[Samba] group policy update fails

Mike Lykov combr at samges.ru
Fri Nov 18 17:29:25 UTC 2016 

18.11.2016 16:45, L.P.H. van Belle via samba пишет:

 > Ok just to verify.
 >
 > DC name=
 > ad41.dc.samges.ru
 >
 > dnsdomain= dc.samges.ru

yes

 > Kerberos domain ??

/etc/krb5.conf
[libdefaults]
         default_realm = DC.SAMGES.RU
         dns_lookup_realm = false
         dns_lookup_kdc = true

 > Im guessing you kerberos to dnsdomain mapping is wrong.
 > Can you post the
 > /etc/hosts
 > /etc/resolv.conf
 > /etc/krb5.conf

and see thread "DC server own hostname must be part of ad dc domain?" 
here from me.

In your script you use dns query like
SETDNSDOMAIN=`hostname -d`
... $(host -t SRV _kerberos._udp.${SETDNSDOMAIN}
but in my case it's not work, because
SETDNSDOMAIN=samges.ru instead of dc.samges.ru
(I patch it with setting SETDNSDOMAIN=dc.samges.ru by hand)

but all seems work (users authorised, gpo propagated)

 > And, can you post this line u used for provisioning?

where I can find it after more than 2 years?

It's like samba-tool domain provision --use-rfc2307 --interactive

Maybe we move to that thread (about own hostname) because here it's some 
offtopic not about gpo updates.


>> -----Oorspronkelijk bericht-----
>> Van: Mike Lykov [mailto:combr at samges.ru]
>> Verzonden: vrijdag 18 november 2016 12:20
>> Aan: L.P.H. van Belle
>> Onderwerp: Re: [Samba] group policy update fails
>>
>> 18.11.2016 12:04, L.P.H. van Belle via samba ??????????:
>>> This looks all good.
>>>
>>> Can you check you database replication with my script.
>>> http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh
>>> It does some basic checked to detect the AD DC's.
>>> And it compaires the ad db database in 2 ways.
>>
>> May I ask you about my results interpretation?
>>
>> -------------
>> Result for [DOMAIN]: FAILURE
>> Attributes found only in ldap://ad41.dc.samges.ru:
>>      msDS-NcType
>>      serverState
>> Result for [CONFIGURATION]: FAILURE
>> Attributes found only in ldap://ad41.dc.samges.ru:
>>      msDS-NcType
>>      subRefs
>>
>> Result for [SCHEMA]: FAILURE
>> Attributes found only in ldap://ad41.dc.samges.ru:
>>      msDS-NcType
>> ---------------
>>
>> What is this attributes means, why they could not replicate?
>> And how to fix this case?
>> "samba drs showrepl" show all is ok.
>>
>> -----------
>> * Comparing [DNSDOMAIN] context...
>> Failed search of base=DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
>> ------------
>>
>> Why it can happen?
>>
>>
>> --
>> Mike Lykov, system administrator
>
>
>

More information about the samba mailing list