[Samba] GPO on a DC

David Mulder dmulder at samba.org
Tue Jun 21 14:38:57 UTC 2022

On 6/21/22 8:25 AM, samba-ml-en via samba wrote:
> Hello David,
>> Does 'CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu' exist?
> Of course, the problem happens only at boot time and after 90mn + some random time <30mn, because I set "apply group policies = true". Also, "systemctl restart samba-ad-dc" will output the same result (meaning there is no dependency on something that's not started, but rather a problem with samba itself).
> Logged via ssh "samba-gpupdate --force" will always work.
> In my original description I provide both examples. Now I could cron this, but obviously this is not the way things are meant to happen. GPOs set for Windows clients and other winbind clients work flawlessly.

Have you tried running the job using oddjob-gpupdate 
(https://github.com/openSUSE/oddjob-gpupdate)? You could set this up as 
a workaround. This would be a more appropriate method for your ADDC 
anyhow, so that winbind isn't required.

So, your failure is happening in libgpo/pygpo.c:py_ads_get_gpo_list.
Could you do an LDAP search for the 'userAccountControl' attribute on 
that ADDC machine object?

It's very strange that you're seeing different behavior with a forced 
apply :-/ I'll try reproducing the issue and see if I can track down the 

*David Mulder*
Labs Software Engineer, Samba
1221 Valley Grove Way
Pleasant Grove, UT 84062

dmulder at suse.com
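
The lookup requested above, as an added example that is not part of the original message or of Samba's code: a base-scope search for `userAccountControl` on the DC's machine object, with helpers that pull the value out of the LDIF and decode its flag bits. The `sam.ldb` path, the function names and the sample value 532480 are assumptions constructed for illustration; the thread does not show the real value.

```shell
#!/bin/sh
# Query to run on the DC (sam.ldb location is an assumption; it varies by distro):
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base \
#     -b 'CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu' \
#     userAccountControl

# Constructed sample of what such a search returns (value is NOT from the thread).
SAMPLE_LDIF='dn: CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu
userAccountControl: 532480
'

# Read LDIF on stdin, print the first userAccountControl value.
uac_from_ldif() {
    awk -F': *' 'tolower($1) == "useraccountcontrol" { print $2; exit }'
}

# Print the names of the flag bits set in the given integer.
uac_decode() {
    uac=$1; out=""
    case $uac in ''|*[!0-9]*) echo "not a number"; return 2 ;; esac
    for pair in \
        0x2:ACCOUNTDISABLE 0x200:NORMAL_ACCOUNT \
        0x800:INTERDOMAIN_TRUST_ACCOUNT 0x1000:WORKSTATION_TRUST_ACCOUNT \
        0x2000:SERVER_TRUST_ACCOUNT 0x10000:DONT_EXPIRE_PASSWORD \
        0x80000:TRUSTED_FOR_DELEGATION 0x4000000:PARTIAL_SECRETS_ACCOUNT
    do
        bit=${pair%%:*}; name=${pair#*:}
        if [ $(( $uac & $bit )) -ne 0 ]; then out="${out:+$out }$name"; fi
    done
    printf '%s\n' "$out"
}

# Return 0 only when the account is enabled and carries SERVER_TRUST_ACCOUNT.
uac_check_dc() {
    uac=$1
    case $uac in ''|*[!0-9]*) echo "not a number"; return 2 ;; esac
    [ $(( $uac & 0x2 )) -eq 0 ] || { echo "account disabled"; return 1; }
    [ $(( $uac & 0x2000 )) -ne 0 ] || { echo "no SERVER_TRUST_ACCOUNT bit"; return 1; }
    echo "enabled DC account"
}

# Demo on the constructed sample.
value=$(printf '%s' "$SAMPLE_LDIF" | uac_from_ldif)
echo "userAccountControl=$value: $(uac_decode "$value")"
uac_check_dc "$value"
```

To use it on real output, pipe the `ldbsearch` command from the header comment into `uac_from_ldif` and pass the result to `uac_decode` or `uac_check_dc`.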
