > On the win 10, check this reg key.
>  > HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname
> 
>  > It states your hostname here, but if it's not in caps change it to HOSTNAME
> 
> Actually the name was in lowercase letters. I changed it to capital letters.
> Though without any effect. I actually also thought Windows does not care about
> case sensitivity and for hostnames by default it shouldn't matter.
> 
> 
>  > In that registry key.
>  > (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
>  > You should see also your dnsdomain at Domain and NV Domain.
>  > NV Hostname should be in CAPS also.
>  > The domains not.
> 
> Also this was in lowercase which I changed with no effect.
> 
> But I noticed another thing:
> In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
> there are a few important parameters:
> Dhcpv6DNSServers:
>    Here I see correctly my server fdea:5b48:d4c1:1:1::6 listed.
> 
> Dhcpv6DomainSearchList:
>    Here it looks only my suffix cyberdyne.local is listed and not
> ad.cyberdyne.local. I have updated my DHCPv6 to include the search suffix
> as well:
>    option dhcp6.domain-search "ad.cyberdyne.local", "cyberdyne.local";
> 
> 
> Strangely the value of the Dhcpv6DomainSearchList in the registry did not
> update. Neither does the value in ipconfig /all
> 
>     Connection-specific DNS Suffix Search List :
>                                         cyberdyne.local
> 
> Actually I tried on one of the machines to disable IPv6 entirely (on client
> side only). Even this did not do any change to the result.
> 
> 
> So for the moment I am operating one client for testing without IPv6 and one
> with IPv6 enabled. But none of them seem to synchronize GPO.
> 
> 
> 
> 
> Just for completeness here's the complete output from a test client with IPv6
> disabled entirely (on client side):
> 
> C:\Temp>ipconfig /all
> 
> Windows IP Configuration
> 
>     Host Name . . . . . . . . . . . . : CYB64W10-HPNB
>     Primary Dns Suffix  . . . . . . . : ad.cyberdyne.local
>     Node Type . . . . . . . . . . . . : Hybrid
>     IP Routing Enabled. . . . . . . . : No
>     WINS Proxy Enabled. . . . . . . . : No
>     DNS Suffix Search List. . . . . . : ad.cyberdyne.local
> 
> Ethernet adapter Ethernet:
> 
>     Connection-specific DNS Suffix  . : cyberdyne.local
>     Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
>     Physical Address. . . . . . . . . : 00-1A-4B-79-B0-18
>     DHCP Enabled. . . . . . . . . . . : Yes
>     Autoconfiguration Enabled . . . . : Yes
>     IPv4 Address. . . . . . . . . . . : 10.0.1.186(Preferred)
>     Subnet Mask . . . . . . . . . . . : 255.255.255.0
>     Lease Obtained. . . . . . . . . . : Thursday, August 4, 2016 10:39:04 AM
>     Lease Expires . . . . . . . . . . : Saturday, August 6, 2016 10:39:03 AM
>     Default Gateway . . . . . . . . . : 10.0.1.6
>     DHCP Server . . . . . . . . . . . : 10.0.1.6
>     DNS Servers . . . . . . . . . . . : 10.0.1.6
>                                         10.0.2.6
>     Primary WINS Server . . . . . . . : 10.0.1.6
>     NetBIOS over Tcpip. . . . . . . . : Enabled
> 
> C:\Temp>nslookup cyb64w10-hpnb
> Server:  skynet.cyberdyne.local
> Address:  10.0.1.6
> 
> Name:    cyb64w10-hpnb.ad.cyberdyne.local
> Address:  10.0.1.186
> 
> C:\Temp>netdom verify cyb64w10-hpnb
> The secure channel from CYB64W10-HPNB to the domain CYBERDYNE has been verified.  The connection
> is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.
> 
> The command completed successfully.
> 
> C:\Temp>netdom verify cyb64w10-hpnb.ad.cyberdyne.local
> The secure channel from CYB64W10-HPNB.AD.CYBERDYNE.LOCAL to the domain CYBERDYNE has been verified.  The connection
> is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.
> 
> The command completed successfully.
> 
> C:\Temp>gpupdate /force
> Updating policy...
> 
> Computer policy could not be updated successfully. The following errors were
> encountered:
> 
> The processing of Group Policy failed. Windows could not resolve the computer
> name. This could be caused by one of more of the following:
> a) Name Resolution failure on the current domain controller.
> b) Active Directory Replication Latency (an account created on another domain
> controller has not replicated to the current domain controller).
> User Policy could not be updated successfully. The following errors were
> encountered:
> 
> The processing of Group Policy failed. Windows could not resolve the user name.
> This could be caused by one of more of the following:
> a) Name Resolution failure on the current domain controller.
> b) Active Directory Replication Latency (an account created on another domain
> controller has not replicated to the current domain controller).
> 
> To diagnose the failure, review the event log or run GPRESULT /H GPReport.html
> from the command line to access information about Group Policy results.
> 
> 
> 
> On Server side I still get the same logs:
> 
> [2016/08/04 10:44:54.784497,  3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
>    ldb_wrap open of secrets.ldb
> [2016/08/04 10:44:54.785818,  5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
>    Starting GENSEC mechanism spnego
> [2016/08/04 10:44:54.786480,  5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
>    Starting GENSEC submechanism gssapi_krb5
> [2016/08/04 10:44:54.789262,  5] ../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
>    gensec_gssapi: NO credentials were delegated
> [2016/08/04 10:44:54.789373,  5] ../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
>    GSSAPI Connection will be cryptographically sealed
> [2016/08/04 10:44:54.806151,  1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
>    gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> [2016/08/04 10:44:54.806331,  0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
>    gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=208,pdu=240) failed: NT_STATUS_ACCESS_DENIED
> 
> 
> 
> 
> best regards,
> Rainer
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
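
The name comparison discussed in this thread (nslookup's "Server:" name against the DC named by netdom verify and the client's primary DNS suffix), as an added example that is not part of either message. The function names are hypothetical and the sample input is constructed from the output quoted above.

```python
import re

# Constructed sample input, copied from the command output quoted in this thread.
NSLOOKUP_OUT = """Server:  skynet.cyberdyne.local
Address:  10.0.1.6

Name:    cyb64w10-hpnb.ad.cyberdyne.local
Address:  10.0.1.186
"""
NETDOM_OUT = """The secure channel from CYB64W10-HPNB to the domain CYBERDYNE has been verified.  The connection
is with the machine \\\\SKYNET.AD.CYBERDYNE.LOCAL.
"""
IPCONFIG_OUT = """    Host Name . . . . . . . . . . . . : CYB64W10-HPNB
    Primary Dns Suffix  . . . . . . . : ad.cyberdyne.local
"""

def norm(name):
    """DNS names compare case-insensitively; drop a trailing dot."""
    return name.strip().rstrip(".").lower()

def _first(pattern, text):
    m = re.search(pattern, text, re.M)
    return norm(m.group(1)) if m else None

def dns_server_name(nslookup_out):
    # nslookup fills in "Server:" from a reverse lookup of the resolver's address.
    return _first(r"^Server:\s+(\S+)", nslookup_out)

def secure_channel_dc(netdom_out):
    # "is with the machine \\NAME." -> NAME (norm strips the sentence's final dot)
    return _first(r"with the machine\s+\\\\([\w.-]+)", netdom_out)

def primary_dns_suffix(ipconfig_out):
    return _first(r"Primary Dns Suffix[ .]*:[ \t]*(\S+)", ipconfig_out)

def check_dc_naming(nslookup_out, netdom_out, ipconfig_out):
    """Return a list of findings; an empty list means the names agree."""
    server = dns_server_name(nslookup_out)
    dc = secure_channel_dc(netdom_out)
    suffix = primary_dns_suffix(ipconfig_out)
    findings = []
    if server and dc and server != dc:
        findings.append(f"DNS server is named {server} but the secure channel DC is {dc}")
    if server and suffix and not server.endswith("." + suffix):
        findings.append(f"{server} is not inside the AD DNS domain {suffix}")
    return findings

if __name__ == "__main__":
    for finding in check_dc_naming(NSLOOKUP_OUT, NETDOM_OUT, IPCONFIG_OUT):
        print("MISMATCH:", finding)
```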




