[Samba] GPO error after activating domain trust

alessandro at aleboscolo.it
Wed Apr 3 16:22:35 UTC 2019

Hello everyone,
this is my first post, so please be kind :)

I have a working Samba AD DC 4.7.6 installed on Ubuntu 18.04.
I can join Windows machines and manage everything with RSAT.

Yesterday I tried to establish a Domain Trust between my Samba Domain and a Windows 2008 domain, using "Active Directory Domains and Trusts".
The Win2008 AD is one-way on the outgoing trust, and my Samba is one-way on the incoming side, both as "External" trust.

After the wizard, everything works as intended, Samba users can access shares on Win2008 domain.

The problem is that after this procedure, I can't get my User GPO working. If I try a gpupdate /force on any of my Windows machines joined to the Samba AD DC, I get this message:

"C:\Users\Administrator.MYDOM>gpupdate /force
Updating Policy...
User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
Computer Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."

As soon as I remove the trust, GPO starts working again.

Does anyone have any experience with that?

Here is my AD DC smb.conf:
[global]
        dns forwarder =
        netbios name = DC1
        realm = MY.MYDOM.DOM
        server role = active directory domain controller
        workgroup = MYDOM
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no

[netlogon]
        path = /var/lib/samba/sysvol/ad.orange1.eu/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Thanks for your interest :)

