rme at bluemail.ch
2016-Apr-19 13:04 UTC
[Samba] Samba 4.2.11 Group Policy (GPO) sync error
Hi all,

Since I have upgraded to Samba 4.2.11 I got errors when updating group policy objects (GPO) on my clients (all Windows 7 Professional).

When running "gpupdate" from the command line on Windows 7 Pro Domain-Joined clients it states not to be able to resolve the domain controller. According to what I see from the logs it looks like it's related to resolving accounts.

I am running Samba 4.2.11 as an AD DC with BIND_DLZ DNS backend on Gentoo. For now I have reverted all installations to Samba 4.2.9 where GPO updates seem to work fine again.

Does anybody experience the same issues with Samba 4.2.11?

--
Rainer
Hi,

You said your client can't resolve the domain controllers any more. Did you make tests using "dig" or "nslookup" to be sure there is an issue with your DNS system?

If you did and if there is really a DNS issue, I would start checking rights on keytab(s) used by your Bind(s).

Checking logs would be a good option too. Bind and Samba logs.

2016-04-19 15:04 GMT+02:00 <rme at bluemail.ch>:
> Hi all,
>
> Since I have upgraded to Samba 4.2.11 I got errors when updating group
> policy objects (GPO) on my clients (all Windows 7 Professional).
>
> When running "gpupdate" from the command line on Windows 7 Pro
> Domain-Joined clients it states not to be able to resolve the domain
> controller. According to what I see from the logs it looks like it's
> related to resolving accounts.
>
> I am running Samba 4.2.11 as an AD DC with BIND_DLZ DNS backend on Gentoo.
> For now I have reverted all installations to Samba 4.2.9 where GPO updates
> seem to work fine again.
>
> Does anybody experience the same issues with Samba 4.2.11?
>
> --
> Rainer
rme at bluemail.ch
2016-Apr-20 16:35 UTC
[Samba] Samba 4.2.11 Group Policy (GPO) sync error
Hello,

Thanks for your reply!

On 20.04.2016 12:40, mathias dufresne wrote:
> You said your client can't resolve the domain controllers any more. Did you make
> tests using "dig" or "nslookup" to be sure there is an issue with your DNS system?

Name lookups on AD domain look alright. DNS tests are successful. I think it's not about name resolution of DNS but rather about resolving user IDs to user names.

The exact message displayed by gpupdate is:

---
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
---

In addition the system event log contains event ID 1055 from source "GroupPolicy (Microsoft-Windows-GroupPolicy)" with OpCode 1 and contains the following details:

---
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
---

> Checking logs would be a good option too. Bind and Samba logs.

No errors actually logged to the BIND log file. Moreover BIND is not upgraded or affected at all.

In Samba logs I see the same error repeated many times during the update:

[2016/04/20 18:29:02.510222, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED

Any ideas what to check? This happens on all my Samba 4.2.11 installations. When downgrading to Samba 4.2.9 the issue disappears completely (without any change in configuration or TDB files).

best regards,
Rainer