Can you run on a failing computer:
- netdom verify yourpcname
- nslookup yourpcname

All ok? And is time in sync?

Did you install winbind after the update, and did you also change your server services line?
Like, I use bind9 DNS. My smb.conf contains only this:
server services = -dns

The full line is:
samba-tool testparm -vv | grep "server service"
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

The thing you have to look at is: winbindd
And not winbind.

And best is really to setup TLS/SSL
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
(missing on that site: add TLS_REQCERT allow to ldap.conf)

Or a simple setup with your own cert.
https://www.spinics.net/lists/samba/msg134098.html
It's Debian minded but translate it to your OS, most is the same.

Or make them manually
https://www.google.nl/search?q=setup+own+caroot#q=openssl+create+self+signed+certificate
pick one.

Now, for the other problem, after the above is done/checked.
You can clear your GPO history on the PC.
It's recreated when you reboot/login again, so no worries..

@echo off
REM Clear the cached Group Policy state and Kerberos tickets; all of it is rebuilt at the next reboot/logon.
REM On Vista and later the history directory is %ALLUSERSPROFILE%\Microsoft\Group Policy\History;
REM the "Application Data" path below is the older layout (reachable through the compatibility junction).
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
klist purge
gpupdate /force
exit

now reboot your PC, and check again.
Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of rme at bluemail.ch
> Sent: Wednesday 3 August 2016 15:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
>
> Hi Louis,
>
> Many many thanks for your very quick and comprehensive reply.
> I also found this thread here
> <https://lists.samba.org/archive/samba/2016-July/201471.html>
>
> Unfortunately none of the suggestions seem to entirely resolve the issue.
>
> As a first work-around I have inserted
> ldap server require strong auth = no
> to my smb.conf and re-started Samba.
>
> Unfortunately this didn't change anything. I am still getting the same errors
> from gpupdate.exe (with the same errors logged to the event log) claiming name
> resolution failure while the samba logs report:
>
> [2016/08/03 15:17:45.609250, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
>   gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> [2016/08/03 15:17:45.609387, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
>   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
>
> I am not fully sure about the MS changes though. My GPOs all list "Authenticated
> Users" in the "Security Filtering" section in the Scope tab. I am unsure where to
> insert the "Authenticated Users" group in the GPO with read permissions. Does it
> mean I should add "Authenticated Users" in the Delegation tab? If yes, then all
> my GPOs already have this entry in the Delegation tab:
> - Authenticated Users, Read (from Security Filtering)
>
> I also tried inserting Domain Computers with Read permissions into the Delegation
> tab. No change in the result though.
>
> I also tried to remove the "Authenticated Users" entry from Security Filtering
> with and without adding it to the Delegation tab, to no avail.
> It still complains about name resolution failure on the domain controller.
>
> I also added the admx templates successfully to sysvol but this did not fix the
> GPO processing issue (as expected).
>
> In addition, samba-tool ntacl sysvolcheck also returns the same error as
> indicated in the thread above:
>
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ad.cyberdyne.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> Though according to
> <https://lists.samba.org/archive/samba/2016-July/201448.html> this might be a
> samba-tool issue.
>
> Though I don't think it's related to the error as it looks like somehow it's not
> about permissions or issues on the sysvol share level but rather crypto/signature
> issues.
>
> Moreover I tried a bit more GPO debugging as instructed here:
> <https://lists.samba.org/archive/samba/2016-August/201762.html>
>
> Perhaps the following log line points out an error:
> GPSVC(3a8.b94) 15:07:34:198 ProcessGPOs(Machine): MyGetUserName failed with 5.
>
> The full log can be found here:
> <http://pastebin.com/vgbhx0cm>
>
> Many thanks again.
> Rainer
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
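The two SDDL strings in the sysvolcheck error quoted above are long enough that the actual difference is easy to miss by eye. The following added example (written for this page, not Samba code) parses both strings exactly as they appear in the quoted message, re-joined across the mail wrapping, and reports which fields differ. The alias table covers only the well-known SID abbreviations that occur in those two strings.

```python
"""Parse and diff two SDDL security descriptor strings, as printed by
`samba-tool ntacl sysvolcheck`. Added example for this thread, not Samba code."""
import re

# Well-known SID aliases that occur in the strings quoted in the thread.
SID_ALIAS = {
    "LA": "local Administrator account",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# Access masks seen in the quoted ACEs (file rights).
ACCESS_MASK = {0x001F01FF: "full control", 0x001200A9: "read and execute"}


def parse_ace(text):
    """'A;OICI;0x001f01ff;;;DA' -> dict (type, flags, rights, sid)."""
    fields = (text.split(";") + [""] * 6)[:6]
    ace_type, flags, rights, _obj, _inh_obj, sid = fields
    if rights.startswith("0x"):
        rights = int(rights, 16)
    return {"type": ace_type, "flags": flags, "rights": rights, "sid": sid}


def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into owner, group, DACL flags and ACE list.
    SID aliases and ACE bodies never contain ':', so the section markers
    can be located with a plain scan."""
    markers = [(m.start(), m.group(1)) for m in re.finditer(r"([OGDS]):", sddl)]
    sections = {}
    for i, (pos, key) in enumerate(markers):
        end = markers[i + 1][0] if i + 1 < len(markers) else len(sddl)
        sections[key] = sddl[pos + 2:end]
    dacl = sections.get("D", "")
    return {
        "owner": sections.get("O", ""),
        "group": sections.get("G", ""),
        "dacl_flags": dacl.split("(", 1)[0],
        "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", dacl)],
    }


def diff_sddl(actual, expected):
    """Return {field: (actual, expected)} for every field that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags", "aces") if a[k] != e[k]}


def describe(diffs):
    """Human-readable lines for a diff_sddl() result."""
    lines = []
    for field, (a, e) in diffs.items():
        if field in ("owner", "group"):
            lines.append("%s: %s (%s) but expected %s (%s)" % (
                field, a, SID_ALIAS.get(a, a), e, SID_ALIAS.get(e, e)))
        else:
            lines.append("%s differ: %r vs %r" % (field, a, e))
    return lines


# The two strings from the sysvolcheck error, re-joined from the wrapped
# lines in the message (the line breaks were mail wrapping, not content).
ACTUAL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

if __name__ == "__main__":
    for line in describe(diff_sddl(ACTUAL, EXPECTED)):
        print(line)
    for ace in parse_sddl(ACTUAL)["aces"]:
        print("  %-2s %-7s %s (%s)" % (ace["sid"], ace["flags"],
              ACCESS_MASK.get(ace["rights"], str(ace["rights"])),
              SID_ALIAS.get(ace["sid"], "?")))
```

Running it shows that the DACLs are identical and only the owner differs: the directory on disk is owned by the local Administrator account (LA) where the GPO object says Domain Admins (DA). That is an ownership mismatch on sysvol, not a signing or sealing problem, which is consistent with Rainer's reading that sysvolcheck is a side issue here; the usual way to bring the file-system ACLs back in line with the directory objects is `samba-tool ntacl sysvolreset`.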
rme at bluemail.ch
2016-Aug-03 15:51 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
> Can you run on a failing computer :
> - netdom verify yourpcname

It seems to work only with the FQDN:

C:\Temp>netdom verify cyb64w10-monster
The format of the specified computer name is invalid.

The command failed to complete successfully.

C:\Temp>netdom verify cyb64w10-monster.ad.cyberdyne.local
The secure channel from CYB64W10-MONSTER.AD.CYBERDYNE.LOCAL to the domain CYBERDYNE has been verified. The connection is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.

The command completed successfully.

> - nslookup yourpcname

Seems to work fine:

C:\Temp>nslookup cyb64w10-monster
Server:  UnKnown
Address:  fdea:5b48:d4c1:1:1::6

Name:    cyb64w10-monster.ad.cyberdyne.local
Addresses:  fdea:5b48:d4c1:1:1::100
          2a02:120b:2c38:2951:8d95:bd76:deaa:73db
          fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
          10.0.1.119

> All ok?

To me this looks alright. Isn't it?

> And is time in sync?

Yes, 100% in sync, synchronized via NTP server.
I am using two external time servers and the following config in my /etc/ntp.conf:
restrict default nomodify nopeer noquery limited kod mssntp
restrict 127.0.0.1
restrict [::1]

As of my understanding, with the Samba time server enabled this should allow clients to synchronize the clock. Actually manual verification and manual clock sync seem to work:

C:\Temp>w32tm /resync
Sending resync command to local computer
The command completed successfully.

> Did you install winbind after the update and also and did you change you
> server services line?

Well, I have installed Samba on Gentoo via the official repositories. Winbind was enabled from the beginning when upgrading from Samba 3.1 to 4.0. The group policy synchronization worked perfectly fine until the 4.2.11 update; on 4.2.9 it was working flawlessly.

My service line looks as follows:
server services = -dns

Full line (samba-tool testparm -vv | grep "server service"):
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

> And best is really to setup TLS/SSL

Copy that.

> <https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC>
> ( missing on that site : add TLS_REQCERT allow to ldap.conf )

Actually from the page I understood that if I don't change anything the TLS certificates are generated but they are only valid for 700 days. Though mine were generated in November 2015 (perhaps on first Samba 4 startup), I just cleaned them and let Samba rebuild them on restart. I might go for my own CA and signed certs valid for a longer period later if this turns out to be the culprit.

So now I changed /etc/ldap/ldap.conf and inserted
TLS_REQCERT allow

Then I verified the configuration:

First verify without TLS, this should fail.

# ldapsearch -xLL -H ldap://localhost -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b "dc=ad,dc=cyberdyne,dc=local"
Enter LDAP Password:
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

Then try with TLS, this should succeed.

# ldapsearch -ZZ -xLL -H ldap://localhost -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b "dc=ad,dc=cyberdyne,dc=local" | head -5
Enter LDAP Password:
version: 1

dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...

Then try with SSL too.

# ldapsearch -xLL -H ldaps://localhost -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b "dc=ad,dc=cyberdyne,dc=local" | head -5
Enter LDAP Password:
version: 1

dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...

> Now, for the other problem, after above is done/checked.

I think TLS works as expected.

> You can clear you GPO history on the pc.
> Its recreated when you reboot/login again, so now worries..
> @echo off
> DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
> REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
> REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
> DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
> klist purge
> gpupdate /force
> exit
> now reboot your pc, and check again.

I did run those, although the Group Policy History and secedit.sdb did not exist as GPO has never been synced on this machine (fresh Win 10 Pro 1607 installation). Though the klist purge and gpupdate ran.

Unfortunately gpupdate immediately showed the same errors again while Samba printed the same errors in its log:

[2016/08/03 17:48:48.064741, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 17:48:48.064868, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED

Many thanks for your patience trying to debug this issue. I am a bit out of ideas now on how to trace this down. All file server services of Samba seem to work fine.

Thanks again
Rainer
Hai,

No, your output is not good.

> C:\Temp>netdom verify cyb64w10-monster
> The format of the specified computer name is invalid.

That's not good.

> C:\Temp>nslookup cyb64w10-monster
> Server: UnKnown
> Address: fdea:5b48:d4c1:1:1::6

Also not good.

If your resolving is set up correctly both should work:
netdom verify cyb64w10-monster
and
netdom verify cyb64w10-monster.ad.cyberdyne.local

Both work for me and my Windows 10 gets its policies.

Open a DOS box and type ipconfig /all

Check your primary DNS suffix AND DNS search.
Normally these are the same, can you check this?

My guess, you're missing the dns-search.

Are you using IPv6 in your LAN? If not, try disabling it.
And try again.
If you're using IPv6, then disable it, try it and enable it back.

And post the resolv.conf and hosts files.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of rme at bluemail.ch
> Sent: Wednesday 3 August 2016 17:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
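Louis's three checks above (short name resolving through the suffix search list, the "Server: UnKnown" line, and A/PTR consistency for a Kerberos client) can be modelled offline. The following added example, written for this page and not part of the thread, builds a small in-memory zone from the names and addresses Rainer posted and runs those checks against it, first without the IPv6 PTR records (the state that produced "Server: UnKnown") and then with them. The zone contents and the FakeZone class are constructed stand-ins for the DC's BIND; the address list is trimmed to one IPv4 and one IPv6 address per host.

```python
"""Offline model of the checks behind `nslookup <shortname>` on an AD client:
forward records for the client through the DNS suffix search list, a PTR for
the DNS server's own address (without one nslookup prints "Server: UnKnown"),
and a PTR for each client address pointing back to its FQDN. Added example for
this thread; the zone below is a constructed in-memory stand-in for BIND."""
import ipaddress


def reverse_name(addr):
    """10.0.1.119 -> '119.1.0.10.in-addr.arpa'; IPv6 -> nibble form under ip6.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer


class FakeZone:
    """Minimal resolver over {owner_name: {rtype: [rdata, ...]}}."""

    def __init__(self, records):
        self.records = {k.lower(): v for k, v in records.items()}

    def query(self, name, rtype):
        return list(self.records.get(name.lower(), {}).get(rtype, []))

    def add(self, name, rtype, value):
        self.records.setdefault(name.lower(), {}).setdefault(rtype, []).append(value)


def check_client(resolver, shortname, search_list, dns_server):
    """Return a list of findings; an empty list means forward and reverse DNS agree."""
    findings = []
    # 1. nslookup reverse-resolves the server address first; no PTR -> "Server: UnKnown".
    if not resolver.query(reverse_name(dns_server), "PTR"):
        findings.append("no PTR for DNS server %s (nslookup shows 'Server: UnKnown')" % dns_server)
    # 2. Walk the suffix search list the way the Windows resolver does for a short name.
    fqdn, addrs = None, []
    for suffix in search_list:
        candidate = "%s.%s" % (shortname, suffix)
        found = resolver.query(candidate, "A") + resolver.query(candidate, "AAAA")
        if found:
            fqdn, addrs = candidate, found
            break
    if fqdn is None:
        findings.append("%s does not resolve via search list %s" % (shortname, search_list))
        return findings
    # 3. Every address needs a PTR naming the same FQDN; Kerberos/AD relies on both directions.
    for addr in addrs:
        ptrs = resolver.query(reverse_name(addr), "PTR")
        if fqdn.lower() not in [p.lower() for p in ptrs]:
            findings.append("%s has no PTR back to %s (got %s)" % (addr, fqdn, ptrs))
    return findings


# Constructed zone using the names and addresses from the thread; the IPv6 PTRs
# are left out to reproduce the state before the missing PTR record was added.
CLIENT = "cyb64w10-monster.ad.cyberdyne.local"
SEARCH = ["ad.cyberdyne.local", "cyberdyne.local"]
DC_V6 = "fdea:5b48:d4c1:1:1::6"


def build_zone(with_v6_ptr):
    zone = FakeZone({
        CLIENT: {"A": ["10.0.1.119"], "AAAA": ["fdea:5b48:d4c1:1:1::100"]},
        "skynet.ad.cyberdyne.local": {"A": ["10.0.1.6"], "AAAA": [DC_V6]},
        reverse_name("10.0.1.119"): {"PTR": [CLIENT]},
        reverse_name("10.0.1.6"): {"PTR": ["skynet.ad.cyberdyne.local"]},
    })
    if with_v6_ptr:
        zone.add(reverse_name(DC_V6), "PTR", "skynet.ad.cyberdyne.local")
        zone.add(reverse_name("fdea:5b48:d4c1:1:1::100"), "PTR", CLIENT)
    return zone


if __name__ == "__main__":
    for label, zone in (("before", build_zone(False)), ("after", build_zone(True))):
        print(label, check_client(zone, "cyb64w10-monster", SEARCH, DC_V6) or ["ok"])
```

The "before" run reports two findings (no PTR for the server's IPv6 address, and no PTR for the client's IPv6 address); the "after" run is clean. Against a real zone the same three steps are `nslookup -type=PTR <address>` for each address on both the client and the DC, which is what Louis asks for with "dns A and PTR records" further down the thread.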
Forgot one extra.

On the Win 10, check this reg key.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname

It states your hostname here, but if it's not in caps change it to HOSTNAME in that registry key.
(HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
You should also see your dnsdomain at Domain and NV Domain.
NV Hostname should be in CAPS also. The domains not.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle
> Sent: Thursday 4 August 2016 8:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
rme at bluemail.ch
2016-Aug-04 07:46 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hello Louis,

Thanks for your reply.

> No, your output is not good.

So let's have a look.

> > C:\Temp>netdom verify cyb64w10-monster
> > The format of the specified computer name is invalid.
> That's not good.

Well, it quite clearly states the format is invalid. If I use the FQDN of the AD domain it works fine. The DNS search is also including the AD domain, and the primary DNS suffix is set to the AD domain as well (see below).

> > C:\Temp>nslookup cyb64w10-monster
> > Server: UnKnown
> > Address: fdea:5b48:d4c1:1:1::6
> Also not good.

It resolves fine. Just I missed the correct IPv6 PTR record from the DNS.

I did quickly fix this now (with no change to the result in GPO sync):
C:\Temp>nslookup cyb64w10-monster
Server:  skynet.cyberdyne.local
Address:  fdea:5b48:d4c1:1:1::6

Name:    cyb64w10-monster.ad.cyberdyne.local
Addresses:  2a02:120b:2c38:2951:8d95:bd76:deaa:73db
          fdea:5b48:d4c1:1:1::100
          fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
          10.0.1.119

> Open a DOS box and type ipconfig /all
> Check your primary DNS suffix AND DNS search.
> Normally these are the same, can you check this?
> My guess, you're missing the dns-search.

I actually get both suffixes and the primary DNS Suffix is set to ad.cyberdyne.local. The reason for this is that I am running a DNS zone including host data for my local LAN (cyberdyne.local) while the AD zone is entirely managed by bind_dlz (ad.cyberdyne.local). So in my DHCP configuration I am assigning the cyberdyne.local DNS domain name (dhcp.conf:
option domain-name "cyberyne.local";

C:\Temp>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : cyb64w10-monster
   Primary Dns Suffix  . . . . . . . : ad.cyberdyne.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ad.cyberdyne.local
                                       cyberdyne.local

> Are you using IPv6 in your LAN? If not, try disabling it.
> And try again.
> If you're using IPv6, then disable it, try it and enable it back.

Well, I am using IPv6 mainly for all services and don't want to disable it. Though I might try this temporarily, which will be quite a bunch of reconfiguration to disable IPv6 in all services. So I will come back with results on this later.

> And post the resolv.conf and hosts files

My resolv.conf:

# Generated by net-scripts for interface lan0
domain ad.cyberdyne.local
search ad.cyberdyne.local cyberdyne.local
nameserver fdea:5b48:d4c1:1:1::6
nameserver 10.0.1.6

my /etc/hosts:

# IPv4 and IPv6 localhost aliases
127.0.0.1 localhost
::1 localhost

10.0.1.6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local
fdea:5b48:d4c1:1:1::6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local

On clients I don't have any modifications to the stock Windows 10 hosts file, just containing localhost entries.

best regards,
Rainer
> Just I missed the correct IPv6 PTR record from the DNS.

Ok, and what's obligatory for a correctly working Kerberos environment? Ahh.. Yes... DNS A and PTR records. ;-)
So one thing fixed, that's ok..

The PC (ipconfig /all) looks good now.

Next.. your hosts file...

> my /etc/hosts:
>
> # IPv4 and IPv6 localhost aliases
> 127.0.0.1 localhost
> ::1 localhost
>
> 10.0.1.6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local
> fdea:5b48:d4c1:1:1::6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local

Which looks ok but it isn't.

# look at this layout I made.. ( the localhost.localdomain is optional. )
127.0.0.1       localhost localhost.localdomain
#
10.0.1.6        skynet.ad.cyberdyne.local skynet
fdea:5b48:d4c1:1:1::6   skynet.ad.cyberdyne.local skynet
#
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Why the above:
> # Generated by net-scripts for interface lan0
> domain ad.cyberdyne.local

So your server is in domain ad.cyberdyne.local

Now after these changes reboot the server; when it is up, reboot the PC. And check again.

For skynet.cyberdyne.local: set up an alias in your DNS, if needed, but since you have DNS search also to both domains that "should" not be needed.
Don't make an A record for this in .cyberdyne.local; use a CNAME.

p.s. you do know that .local is reserved for Apple's mDNS (zeroconf) and it is "advised" not to use it.
https://en.wikipedia.org/wiki/.local see also note 5 there.
But! if you're already up and running DON'T change the domain, that will give more problems..

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of rme at bluemail.ch
> Sent: Thursday 4 August 2016 9:47
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
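The point of the hosts layout above is that, with the glibc `files` backend, the first name on a line is the canonical name returned for the address (and for `hostname -f`), so the DC's FQDN in the domain from resolv.conf's `domain` line has to come first and the short name after it, with names from other zones handled in DNS rather than as hosts aliases. The following added example, written for this page and not part of the thread, checks a hosts file against that rule using the two files as posted and the corrected layout; the only inputs it assumes are the DC's own addresses and short name.

```python
"""Check a DC's /etc/hosts against the layout recommended above: on the line for
each of the DC's own addresses the first name (the canonical name glibc returns
from the files backend) must be the FQDN in the domain given by resolv.conf's
`domain` line, with the short name after it. Added example for this thread; the
file contents are the ones posted in it."""


def parse_resolv_domain(text):
    """Return the value of the `domain` line, or None if there is none."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "domain":
            return parts[1]
    return None


def parse_hosts(text):
    """Return (address, [names]) for every non-comment line that has names."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            if names:
                entries.append((addr, names))
    return entries


def check_hosts(hosts_text, resolv_text, dc_addrs, short):
    """Return findings for the DC's own entries; an empty list means the layout is right."""
    domain = parse_resolv_domain(resolv_text)
    want = "%s.%s" % (short, domain)
    findings, seen = [], set()
    for addr, names in parse_hosts(hosts_text):
        if addr not in dc_addrs:
            continue
        seen.add(addr)
        if names[0] != want:
            findings.append("%s: canonical name is %r, expected %r" % (addr, names[0], want))
        # FQDNs from other zones belong in DNS as aliases (CNAME), not in /etc/hosts.
        other = [n for n in names[1:] if "." in n and n != want]
        if other:
            findings.append("%s: %s should be DNS aliases (CNAME), not hosts entries" % (addr, other))
    for addr in sorted(dc_addrs - seen):
        findings.append("%s: no /etc/hosts entry" % addr)
    return findings


# Files as posted in the thread.
RESOLV = """\
# Generated by net-scripts for interface lan0
domain ad.cyberdyne.local
search ad.cyberdyne.local cyberdyne.local
nameserver fdea:5b48:d4c1:1:1::6
nameserver 10.0.1.6
"""

HOSTS_POSTED = """\
127.0.0.1 localhost
::1 localhost
10.0.1.6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local
fdea:5b48:d4c1:1:1::6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local
"""

HOSTS_RECOMMENDED = """\
127.0.0.1       localhost localhost.localdomain
10.0.1.6        skynet.ad.cyberdyne.local skynet
fdea:5b48:d4c1:1:1::6   skynet.ad.cyberdyne.local skynet
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""

# Assumed: the DC's own addresses and short name, taken from the posted files.
DC_ADDRS = {"10.0.1.6", "fdea:5b48:d4c1:1:1::6"}

if __name__ == "__main__":
    for label, text in (("posted", HOSTS_POSTED), ("recommended", HOSTS_RECOMMENDED)):
        print(label, check_hosts(text, RESOLV, DC_ADDRS, "skynet") or ["ok"])
```

The posted file produces four findings (wrong canonical name and a stray FQDN alias on each of the two DC lines); the recommended layout produces none. On a live DC the same check is `hostname -f` and `getent hosts 10.0.1.6`, both of which should print skynet.ad.cyberdyne.local first.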