[Samba] group policy update fails

John Farmer jfarmer at industrialinfo.com
Thu Nov 17 22:01:28 UTC 2016


We can log in just fine, but Group Policy Update is throwing an error:

gpupdate
Updating Policy...

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
Computer Policy update has completed successfully.

Windows Event Viewer Log shows:

EventID      1110
ErrorCode 1311
ErrorDescription There are currently no logon servers available to service the logon request.


I've tried "samba-tool ntacl sysvolreset"



gpresult /r
INFO: The user does not have RSOP data.




ipconfig /all

Windows IP Configuration

    Host Name . . . . . . . . . . . . : guymcfearsome
    Primary Dns Suffix  . . . . . . . : ad.poopybutthole.com
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : poopybutthole.com

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Qualcomm Atheros AR8161/8165 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
    Physical Address. . . . . . . . . : 94-DE-80-2F-D5-A2
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::f94d:55d6:8406:f24%11(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.243.0.47(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 10.243.0.4
    DHCPv6 IAID . . . . . . . . . . . : 244637312
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-30-AE-C5-94-DE-80-2F-D5-A2

    DNS Servers . . . . . . . . . . . : 10.243.0.90
                                        10.243.0.91
    Primary WINS Server . . . . . . . : 10.243.0.103
    NetBIOS over Tcpip. . . . . . . . : Enabled



cat /etc/resolve.conf

search ad.poopybutthole.com poopybutthole.com
nameserver 10.243.0.91
nameserver 10.243.0.90


Can telnet to port 53 on the DNS server; can also get to ports 389 and 636 on the DC.



[root@dc1 samba]# cat /etc/samba/smb.conf
# Global parameters
[global]
         workgroup = AD
         realm = AD.poopybutthole.COM
         netbios name = DC1
         interfaces = 10.243.0.90/16
         bind interfaces only = Yes
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes
         time server = yes
         server services = -dns
[netlogon]
         path = /var/lib/samba/sysvol/ad.poopybutthole.com/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No



I can also get to the sysvol shares and netlogon shares just fine.

[root@dc1 samba]# cat /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
# default_realm = EXAMPLE.COM
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM




