[Samba] Samba 4.2.14 Group Policy (GPO) sync error

L.P.H. van Belle belle at bazuin.nl
Mon Aug 8 10:10:28 UTC 2016


Hai, 

I've tested the following. I use static and DHCP IPs here.

Everything on static IP works perfectly on Win7 and Win10.
And at the domain join the A and PTR are created automatically.
GPO works fine for both.

DHCP IP.
Win 7 works fine: at AD join the A and PTR are created, and they are updated when the IP changes. GPO works fine.


Win 10 works: at AD join the A and PTR are created but not updated when the IP changes. GPO works fine until the IP is updated.
So I'll look into the "why" the PTR is not updated on Win10.
Besides that it looks normal here.


Rainer, 
I don't think there is an issue with your install.
But I would change the krb5.conf. I'm no Kerberos guru, but I would think something like the below is what you need.


[libdefaults]
         default_realm = AD.CYBERDYNE.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = false

[realms]
         AD.CYBERDYNE.LOCAL = {
                 default_domain = ad.cyberdyne.local
                 kdc = skynet.ad.cyberdyne.local
                 admin_server = skynet.ad.cyberdyne.local
         }

[domain_realm]
         .ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
         ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
         .cyberdyne.local = AD.CYBERDYNE.LOCAL
         cyberdyne.local = AD.CYBERDYNE.LOCAL

or 

[libdefaults]
         default_realm = AD.CYBERDYNE.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = true

[domain_realm]
         .ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
         ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
         .cyberdyne.local = AD.CYBERDYNE.LOCAL
         cyberdyne.local = AD.CYBERDYNE.LOCAL


Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of rme at bluemail.ch
> Sent: Friday 5 August 2016 22:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
> 
> Hello Louis,
> 
> > Win 10, I'm configuring a PC now and setting up the GPO.
> > When done, i'll test that and report back how that goes.
> 
> I actually set up a Win7 VM to test whether GPO sync works fine with it.
> So I installed Windows 7 Professional with the last update rollup
> installed.
> Unfortunately I get exactly the same errors as I get in Windows 10 Pro.
> 
> I am seriously thinking about an issue with my Samba installation or
> something which was broken during classicupgrade. I am facing the same
> issues on two additional Samba 4.2 installations, both were
> classic-upgraded.
> 
> Then I started investigating whether Samba provides some kind of
> "verification" tool.
> Unfortunately I tried 'samba-tool domain provision' once where I found
> it's not only verifying but actually resetting the Samba configuration
> (Privileges, User Accounts, Machine Accounts etc.).
> 
> 
> In fact I would be willing to re-configure my Samba installation from
> scratch. Actually there is only little data I would have to re-do and I
> did some research on whether it's possible to export this data and
> re-import it later. I did find a couple of transfer guides (how to
> transfer from one hardware to another) but here I think I would simply
> copy the /var/lib/samba and /etc/samba folders which should work.
> 
> In my case I am looking for
> - Export user database (including passwords, SID(!!), unix LDAP
> attributes etc.)
> - Export group database (including SID)
> - Export machine accounts (optional, I might re-join the machines)
> - Keep domain SID (net getlocalsid / net setlocalsid)
> - Anything else?
> 
> 
> Actually especially the users database would be a hassle to re-create as
> I would have to inform the users and since I am using roaming profiles
> they should keep their SID as the user profile backup (mainly ntuser.dat
> registry hive) refers to the SID for security descriptors. So I would
> run into trouble if the user is assigned a new SID. Moreover some users
> have Unix attributes (UID, home directory, shell) which I
> should keep as some of them need to log in to the shell too. Needless to
> say that changing the owner of all files owned by specific UID would be
> troublesome.
> But assuming I could export the complete user/group database and
> re-import them (all users except built-in ones like Administrator,
> service accounts etc.) I would be fine with it.
> 
> I already tried
> pdbedit -e smbpasswd:/mydir/myfile
> pdbedit -i smbpasswd:/mydir/myfile
> but it didn't work. The export was fine and the dump was created but
> import fails with an obscure message:
>      build_sam_account: smbpasswd database is corrupt!  username <user>
> with uid <uid> is not in unix passwd database!
>      Username not found!
> 
> Which is weird as of course the user does not exist when I try to import
> it. Moreover looking at the exported file it looks like only the plain
> Windows attributes are exported and especially the SID is not retained.
> So even when the user is restored it would be an issue to log on with
> its old profile assigning permissions to the old SID (e.g. in user
> registry hive). And I certainly don't want the users to start
> configuring all their profiles from scratch.
> 
> 
> Honestly I was a bit busy restoring my Samba installation after
> accidentally scratching it and I didn't do any test on GPO sync after I
> accidentally scratched it - my bad. I will do this again and verify
> whether I can sync GPO properly on a freshly initialized installation
> using 'samba-tool domain provision' with my current smb.conf left intact.
> 
> 
> Does anybody know whether such a migration of users and machine accounts
> to a new installation is possible?
> 
> Thanks
> Rainer
> 
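The two krb5.conf variants suggested in the message differ in how the client finds a KDC: with dns_lookup_kdc = false it must be listed under [realms], with dns_lookup_kdc = true it is located through DNS and [realms] can be left out. The following is an added example, not part of the original post, that checks a krb5.conf for the mixed case where DNS lookup is off and no kdc is listed. The helper names parse_krb5 and lint are hypothetical, the realm and host names are constructed placeholders, and treating an unset dns_lookup_kdc as enabled is an assumption of this sketch.

```python
import re

def parse_krb5(text):
    """Parse sections, 'key = value' relations and one-level { } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section, block = conf.setdefault(head.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = block if block is not None else section
                target.setdefault(key, []).append(value)
    return conf

def lint(text):
    """Return one finding per referenced realm that has no way to locate a KDC."""
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    # Realms the client may need: the default one plus every [domain_realm] target.
    wanted = {r for vals in conf.get("domain_realm", {}).values() for r in vals}
    wanted.update(lib.get("default_realm", [])[:1])
    # Assumption of this sketch: an unset dns_lookup_kdc counts as enabled.
    use_dns = lib.get("dns_lookup_kdc", ["true"])[0].lower() in {"true", "yes", "y", "t", "1", "on"}
    if use_dns:
        return []
    return [f"{realm}: dns_lookup_kdc is off and [realms] lists no kdc"
            for realm in sorted(wanted) if not realms.get(realm, {}).get("kdc")]

# Constructed samples (names are placeholders, not taken from the thread).
STATIC = """[libdefaults]
 default_realm = AD.EXAMPLE.TEST
 dns_lookup_kdc = false
[realms]
 AD.EXAMPLE.TEST = {
  kdc = dc1.ad.example.test
 }
[domain_realm]
 .ad.example.test = AD.EXAMPLE.TEST
"""
DNS_ONLY = STATIC.split("[realms]")[0].replace("false", "true")
MIXED = STATIC.replace(" AD.EXAMPLE.TEST = {\n  kdc = dc1.ad.example.test\n }\n", "")
```

STATIC and DNS_ONLY correspond to the first and second variant and produce no findings; MIXED is the broken combination and produces one.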