[Samba] Samba 4.2.14 Group Policy (GPO) sync error

rme at bluemail.ch rme at bluemail.ch
Mon Aug 8 20:44:02 UTC 2016 

Hi Louis,


> Ive tested the following, i use static and dhcp ip here.

I am using DHCP only.

> Everything on static ip works perfect on win7 and win10.
> And at the domain join the a and ptr is created automaticly.
> GPO works fine for both.

Can't tell about static setup as it's impractical in my networks.


> Dhcp ip.
> Win 7 works fine, AD join A and PTR is created and updated when the ip is changes. GPO works fine.

Was it a fully patched Widndows 7 Pro? As my one still complains about 
being unable to hange the name on domain join and also it fails to 
update GPO.


> Win 10 works, AD join A and PTR is created and but not updated when the ip is changes. GPO works fine until the ip is updated
> So i'll look into the "why" the ptr is not updated on win10.
> Besides that it looks normal here.

Alright, but I doubt this will solve my problem. It probebly just showed 
another problem with Samba which is only partially related. Because my 
IPs don't change very often even with DHCP setup it should actually work 
for me at least right after Domain join.



>Rainer,
> I dont think there is an inssue with your install.
> But i would change the krb5.conf to but im no kerberos guru, i would think its something like below what you need.


I did change my krb5.conf exactly to what you proposed (first proposal 
with dns_lookup_realm = false and realm defined), then restarted Samba 
and still renter into the same issue.

gpupdate:
The processing of Group Policy failed. Windows could not resolve the 
computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another 
domain controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were 
encountered:

The processing of Group Policy failed. Windows could not resolve the 
user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another 
domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H 
GPReport.html from the command line to access information about Group 
Policy results.


This happens on at least 3 classicupgraded Samba installations here.


Any idea how to trace it down?

best regards,
Rainer

More information about the samba mailing list