[Samba] Samba 4.2.14 Group Policy (GPO) sync error

Achim Gottinger achim at ag-web.biz
Mon Aug 8 21:05:30 UTC 2016



On 08.08.2016 at 22:44, rme at bluemail.ch wrote:
> Hi Louis,
>
>
>> I've tested the following; I use static and DHCP IP here.
>
> I am using DHCP only.
>
>> Everything on static ip works perfect on win7 and win10.
>> And at the domain join the A and PTR is created automatically.
>> GPO works fine for both.
>
> Can't tell about static setup as it's impractical in my networks.
>
>
>> DHCP IP.
>> Win 7 works fine, AD join A and PTR is created and updated when the
>> IP is changed. GPO works fine.
>
> Was it a fully patched Windows 7 Pro? As my one still complains about
> being unable to change the name on domain join and also it fails to
> update GPO.
>
>
>> Win 10 works, AD join A and PTR is created but not updated when
>> the IP is changed. GPO works fine until the IP is updated.
>> So I'll look into the "why" the PTR is not updated on Win10.
>> Besides that it looks normal here.
>
> Alright, but I doubt this will solve my problem. It probably just
> showed another problem with Samba which is only partially related. 
> Because my IPs don't change very often even with DHCP setup it should 
> actually work for me at least right after Domain join.
>
>
>
>> Rainer,
>> I don't think there is an issue with your install.
>> But I would change the krb5.conf to but I'm no Kerberos guru, I would
>> think it's something like below what you need.
>
>
> I did change my krb5.conf exactly to what you proposed (first proposal 
> with dns_lookup_realm = false and realm defined), then restarted Samba 
> and still run into the same issue.
>
> gpupdate:
> The processing of Group Policy failed. Windows could not resolve the 
> computer name. This could be caused by one of more of the following:
> a) Name Resolution failure on the current domain controller.
> b) Active Directory Replication Latency (an account created on another 
> domain controller has not replicated to the current domain controller).
> User Policy could not be updated successfully. The following errors 
> were encountered:
>
> The processing of Group Policy failed. Windows could not resolve the 
> user name. This could be caused by one of more of the following:
> a) Name Resolution failure on the current domain controller.
> b) Active Directory Replication Latency (an account created on another 
> domain controller has not replicated to the current domain controller).
>
> To diagnose the failure, review the event log or run GPRESULT /H 
> GPReport.html from the command line to access information about Group 
> Policy results.
>
>
> This happens on at least 3 classicupgraded Samba installations here.
>
>
> Any idea how to trace it down?
>
> best regards,
> Rainer
>
Hello Rainer,

I remember this error. In my case the PC tried to connect to the GPO
share not via the server name but via the domain name. In your case
ad.cyberdyne.local.
In my case the domain name sometimes resolved to AD DC servers in
subnets which were not reachable from the client PC, so the connection failed.
Can you browse ad.cyberdyne.local from your client PC? And can it be you
also have AD DC servers in other non-reachable subnets?

Achim~
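
A way to check for the situation described in the reply above, as an added example that is not part of the original message: it resolves the AD domain name to every address behind it and tests each one on TCP 445 (SMB, which serves the SYSVOL share). The function names are hypothetical, and the default domain is the one mentioned in the thread.

```python
import socket
import sys

def resolve_all(name):
    """Return every address the name resolves to, de-duplicated, in DNS order."""
    infos = socket.getaddrinfo(name, 445, proto=socket.IPPROTO_TCP)
    return list(dict.fromkeys(info[4][0] for info in infos))

def smb_reachable(addr, timeout=3.0):
    """True if a TCP connection to port 445 on addr succeeds within timeout."""
    try:
        with socket.create_connection((addr, 445), timeout=timeout):
            return True
    except OSError:
        return False

def check_domain(domain, resolve=resolve_all, probe=smb_reachable):
    """Probe every address behind the domain name; return (reachable, unreachable)."""
    try:
        addrs = resolve(domain)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        raise RuntimeError(f"cannot resolve {domain}: {exc}") from exc
    reachable = [a for a in addrs if probe(a)]
    unreachable = [a for a in addrs if a not in reachable]
    return reachable, unreachable

def verdict(reachable, unreachable):
    """Classify the result in terms of the failure mode from the thread."""
    if not reachable and not unreachable:
        return "no-addresses"
    if not reachable:
        return "all-unreachable"
    if unreachable:
        return "intermittent"  # fails whenever the client picks an unreachable DC
    return "ok"

if __name__ == "__main__":
    # Run on the affected client, using the same DNS server the client uses.
    domain = sys.argv[1] if len(sys.argv) > 1 else "ad.cyberdyne.local"
    ok, bad = check_domain(domain)
    for a in ok:
        print(f"{a}: 445/tcp reachable")
    for a in bad:
        print(f"{a}: 445/tcp NOT reachable")
    print("verdict:", verdict(ok, bad))
```

A verdict of "intermittent" matches the case where gpupdate works only when the domain name happens to resolve to a DC in a reachable subnet.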
