[Samba] Samba 4.2.14 Group Policy (GPO) sync error
rme at bluemail.ch
Tue Aug 9 18:48:04 UTC 2016
Hi Achim,
Thanks a lot for your reply.
> I remember this error. In my case the pc tried to connect to the gpo
> share not via the server name but via the domain name. In your case
> ad.cyberdyne.local.
Well, I am even able to browse the policies via the domain name:
\\ad.cyberdyne.local\sysvol\ad.cyberdyne.local\Policies
Or via hostname:
\\skynet.ad.cyberdyne.local\sysvol\ad.cyberdyne.local\Policies
It's all working just fine.
> In my case the domain name sometimes resolved to ad dc servers in
> subnet which were not reachable from the client pc so the connection failed.
> Can you browse ad.cyberdyne.local from your client pc? And can it be you
> also have addc servers in other non reachable subnets?
Actually my trusted clients are in 10.0.1.0/24 subnet.
Untrusted clients are in 10.0.2.0/24 subnet but this subnet does not
contain ad-joined hosts.
Samba listens on 3 IPs:
- 10.0.1.6
- 10.0.1.6
- fdea:5b48:d4c1:1:1::6
DNS also resolves those hosts:
>nslookup skynet
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6
Name: skynet.ad.cyberdyne.local
Addresses: fdea:5b48:d4c1:1:1::6
10.0.2.6
10.0.0.6
10.0.1.6
Actually the routes and firewalls also allow unlimited connections from
10.0.1.0/24 to 10.0.2.0/24.
Though as you brought up the topic I tested to connect to
\\10.0.2.6\sysvol from my 10.0.1.x machine. The connection works OK but
somehow I am prompted to enter the password and it does not accept it.
However I don't know why yet.
The same applies to the IPv6 connection at
\\fdea-5b48-d4c1-1-1--6.ipv6-literal.net\sysvol.
It seems I cannot authenticate on any listener interface other than the
main 10.0.1.6 listening address.
I don't know yet what the reason for this is. I also tried this in smb.conf:
interfaces = 10.0.1.6/24
bind interfaces only = true
Now samba only listens on 10.0.1.6 but still samba_dlz resolves all IP
addresses for skynet.ad.cyberdyne.local.
Then I reset my complete samba_dlz installation (removing keytab, user
and private/dns folder entirely) and re-initialized it. Then restarted
named too and ran "samba_dnsupdate --all-names".
Now DNS resolved as follows:
>nslookup skynet.ad.cyberdyne.local
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6
Name: skynet.ad.cyberdyne.local
Address: 10.0.1.6
10.0.0.6
I have no idea at all why Samba still resolves to 10.0.0.6 as it does
not listen on this interface. Yes this interface exists and 10.0.0.0/24
is used on a dedicated physical network interface. But I don't want
Samba to listen on it and the interfaces line (see above) does not list
it. Netstat confirms Samba does not listen on this interface.
So I removed the entry manually:
samba-tool dns delete skynet.ad.cyberdyne.local ad.cyberdyne.local skynet A 10.0.0.6
Now DNS looks alright, IPv4 only:
>nslookup skynet.ad.cyberdyne.local
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6
Name: skynet.ad.cyberdyne.local
Address: 10.0.1.6
To also exclude any possible issue with IPv6 I also disabled IPv6 on my
testing client.
Now from the client I am able to connect to
\\skynet.ad.cyberdyne.local\sysvol, but get access-denied on
\\10.0.1.6\sysvol, no matter which account I try.
Also when I do 'samba_dnsupdate --all-names' I see the following in the
logs (repeated) but no error reported.
[2016/08/09 20:41:33.748195, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ named at AD.CYBERDYNE.LOCAL from ipv4:10.0.1.6:33531
for krbtgt/AD.CYBERDYNE.LOCAL at AD.CYBERDYNE.LOCAL
[2016/08/09 20:41:33.749880, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: UNKNOWN -- named at AD.CYBERDYNE.LOCAL: no such entry found in hdb
So something might be fishy in samba code to bind to multiple network
interfaces:
- Samba partially ignores the interfaces directive
- Somehow I can only connect to the first interface, not to any other IP
best regards,
Rainer