[Samba] strange gpo behaviour
sergio at serjux.com
Wed Apr 17 17:29:19 UTC 2019
On Tue, 2019-04-16 at 15:00 -0700, Ray Klassen via samba wrote:
> -- 3 samba 4.10.2 DC's, binaries compiled from tarballs on Debian
> -- 2 DC's are on the same (main office) LAN, one is at another
> vpn'ed to the main office
> -- randomly windows 10 pc's will not be able to complete a gpupdate
> (repeated tries) with no consistency as to solutions. Sometimes they
> can't connect to the \\dc\sysvol\local.somedomain.com
> -- we've tried (and thought we had it)
> -- samba-tool ntacl sysvolreset
> -- synchronizing time (again) between servers, and between
> servers and pc's
> -- rebooting pc's
> sometimes any of these measures seem to suddenly work and then not.
> any pointers?
(copy and paste from another email )
My experience was :
1. MIT krb doesn't support it, we need to use the old krb system.
2. We need to disable SELinux; SELinux permissive is not enough to allow
writing to the shared sysvol folder. It causes crashes on Windows.
3. When we have 2 or more DC(s) we need to force client tools like RSAT
to only write to the first DC because "Samba in its current state doesn't
support SysVol replication"; if RSAT writes randomly to DC(s) we may
have errors like: samba-tool ntacl sysvolreset, - open: error=2 (No
such file or directory)
4. With efficient replication and writing POL(s) just to the first DC,
it seems to work well.
Sérgio M. B.
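
A way to check for the SysVol drift between DCs discussed in this thread, as an added example that is not part of the original message or of Samba itself: it compares each GPO's GPT.INI `Version` and file hashes between two DCs' `Policies` directories. It assumes both trees are readable as local directories (for instance mounted or copied shares); the function names, the `dcA`/`dcB` paths and the sample GPO are constructed.

```python
import configparser
import hashlib
import tempfile
from pathlib import Path

def snapshot(policies):
    """Map GPO GUID -> (GPT.INI version, {relative path: sha256}) for one DC."""
    result = {}
    for gpo in (p for p in policies.iterdir() if p.is_dir()):
        files, version = {}, None
        for f in (p for p in gpo.rglob("*") if p.is_file()):
            rel = f.relative_to(gpo).as_posix().lower()  # SMB names are case-insensitive
            files[rel] = hashlib.sha256(f.read_bytes()).hexdigest()
            if rel == "gpt.ini":
                ini = configparser.ConfigParser(strict=False)
                ini.read_string(f.read_text(encoding="utf-8-sig", errors="replace"))
                version = ini.getint("General", "Version", fallback=None)
        result[gpo.name.upper()] = (version, files)
    return result

def compare(dc_a, dc_b):
    """List differences between two DCs' Policies directories (A vs B)."""
    a, b = snapshot(dc_a), snapshot(dc_b)
    problems = []
    for guid in sorted(a.keys() | b.keys()):
        if guid not in a or guid not in b:
            problems.append(f"{guid}: missing on {'A' if guid not in a else 'B'}")
            continue
        (va, fa), (vb, fb) = a[guid], b[guid]
        if va != vb:
            problems.append(f"{guid}: GPT.INI version {va} on A, {vb} on B")
        for rel in sorted((fa.keys() | fb.keys()) - {"gpt.ini"}):
            if fa.get(rel) != fb.get(rel):
                problems.append(f"{guid}: {rel} differs or is missing on one DC")
    return problems

def build_sample(root):
    """Constructed sample: DC A holds a policy edit that never reached DC B."""
    guid = "{11111111-2222-3333-4444-555555555555}"  # constructed GUID
    for dc, version, pol in (("dcA", 3, b"new"), ("dcB", 2, b"old")):
        machine = root / dc / "Policies" / guid / "Machine"
        machine.mkdir(parents=True)
        (machine.parent / "GPT.INI").write_text(f"[General]\nVersion={version}\n")
        (machine / "Registry.pol").write_bytes(pol)
    return root / "dcA" / "Policies", root / "dcB" / "Policies"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for line in compare(*build_sample(Path(tmp))):
            print(line)
```

An empty result from `compare` means the two copies agree; any line it returns names the GPO and the file that diverged.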