[Samba] Failure gpupdate

L.P.H. van Belle belle at bazuin.nl
Wed Oct 5 13:16:58 UTC 2016 

Hai, 

After latest ms security fixes, user group policies are retrieved by using the computer’s security context. 
now read :  
https://bugzilla.samba.org/show_bug.cgi?id=11997 
and due to that you have a problem. You can work around it. 

Try the following. 
[sysvol]
        path = /path_to/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

Now restart samba, and do the sysvol reset. 

If you have multiple DC's, i suggest you sync sysvol and the idmap.tdb also. 
* idmap.tdb, samba must be stopped to copy it, only needed once per new DC. 

And do read the link below, explains a lot.

Link: 
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/



Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ricardo Pardim
> Claus via samba
> Verzonden: woensdag 5 oktober 2016 14:05
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Failure gpupdate
> 
> Colleagues,
> 
> I come to seek help to solve this problem. I use Samba 4.4.5.
> I'm getting errors when running gpupdate / force on local desktops.
> I get the following error:
> 
> User policy could not be updated successfully. The following errors were
> encountered:
> 
> 
> The processing of Group Policy failed. Windows could not apply the
> registry-based policy settings for the Group Policy object
> LDAP://CN=User,CN={31B2F340-016D-11D2-945F-
> 00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local. Group Policy
> settings will not be resolved until this event is resolved. View the event
> details for more information on the file name and path that caused the
> failure.
> The following warnings were encountered during user policy processing:
> 
> Windows failed to apply the Scripts settings. Scripts settings might have
> its own log file. Please click on the "More information" link.
> Computer policy could not be updated successfully. The following errors
> were encountered:
> 
> The processing of Group Policy failed. Windows could not apply the
> registry-based policy settings for the Group Policy object
> LDAP://CN=Machine,CN={31B2F340-016D-11D2-945F-
> 00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local. Group Policy
> settings will not be resolved until this event is resolved. View the event
> details for more information on the file name and path that caused the
> failure.
> 
> In the Samba log I see this error:
> 
> Oct  5 08:32:53 srv14 smbd_audit:
> DOMAIN\VMWIN10_|172.16.16.158|sysvol|3000019|stat|fail (File or directory
> not found)|domain.local/Policies/{0F5704BA-11D0-4D46-A138-
> 34A085A4E44D}/gpt.ini
> Oct  5 08:32:54 srv14 smbd_audit:
> DOMAIN\iuser|172.16.16.158|sysvol|users|stat|fail (File or directory not
> found)|domain.local/Policies/{7E0FAD97-3DFB-4C01-B35F-
> 5EB3FD63E371}/gpt.ini
> 
> 
> I checked the directory and confirmed that the file exists.
> 
> 
> Already I tried to reset the Sysvol, but I get this error:
> 
> # samba-tool ntacl sysvolreset -d3
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> lp_load_ex: refreshing parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [full_audit]
> Module 'full_audit' loaded
> 
> Segmentation fault (core of the recorded image)
> 
> Could someone help me?
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list