samba - Apr 2016 - Samba as AD-Controller: unable to update policies and call start scripts

Zitat von Sébastien Le Ray <sebastien-samba at orniz.org>:
>> The very strange thing is, that gpupdate tries to copy somethings  
>> from \\cch.intra\sysvol and not from \\dc1\sysvol...
>> There a no server with name cch.intra, this is just the Realm...
>
> Thats expected. your.realm should resolve to all your DC in a  
> round-robin fashion.
OK, I didn't know that... Thansk!
> Please paste the output of dig cch.intra (or nslookup on a windows box)
 From the DC (Ubuntu 14.04):

root at dc1:~# dig cch.intra

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> cch.intra
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47849
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cch.intra.                     IN      A

;; ANSWER SECTION:
cch.intra.              900     IN      A       192.168.50.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 08 09:36:39 CEST 2016
;; MSG SIZE  rcvd: 43

from a Windows PC:

nslookup cch.intra
Server:  dc1.cch.intra
Address:  192.168.50.2

Name:    cch.intra
Address:  192.168.50.2

Of course, the IP of the AD-Controller is 192.168.50.2...

Thanks
Luca Bertoncello
(lucabert at lucabert.de)

Did you try a samba-tool ntacl sysvolreset on the DC? (actually… that 
almost never fixed anything in my case but why not)

You can also dig in the Windows events log which could give you a more 
detailed error

Regards

Le 08/04/2016 09:38, Luca Bertoncello a écrit :
> Zitat von Sébastien Le Ray <sebastien-samba at orniz.org>:
>
>>> The very strange thing is, that gpupdate tries to copy somethings 
>>> from \\cch.intra\sysvol and not from \\dc1\sysvol...
>>> There a no server with name cch.intra, this is just the Realm...
>>
>> Thats expected. your.realm should resolve to all your DC in a 
>> round-robin fashion.
>
> OK, I didn't know that... Thansk!
>
>> Please paste the output of dig cch.intra (or nslookup on a windows box)
>
> From the DC (Ubuntu 14.04):
>
> root at dc1:~# dig cch.intra
>
> ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> cch.intra
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47849
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, 
> ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;cch.intra.                     IN      A
>
> ;; ANSWER SECTION:
> cch.intra.              900     IN      A       192.168.50.2
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Apr 08 09:36:39 CEST 2016
> ;; MSG SIZE  rcvd: 43
>
> from a Windows PC:
>
> nslookup cch.intra
> Server:  dc1.cch.intra
> Address:  192.168.50.2
>
> Name:    cch.intra
> Address:  192.168.50.2
>
> Of course, the IP of the AD-Controller is 192.168.50.2...
>
> Thanks
> Luca Bertoncello
> (lucabert at lucabert.de)
>
>

Zitat von Sébastien Le Ray <sebastien-samba at orniz.org>:
> Did you try a samba-tool ntacl sysvolreset on the DC? (actually…  
> that almost never fixed anything in my case but why not)
Unfortunately it did not help...
> You can also dig in the Windows events log which could give you a  
> more detailed error
I see that:

Der Computer konnte eine sichere Sitzung mit einem Domänencontroller  
in der Domäne CCH aufgrund der folgenden Ursache nicht einrichten:
Es sind momentan keine Anmeldeserver zum Verarbeiten der  
Anmeldeanforderung verfügbar.
Dies kann zu Authentifizierungsproblemen führen. Stellen Sie sicher,  
dass der Computer mit dem Netzwerk verbunden ist.
Wenden Sie sich an den Domänenadministrator, wenn das Problem  
weiterhin besteht.

ZUSÄTZLICHE INFORMATIONEN
Wenn dieser Computer ein Domänencontroller der bestimmten Domäne ist,  
wird eine sichere Sitzung zum primären Domänencontrolleremulator
in der bestimmten Domäne eingerichtet. Andernfalls richtet dieser  
Computer eine sichere Sitzung zu einem beliebigen Domänencontroller in  
der bestimmten Domäne ein.

The sentence "Es sind momentan keine Anmeldeserver zum Verarbeiten der  
Anmeldeanforderung verfügbar." (there are no logon server available  
now" seems to be the problem...
But how can I solve it?

Thanks
Luca Bertoncello
(lucabert at lucabert.de)

Zitat von Sébastien Le Ray <sebastien-samba at orniz.org>:
> Did you try a samba-tool ntacl sysvolreset on the DC? (actually…  
> that almost never fixed anything in my case but why not)
I just tried to run "samba_dnsupdate --verbose --all-names" on the DC
and I got many "Failed nsupdate: 2" and at the end "Failed update
of
21 entries".
Attached is the full result.

Maybe is THIS my problem?

Thanks
Luca Bertoncello
(lucabert at lucabert.de)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dns.lst
URL:
<http://lists.samba.org/pipermail/samba/attachments/20160408/e20e28ae/dns.ksh>