[Samba] SysVol replication on Windows seen as "in progress"

Stefan Bellon bellon at axivion.com
Tue Apr 20 10:20:06 UTC 2021


Hi all,

I have postponed finding out what's wrong with the SysVol permissions
here and just run "samba-tool ntacl sysvolreset" after making a change.

However, I now noticed that when entering "Group Policy Management",
then navigating to the domain in question and clicking on "Detect Now"
on the Status tab, something seems to be wrong.

First of all, that page looks like this:

--------------------------------------------------------------------------
Status

This page shows the status of Active Directory and SYSVOL (FRS)
replication for this domain as it relates to Group Policy.

Status Details

dc1.xxx.com is the baseline domain controller for this domain.

2 Domain controller(s) with replication in progress

Name (FQDN)                  Active Directory              SysVol
old-dc.xxx.com                                             Inaccessible
dc2.xxx.com                                                Inaccessible

0 Domain controller(s) with replication in sync

Name (FQDN)                  Site Name                     IP Address
--------------------------------------------------------------------------

Also, when clicking on "Detect Now" on that page, I get the following
log entries in the log.smbd logfile of the Samba DCs:

[2021/04/20 12:05:37.102238,  0] ../../source3/rpc_server/rpc_server.c:1086(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec:
  NT_STATUS_INVALID_SERVER_STATE

This is with Samba 4.13.5+dfsg-1 on Debian bullseye.

On the Samba side, I have set up things as outlined on
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
with dc1 being the master and old-dc and dc2 doing an rsync replication.

# samba-tool ntacl sysvolcheck

does not show any issues on any of the three DCs and rsync does not show
any errors and SysVol is the same on all three DCs.

Also, I can access from Windows File Explorer \\dc1\sysvol and
\\dc2\sysvol and \\dc-old\sysvol just fine and the GPOs are
readable.

Why does Windows think they are not in sync and a replication is
"in progress"? Where does Windows get this information from?

Greetings,
Stefan

-- 
Stefan Bellon


