Thank you David, userAccountControl=532480 is the value (SERVER_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION) As of oddjob-gpupdate I prefer to use winbind if possible, it is more complex but has better flexibility than SSSD. Eric> Have you tried running the job using oddjob-gpupdate > (https://github.com/openSUSE/oddjob-gpupdate)? You could set this up as > a work around. This would be a more appropriate method for your ADDC > anyhow, so that winbind isn't required. > > So, your failure is happening in libgpo/pygpo.c:py_ads_get_gpo_list > Could you do an ldap search for the 'userAccountControl' attribute on > that ADDC machine object?
On 6/21/22 9:23 AM, samba-ml-en via samba wrote:> userAccountControl=532480 is the value (SERVER_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION) > > As of oddjob-gpupdate I prefer to use winbind if possible, it is more complex but has better flexibility than SSSD. >oddjob-gpupdate isn't just for SSSD. You can use it in combination with Winbind also. In fact, you have to use oddjob-gpupdate in order to utilize user policies (at least for the moment, I will add this to winbind at some point). -- *David Mulder* Labs Software Engineer, Samba SUSE 1221 Valley Grove Way Pleasant Grove, UT 84062 dmulder at suse.com http://www.suse.com