[Samba] Having a trust with Windows domain breaks GPOs in Samba domain

Tino Müller tmu at spreadshirt.net
Thu Jul 5 11:33:14 UTC 2018


Hi list,

this might be related to my other mail with the subject "Domain trust
and browsing users and groups problem".

We have a forest trust of two domains. One domain in US (us.root.prv)
running exclusively on Windows 2012 R2 and one in EU
(spreadshirt.private) running exclusively Sernet Samba 4.8.3-11. Both
domains run functional level "2008 R2". The trust validates successfully
using "samba-tool domain trust validate" and in "Domains and trusts".

Since establishing the trust, processing of group policies fails on all
Windows members in the Samba domain.

Running gpupdate /force produces this error:

C:\Users\tmu>gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy could not be updated successfully. The following errors were
encountered:

The processing of Group Policy failed. Windows could not determine if
the user and computer accounts are in the same forest. Ensure the user
domain name matches the name of a trusted domain that resides in the
same forest as the computer account.

To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from the command line to access information about Group
Policy results.


In the system event log this is logged:
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          7/5/2018 12:18:35 PM
Event ID:      1110
Task Category: None
Level:         Error
Keywords:
User:          SPREADSHIRT\tmu
Computer:      p223.spreadshirt.private
Description:
The processing of Group Policy failed. Windows could not determine if
the user and computer accounts are in the same forest. Ensure the user
domain name matches the name of a trusted domain that resides in the
same forest as the computer account.


Searching the internet for this error only points to a non-running
netlogon service on the Windows machine, which is the case here.
Removing the trust makes GPOs work again on all Windows clients.

My question is: Are trusts ready for production?

From my experience so far, they produce more trouble than gain.
Thank you for any insights.

Tino


