rme at bluemail.ch
2016-Aug-04 07:46 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hello Louis, Thanks for your reply. > No, your output is not good. So let's have a look. > >C:\Temp>netdom verify cyb64w10-monster > >The format of the specified computer name is invalid. > Thats not good. Well, it quite clearly states the format is invalid. If I use the the FQDN of the AD domain it works fine. The DNS search is also including the AD domain as well as the primary DNS suffix is set to the AD domain (see below). > > C:\Temp>nslookup cyb64w10-monster > > Server: UnKnown > > Address: fdea:5b48:d4c1:1:1::6 > Also not good. It resolves fine. Just I missed the correct IPv6 PTR record from the DNS. I did quickly fix this now (with no change to the result in GPO sync): C:\Temp>nslookup cyb64w10-monster Server: skynet.cyberdyne.local Address: fdea:5b48:d4c1:1:1::6 Name: cyb64w10-monster.ad.cyberdyne.local Addresses: 2a02:120b:2c38:2951:8d95:bd76:deaa:73db fdea:5b48:d4c1:1:1::100 fdea:5b48:d4c1:1:8d95:bd76:deaa:73db 10.0.1.119 > open dos box and type ipconfig /all > check you primary dns suffix AND dns search. > Normaly these are the same, can you check this? > My guess, your missing the dns-search I actually get both suffixes and the primary DNS Suffix is set to ad.cyberdyne.local. The reason for this is that I am running a DNS zone including host data for my local LAN (cyberdyne.local) while the AD zone is entirely managed by bind_dlz (ad.cyberdyne.local). So in my DHCP configuration I am assigning the cyberdyne.local DNS domain name (dhcp.conf: option domain-name "cyberyne.local"; C:\Temp>ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : cyb64w10-monster Primary Dns Suffix . . . . . . . : ad.cyberdyne.local Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : ad.cyberdyne.local cyberdyne.local > Are you using ipv6 in your lan? If not, try disable it. > And try again. > If your using ipv6, then disable it, try it and enable it back. Well, I am using IPv6 mainly for all services and don't want to disable it. Though I might try this temporary which will be quite a bunch of reconfiguration to disable IPv6 in all services. So I will come back with results on this later. > And post the resolv.conf and hosts files My resolv.conf: # Generated by net-scripts for interface lan0 domain ad.cyberdyne.local search ad.cyberdyne.local cyberdyne.local nameserver fdea:5b48:d4c1:1:1::6 nameserver 10.0.1.6 my /etc/hosts: # IPv4 and IPv6 localhost aliases 127.0.0.1 localhost ::1 localhost 10.0.1.6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local fdea:5b48:d4c1:1:1::6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local On clients I don't have any modifications to the stock Windows 10 hosts file, just containing localhost entries. best regards, Rainer
rme at bluemail.ch
2016-Aug-04 10:02 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
> Well, I am using IPv6 mainly for all services and don't want to disable it. > Though I might try this temporary which will be quite a bunch of reconfiguration > to disable IPv6 in all services. So I will come back with results on this later.I have completely disabled IPv6 on the server temporary as well as I removed the second IPv4 address from the interface. Unfortunately this didn't do any change to the result. Still getting the same errors in Samba log. [2016/08/04 11:49:23.546473, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet) gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2 [2016/08/04 11:49:23.546602, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet) gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED best regards, Rainer
On Thu, 4 Aug 2016 12:02:18 +0200 rme at bluemail.ch wrote:> > Well, I am using IPv6 mainly for all services and don't want to > > disable it. Though I might try this temporary which will be quite a > > bunch of reconfiguration to disable IPv6 in all services. So I will > > come back with results on this later. > > I have completely disabled IPv6 on the server temporary as well as I > removed the second IPv4 address from the interface. > > Unfortunately this didn't do any change to the result. > > Still getting the same errors in Samba log. > > [2016/08/04 11:49:23.546473, 1] > ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet) > gss_unwrap_iov failed: Miscellaneous failure (see text): unknown > mech-code 0 for mech 1 2 840 113554 1 2 2 > [2016/08/04 11:49:23.546602, 0] > ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet) > gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) > failed: NT_STATUS_ACCESS_DENIED > > > best regards, > Rainer >Lets go back to basics, can you post you smb.conf again, but this time, obtain it via cat Can you also post your /etc/krb5.conf Rowland