[Samba] group policy update fails

John Farmer jfarmer at industrialinfo.com
Fri Nov 18 17:30:47 UTC 2016 

Got a lot of

"    Attributes found only in ldap://dc1.ad.poopybutthole.com:
         cn
     Attributes found only in ldap://dc2.ad.poopybutthole.com.:
         CN
     FAILED"

[33mNo debconf-set-selections tool found, running apt-get update and 
install debconf , please wait..[0;10m
[37m[1mRunning with with console output[0;10m
[37m[1mRunning : /usr/bin/samba-tool ldapcmp --filter='whenChanged' 
ldap://dc1.ad.poopybutthole.com ldap://mode.[0;10m
[37m[1mPlease wait.. this can take a while..[0;10m
Failed to connect to ldap URL 'ldap://mode.' - LDAP client internal 
error: NT_STATUS_OBJECT_NAME_NOT_FOUND
Failed to connect to 'ldap://mode.' with backend 'ldap': (null)
ERROR(ldb): uncaught exception - None
   File 
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 
176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ldapcmp.py", 
line 968, in run
     outf=self.outf, errf=self.errf)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ldapcmp.py", 
line 64, in __init__
     options=ldb_options)
   File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 
115, in __init__
     self.connect(url, flags, options)
                             [32m[0;10m
[37m[1mRunning : /usr/bin/samba-tool ldapcmp --filter='whenChanged' 
ldap://dc1.ad.poopybutthole.com ldap://dc2.ad.poopybutthole.com.[0;10m
[37m[1mPlease wait.. this can take a while..[0;10m
ERROR: Compare failed: -1
[33m
* Comparing [DOMAIN] context...

* Objects to be compared: 1111

Comparing:
'CN=0b7fb422-3609-4587-8c2e-94b10f67d1bf,CN=Operations,CN=DomainUpdates,CN=System,DC=ad,DC=poopybutthole,DC=com' 
[ldap://dc1.ad.poopybutthole.com]
'CN=0b7fb422-3609-4587-8c2e-94b10f67d1bf,CN=Operations,CN=DomainUpdates,CN=System,DC=ad,DC=poopybutthole,DC=com' 
[ldap://dc2.ad.poopybutthole.com.]
     Attributes found only in ldap://dc1.ad.poopybutthole.com:
         cn
     Attributes found only in ldap://dc2.ad.poopybutthole.com.:
         CN
     FAILED


Comparing:
'DC=4257423d-4a8c-4ed5-a859-4c763dcfc842,DC=_msdcs.ad.poopybutthole.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ad,DC=poopybutthole,DC=com' 
[ldap://dc1.ad.poopybutthole.com]
'DC=4257423d-4a8c-4ed5-a859-4c763dcfc842,DC=_msdcs.ad.poopybutthole.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ad,DC=poopybutthole,DC=com' 
[ldap://dc2.ad.poopybutthole.com.]
     Attributes found only in ldap://dc1.ad.poopybutthole.com:
         dc
     Attributes found only in ldap://dc2.ad.poopybutthole.com.:
         DC
     FAILED
...skipping...
* Result for [DNSFOREST]: FAILURE

SUMMARY
---------

Attributes found only in ldap://dc1.ad.poopybutthole.com:

     ou
     cn
     dc
     CN

Attributes found only in ldap://dc2.ad.poopybutthole.com.:

     DC
     OU
     serverReferenceBL
     CN
     cn

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1719

Comparing:
'CN=002fb291-0d00-4b0c-8c00-fe7f50ce6f8d,CN=Operations,CN=ForestUpdates,CN=Configuration,DC=ad,DC=poopybutthole,DC=com' 
[ldap://dc1.ad.poopybutthole.com]
'CN=002fb291-0d00-4b0c-8c00-fe7f50ce6f8d,CN=Operations,CN=ForestUpdates,CN=Configuration,DC=ad,DC=poopybutthole,DC=com' 
[ldap://dc2.ad.poopybutthole.com.]
     Attributes found only in ldap://dc1.ad.poopybutthole.com:
         cn
     Attributes found only in ldap://dc2.ad.poopybutthole.com.:
         CN
     FAILED





* Result for [DOMAIN]: FAILURE




At 02:04 AM 11/18/2016, L.P.H. van Belle via samba wrote:
>This looks all good.
>
>Can you check you database replication with my script.
>http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh
>It does some basic checked to detect the AD DC's.
>And it compaires the ad db database in 2 ways.
>
>And can you try it again but unselect the IPV6 in the computer its 
>network settings.
>
>Greetz,
>
>Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens John Farmer via
> > samba
> > Verzonden: donderdag 17 november 2016 23:01
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] group policy update fails
> >
> > We can login just fine but Group Policy Update is throwing an error
> >
> > gpupdate
> > Updating Policy...
> >
> > User policy could not be updated successfully. The following errors
> > were encount
> > ered:
> >
> > The processing of Group Policy failed. Windows could not determine if
> > the user a
> > nd computer accounts are in the same forest. Ensure the user domain
> > name matches
> >   the name of a trusted domain that resides in the same forest as the
> > computer ac
> > count.
> > Computer Policy update has completed successfully.
> >
> > Windows Event Viewer Log shows:
> >
> > EventID      1110
> > ErrorCode 1311
> > ErrorDescription There are currently no logon servers available to
> > service the logon request.
> >
> >
> > Ive tried "samba-tool ntacl sysvolreset"
> >
> >
> >
> > gpresult /r
> > INFO: The user does not have RSOP data.
> >
> >
> >
> >
> > ipconfig /all
> >
> > Windows IP Configuration
> >
> >     Host Name . . . . . . . . . . . . : guymcfearsome
> >     Primary Dns Suffix  . . . . . . . : ad.poopybutthole.com
> >     Node Type . . . . . . . . . . . . : Hybrid
> >     IP Routing Enabled. . . . . . . . : No
> >     WINS Proxy Enabled. . . . . . . . : No
> >     DNS Suffix Search List. . . . . . : poopybutthole.com
> >
> > Ethernet adapter Local Area Connection:
> >
> >     Connection-specific DNS Suffix  . :
> >     Description . . . . . . . . . . . : Qualcomm Atheros AR8161/8165
> > PCI-E Gigabi
> > t Ethernet Controller (NDIS 6.20)
> >     Physical Address. . . . . . . . . : 94-DE-80-2F-D5-A2
> >     DHCP Enabled. . . . . . . . . . . : No
> >     Autoconfiguration Enabled . . . . : Yes
> >     Link-local IPv6 Address . . . . . :
> > fe80::f94d:55d6:8406:f24%11(Preferred)
> >     IPv4 Address. . . . . . . . . . . : 10.243.0.47(Preferred)
> >     Subnet Mask . . . . . . . . . . . : 255.255.0.0
> >     Default Gateway . . . . . . . . . : 10.243.0.4
> >     DHCPv6 IAID . . . . . . . . . . . : 244637312
> >     DHCPv6 Client DUID. . . . . . . . :
> > 00-01-00-01-19-30-AE-C5-94-DE-80-2F-D5-A2
> >
> >     DNS Servers . . . . . . . . . . . : 10.243.0.90
> >                                                 10.243.0.91
> >     Primary WINS Server . . . . . . . : 10.243.0.103
> >     NetBIOS over Tcpip. . . . . . . . : Enabled
> >
> >
> >
> > cat /etc/resolve.conf
> >
> > search ad.poopybutthole.com poopybutthole.com
> > nameserver 10.243.0.91
> > nameserver 10.243.0.90
> >
> >
> > Can telnet to 53 on dns server also can get to port 389 and 636 on the DC
> >
> >
> >
> > [root at dc1 samba]# cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >          workgroup = AD
> >          realm = AD.poopybutthole.COM
> >          netbios name = DC1
> >          interfaces = 10.243.0.90/16
> >          bind interfaces only = Yes
> >          server role = active directory domain controller
> >          idmap_ldb:use rfc2307 = yes
> >          time server = yes
> >          server services = -dns
> > [netlogon]
> >          path = /var/lib/samba/sysvol/ad.poopybutthole.com/scripts
> >          read only = No
> >
> > [sysvol]
> >          path = /var/lib/samba/sysvol
> >          read only = No
> >
> >
> >
> > I can also get to the sysvol shares and netlogon shares just fine.
> >
> > [root at dc1 samba]# cat /etc/krb5.conf
> > [logging]
> >   default = FILE:/var/log/krb5libs.log
> >   kdc = FILE:/var/log/krb5kdc.log
> >   admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >   dns_lookup_realm = false
> >   ticket_lifetime = 24h
> >   renew_lifetime = 7d
> >   forwardable = true
> >   rdns = false
> > # default_realm = EXAMPLE.COM
> >   default_ccache_name = KEYRING:persistent:%{uid}
> >
> > [realms]
> > # EXAMPLE.COM = {
> > #  kdc = kerberos.example.com
> > #  admin_server = kerberos.example.com
> > # }
> >
> > [domain_realm]
> > # .example.com = EXAMPLE.COM
> > # example.com = EXAMPLE.COM
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba




John Farmer
Systems Manager
www.industrialinfo.com
P.  (713) 980 3459
F.  (713) 735 8080


The information contained in this e-mail message is legally 
privileged and may include proprietary and confidential 
information.  This message is intended for the recipient(s) only.  If 
an error has misdirected this email, please notify the author by 
replying to this email and then delete it from your system 
immediately. If you are not the intended recipient then disclosure, 
distribution, copying or printing of this email is strictly 
prohibited. Information or opinions in this message that do not 
relate to the business of Industrial Information Resources shall be 
treated as neither given nor endorsed by it. No liability will be 
accepted by Industrial Information Resources for any defamatory 
statement or infringement of copyright which is contrary to our 
employment policies and outside the scope of the employment of the 
author. Neither Industrial Information Resources nor the author 
accepts any responsibility for viruses or other destructive elements 
and it is the recipients' responsibility to scan any 
attachments.Please note we intercept and monitor incoming/outgoing 
e-mail and therefore you should neither expect nor intend any e-mail 
to be private in nature.

More information about the samba mailing list