[Samba] strange gpo behaviour

Sérgio Basto sergio at serjux.com
Wed Apr 17 17:29:19 UTC 2019

On Tue, 2019-04-16 at 15:00 -0700, Ray Klassen via samba wrote:
> -- 3 Samba 4.10.2 DCs, binaries compiled from tarballs on Debian stretch
> -- 2 DCs are on the same (main office) LAN, one is at another location,
>    VPN'ed to the main office
> -- randomly, Windows 10 PCs will not be able to complete a gpupdate
>    (repeated tries), with no consistency as to solutions. Sometimes the
>    PCs can't connect to the \\dc\sysvol\local.somedomain.com
> -- we've tried (and thought we had it)
> 	-- samba-tool ntacl sysvolreset
> 	-- synchronizing time (again) between servers, and between servers
> 	   and PCs
> 	-- rebooting PCs
> Sometimes any of these measures seems to suddenly work and then not.
> Any pointers?

(copy and paste from another email)
My experience was:

1. MIT krb doesn't support it; we need to use the old krb system.
2. We need to disable SELinux; SELinux permissive is not enough to allow
writing to the shared sysvol folder. It causes crashes on Windows.
3. When we have 2 or more DC(s), we need to force client tools like RSAT
to write only to the first DC, because "Samba in its current state doesn't
support SysVol replication" [1]. If RSAT writes randomly to the DC(s), we may
have errors like: samba-tool ntacl sysvolreset, - open: error=2 (No
such file or directory) [2]
4. With an efficient replication and writing POL(s) just to the first DC,
it seems to work well.

Best Regards,

[2] https://lists.samba.org/archive/samba/2018-September/218137.html

> Ray
Sérgio M. B.
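
The point above about SysVol not being replicated between DCs can be checked by comparing each DC's copy of the tree. The following is an added example, not part of the original message or of Samba: it assumes both SysVol trees are readable as local directories (the function names, the sample GUID and the sample files are constructed for illustration) and reports files missing on one side, differing content, and mismatched GPT.INI version numbers.

```python
import hashlib
import os
import re
import tempfile

VERSION_RE = re.compile(rb"^\s*Version\s*=\s*(\d+)", re.I | re.M)
GUID = "{11111111-2222-3333-4444-555555555555}"  # constructed sample GPO GUID

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

def walk(root):
    """Yield (lower-cased relative path, full path); Windows clients ignore case."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/").lower(), full

def snapshot(root):
    """Map relative path -> SHA-256 of the file content."""
    return {rel: hashlib.sha256(read(full)).hexdigest() for rel, full in walk(root)}

def gpt_versions(root):
    """Map GPO directory name -> Version value from its GPT.INI (None if absent)."""
    out = {}
    for rel, full in walk(root):
        if rel.endswith("/gpt.ini"):
            m = VERSION_RE.search(read(full))
            out[rel.split("/")[-2]] = int(m.group(1)) if m else None
    return out

def compare(root_a, root_b):
    a, b = snapshot(root_a), snapshot(root_b)
    va, vb = gpt_versions(root_a), gpt_versions(root_b)
    return {"only_on_a": sorted(set(a) - set(b)),
            "only_on_b": sorted(set(b) - set(a)),
            "content_differs": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
            "version_mismatch": {g: (va.get(g), vb.get(g))
                                 for g in sorted(set(va) | set(vb)) if va.get(g) != vb.get(g)}}

def demo():
    """Build two constructed SysVol copies that have drifted apart and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        dc1, dc2 = os.path.join(tmp, "dc1"), os.path.join(tmp, "dc2")
        for root, ini, ver in ((dc1, "GPT.INI", 3), (dc2, "gpt.ini", 2)):
            os.makedirs(os.path.join(root, "Policies", GUID, "Machine"))
            with open(os.path.join(root, "Policies", GUID, ini), "wb") as fh:
                fh.write(b"[General]\r\nVersion=%d\r\n" % ver)
        with open(os.path.join(dc1, "Policies", GUID, "Machine", "Registry.pol"), "wb") as fh:
            fh.write(b"PReg\x01\x00\x00\x00")  # constructed sample policy file
        return compare(dc1, dc2)
```

An empty report on every key means the two copies agree; anything else indicates a policy was written on one DC and not carried over to the other.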
