[Samba] GPO on a DC
David Mulder
dmulder at samba.org
Tue Jun 21 14:38:57 UTC 2022
On 6/21/22 8:25 AM, samba-ml-en via samba wrote:
> Hello David,
>
>> Does 'CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu' exist?
>
> Of course, the problem happens only at boot time and after 90mn + some random time <30mn, because I set "apply group policies = true". also "systemctl restart samba-ad-dc" will output the same result (meaning there is not dependency on something that's not started, but rather a problem with samba itself)
>
> Logged via ssh "samba-gpupdate --force" will always work.
>
> In my original description I provide both examples. Now I could cron this but obviously this not the way things are meant to happen. GPOs set for windows clients and other winbind clients work flawlessly.
>
>
>
Have you tried running the job using oddjob-gpupdate
(https://github.com/openSUSE/oddjob-gpupdate)? You could set this up as
a work around. This would be a more appropriate method for your ADDC
anyhow, so that winbind isn't required.
So, your failure is happening in libgpo/pygpo.c:py_ads_get_gpo_list
Could you do an ldap search for the 'userAccountControl' attribute on
that ADDC machine object?
It's very strange that you're seeing different behavior with a forced
apply :-/ I'll try reproducing the issue and see if I can track down the
cause.
--
*David Mulder*
Labs Software Engineer, Samba
SUSE
1221 Valley Grove Way
Pleasant Grove, UT 84062
dmulder at suse.com
http://www.suse.com
More information about the samba
mailing list