samba - Aug 2016 - Samba 4.2.14 Group Policy (GPO) sync error

Hello Louis,

Thanks for your reply.


 > No, your output is not good.

So let's have a look.


 > >C:\Temp>netdom verify cyb64w10-monster
 > >The format of the specified computer name is invalid.
 > Thats not good.

Well, it quite clearly states the format is invalid. If I use the the FQDN of 
the AD domain it works fine. The DNS search is also including the AD domain as 
well as the primary DNS suffix is set to the AD domain (see below).



 > > C:\Temp>nslookup cyb64w10-monster
 > > Server:  UnKnown
 > > Address:  fdea:5b48:d4c1:1:1::6
 > Also not good.

It resolves fine. Just I missed the correct IPv6 PTR record from the DNS.

I did quickly fix this now (with no change to the result in GPO sync):
C:\Temp>nslookup cyb64w10-monster
Server:  skynet.cyberdyne.local
Address:  fdea:5b48:d4c1:1:1::6

Name:    cyb64w10-monster.ad.cyberdyne.local
Addresses:  2a02:120b:2c38:2951:8d95:bd76:deaa:73db
           fdea:5b48:d4c1:1:1::100
           fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
           10.0.1.119


 > open dos box and type ipconfig /all

 > check you primary dns suffix AND dns search.
 > Normaly these are the same, can you check this?

 > My guess, your missing the dns-search


I actually get both suffixes and the primary DNS Suffix is set to 
ad.cyberdyne.local. The reason for this is that I am running a DNS zone 
including host data for my local LAN (cyberdyne.local) while the AD zone is 
entirely managed by bind_dlz (ad.cyberdyne.local). So in my DHCP configuration I
am assigning the cyberdyne.local DNS domain name (dhcp.conf:
     option domain-name "cyberyne.local";


C:\Temp>ipconfig /all

Windows IP Configuration

    Host Name . . . . . . . . . . . . : cyb64w10-monster
    Primary Dns Suffix  . . . . . . . : ad.cyberdyne.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : ad.cyberdyne.local
                                        cyberdyne.local


 > Are you using ipv6 in your lan? If not, try disable it.
 > And try again.
 > If your using ipv6, then disable it, try it and enable it back.

Well, I am using IPv6 mainly for all services and don't want to disable it. 
Though I might try this temporary which will be quite a bunch of reconfiguration
to disable IPv6 in all services. So I will come back with results on this later.


 > And post the resolv.conf and hosts files

My resolv.conf:

# Generated by net-scripts for interface lan0
domain ad.cyberdyne.local
search ad.cyberdyne.local cyberdyne.local
nameserver fdea:5b48:d4c1:1:1::6
nameserver 10.0.1.6


my /etc/hosts:

# IPv4 and IPv6 localhost aliases
127.0.0.1       localhost
::1             localhost

10.0.1.6        skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local
fdea:5b48:d4c1:1:1::6   skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local


On clients I don't have any modifications to the stock Windows 10 hosts
file,
just containing localhost entries.


best regards,
Rainer

> Well, I am using IPv6 mainly for all services and don't want to disable
it.
> Though I might try this temporary which will be quite a bunch of
reconfiguration
>  to disable IPv6 in all services. So I will come back with results on this
later.
I have completely disabled IPv6 on the server temporary as well as I removed the
second IPv4 address from the interface.

Unfortunately this didn't do any change to the result.

Still getting the same errors in Samba log.

[2016/08/04 11:49:23.546473,  1] 
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
   gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/04 11:49:23.546602,  0] 
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: 
NT_STATUS_ACCESS_DENIED


best regards,
Rainer

On Thu, 4 Aug 2016 12:02:18 +0200
rme at bluemail.ch wrote:
> > Well, I am using IPv6 mainly for all services and don't want to
> > disable it. Though I might try this temporary which will be quite a
> > bunch of reconfiguration to disable IPv6 in all services. So I will
> > come back with results on this later.
> 
> I have completely disabled IPv6 on the server temporary as well as I
> removed the second IPv4 address from the interface.
> 
> Unfortunately this didn't do any change to the result.
> 
> Still getting the same errors in Samba log.
> 
> [2016/08/04 11:49:23.546473,  1] 
> ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
>    gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown
> mech-code 0 for mech 1 2 840 113554 1 2 2
> [2016/08/04 11:49:23.546602,  0] 
> ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
>    gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176)
> failed: NT_STATUS_ACCESS_DENIED
> 
> 
> best regards,
> Rainer
> 
Lets go back to basics, can you post you smb.conf again, but this time,
obtain it via cat

Can you also post your /etc/krb5.conf

Rowland