[Samba] GPO on a DC
dmulder at samba.org
Tue Jun 21 14:38:57 UTC 2022
On 6/21/22 8:25 AM, samba-ml-en via samba wrote:
> Hello David,
>> Does 'CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu' exist?
> Of course, the problem happens only at boot time and after 90mn + some random time <30mn, because I set "apply group policies = true". also "systemctl restart samba-ad-dc" will output the same result (meaning there is not dependency on something that's not started, but rather a problem with samba itself)
> Logged via ssh "samba-gpupdate --force" will always work.
> In my original description I provide both examples. Now I could cron this but obviously this not the way things are meant to happen. GPOs set for windows clients and other winbind clients work flawlessly.
Have you tried running the job using oddjob-gpupdate
(https://github.com/openSUSE/oddjob-gpupdate)? You could set this up as
a work around. This would be a more appropriate method for your ADDC
anyhow, so that winbind isn't required.
So, your failure is happening in libgpo/pygpo.c:py_ads_get_gpo_list
Could you do an ldap search for the 'userAccountControl' attribute on
that ADDC machine object?
It's very strange that you're seeing different behavior with a forced
apply :-/ I'll try reproducing the issue and see if I can track down the
Labs Software Engineer, Samba
1221 Valley Grove Way
Pleasant Grove, UT 84062
dmulder at suse.com
More information about the samba