Hai,

> Windows can update the forward zone, but, if I understand it correctly,
> it doesn't update the reverse zone, Unix clients do neither
>
> Rowland

Some more info on this.

- Windows 7 / static IPs
  Here Windows does update their forward and reverse zone, but only when you use a static IP, so to avoid problems here, all my normal PCs have static IPs.

- Windows 7 / DHCP IPs
  My DHCP clients only update the forward zones, no reverse, but this should be fixable, I just haven't looked into this (yet). (I didn't need it (yet).)

Win 10: I'm configuring a PC now and setting up the GPO.
When done, I'll test that and report back how that goes.

Greetz,

Louis
rme at bluemail.ch
2016-Aug-05 20:54 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hello Louis,

> Win 10, I'm configuring a PC now and setting up the GPO.
> When done, I'll test that and report back how that goes.

I actually set up a Win7 VM to test whether GPO sync works fine with it. So I installed Windows 7 Professional with the last update rollup installed. Unfortunately I get exactly the same errors as I get in Windows 10 Pro.

I am seriously thinking about an issue with my Samba installation or something which was broken during classicupgrade. I am facing the same issues on two additional Samba 4.2 installations, both were classic-upgraded.

Then I started investigating whether Samba provides some kind of "verification" tool. Unfortunately I tried 'samba-tool domain provision' once where I found it's not only verifying but actually resetting the Samba configuration (Privileges, User Accounts, Machine Accounts etc.).

In fact I would be willing to re-configure my Samba installation from scratch. Actually there is only little data I would have to re-do and I did some research on whether it's possible to export this data and re-import it later. I did find a couple of transfer guides (how to transfer from one hardware to another) but here I think I would simply copy the /var/lib/samba and /etc/samba folders which should work.

In my case I am looking for
- Export user database (including passwords, SID(!!), unix LDAP attributes etc.)
- Export group database (including SID)
- Export machine accounts (optional, I might re-join the machines)
- Keep domain SID (net getlocalsid / net setlocalsid)
- Anything else?

Actually especially the users database would be a hassle to re-create as I would have to inform the users and since I am using roaming profiles they should keep their SID as the user profile backup (mainly ntuser.dat registry hive) refers to the SID for security descriptors. So I would run into trouble if the user is assigned a new SID. Moreover some users have Unix attributes (UID, home directory, shell) which I should keep as some of them need to log in to the shell too. Needless to say that changing the owner of all files owned by specific UID would be troublesome.

But assuming I could export the complete user/group database and re-import them (all users except built-in ones like Administrator, service accounts etc.) I would be fine with it.

I already tried

    pdbedit -e smbpasswd:/mydir/myfile
    pdbedit -i smbpasswd:/mydir/myfile

but it didn't work. The export was fine and the dump was created but import fails with an obscure message:

    build_sam_account: smbpasswd database is corrupt! username <user> with uid <uid> is not in unix passwd database!
    Username not found!

Which is weird as of course the user does not exist when I try to import it. Moreover looking at the exported file it looks like only the plain Windows attributes are exported and especially the SID is not retained. So even when the user is restored it would be an issue to log on with its old profile assigning permissions to the old SID (e.g. in user registry hive). And I certainly don't want the users to start configuring all their profiles from scratch.

Honestly I was a bit busy restoring my Samba installation after accidentally scratching it and I didn't do any test on GPO sync after I accidentally scratched it - my bad. I will do this again and verify whether I can sync GPO properly on a freshly initialized installation using 'samba-tool domain provision' with my current smb.conf left intact.

Does anybody know whether such a migration of users and machine accounts to a new installation is possible?

Thanks
Rainer
Hai,

I've tested the following, I use static and DHCP IPs here.

Everything on static IP works perfectly on Win7 and Win10.
And at the domain join the A and PTR are created automatically.
GPO works fine for both.

DHCP IP:
Win 7 works fine, AD join A and PTR are created and updated when the IP is changed. GPO works fine.
Win 10 works, AD join A and PTR are created but not updated when the IP is changed. GPO works fine until the IP is updated.
So I'll look into the "why" the PTR is not updated on Win10.
Besides that it looks normal here.

Rainer,
I don't think there is an issue with your install.
But I would change the krb5.conf; I'm no Kerberos guru, but I would think it's something like below that you need.

    [libdefaults]
        default_realm = AD.CYBERDYNE.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false

    [realms]
        AD.CYBERDYNE.LOCAL = {
            default_domain = ad.cyberdyne.local
            kdc = skynet.ad.cyberdyne.local
            admin_server = skynet.ad.cyberdyne.local
        }

    [domain_realm]
        .ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
        ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
        .cyberdyne.local = AD.CYBERDYNE.LOCAL
        cyberdyne.local = AD.CYBERDYNE.LOCAL

or

    [libdefaults]
        default_realm = AD.CYBERDYNE.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

    [domain_realm]
        .ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
        ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
        .cyberdyne.local = AD.CYBERDYNE.LOCAL
        cyberdyne.local = AD.CYBERDYNE.LOCAL

Greetz,

Louis
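A consistency check for the two krb5.conf variants proposed in the message above, as an added example that is not part of the original thread. The helper names and the ad.example.test realm are assumptions, and the default_domain comparison follows the naming convention used in the message rather than a Kerberos requirement.

```python
import re
# Added example with hypothetical helper names; SAMPLE is constructed and holds two deliberate errors.
SAMPLE = """\
[libdefaults]
    default_realm = AD.EXAMPLE.TEST
    dns_lookup_kdc = false
[realms]
    AD.EXAMPLE.TEST = {
        default_domain = ad.exmple.test
        kdc = dc1.ad.example.test
    }
[domain_realm]
    ad.example.test = ad.example.test
"""

def parse_krb5(text):
    """Parse [sections], 'key = value' pairs and one level of { } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def lint_krb5(text):
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default, problems = lib.get("default_realm"), []
    static = lib.get("dns_lookup_kdc", "").lower() == "false"  # KDC not found via DNS
    if not default:
        problems.append("no default_realm in [libdefaults]")
    elif static and "kdc" not in realms.get(default, {}):
        problems.append(f"dns_lookup_kdc = false but no kdc listed for {default}")
    for name, body in realms.items():
        dom = body.get("default_domain") if isinstance(body, dict) else None
        if dom and dom != name.lower():
            problems.append(f"default_domain {dom} differs from realm {name}")
    for host, realm in conf.get("domain_realm", {}).items():
        if realm != realm.upper() or (static and realm not in realms):
            problems.append(f"[domain_realm] {host} -> {realm} is not a defined realm")
    return problems
```

`lint_krb5(SAMPLE)` reports the misspelled default_domain and the lowercase realm target; a file shaped like the second variant (dns_lookup_kdc = true, no [realms] section) returns an empty list.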
rme at bluemail.ch
2016-Aug-08 20:44 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hi Louis,

> I've tested the following, I use static and DHCP IPs here.

I am using DHCP only.

> Everything on static IP works perfectly on Win7 and Win10.
> And at the domain join the A and PTR are created automatically.
> GPO works fine for both.

Can't tell about static setup as it's impractical in my networks.

> DHCP IP:
> Win 7 works fine, AD join A and PTR are created and updated when the IP is changed. GPO works fine.

Was it a fully patched Windows 7 Pro? As my one still complains about being unable to change the name on domain join and also it fails to update GPO.

> Win 10 works, AD join A and PTR are created but not updated when the IP is changed. GPO works fine until the IP is updated.
> So I'll look into the "why" the PTR is not updated on Win10.
> Besides that it looks normal here.

Alright, but I doubt this will solve my problem. It probably just showed another problem with Samba which is only partially related. Because my IPs don't change very often even with DHCP setup it should actually work for me at least right after Domain join.

> Rainer,
> I don't think there is an issue with your install.
> But I would change the krb5.conf; I'm no Kerberos guru, but I would think it's something like below that you need.

I did change my krb5.conf exactly to what you proposed (first proposal with dns_lookup_realm = false and realm defined), then restarted Samba and still ran into the same issue.

gpupdate:

    The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    User Policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

This happens on at least 3 classicupgraded Samba installations here. Any idea how to trace it down?

best regards,
Rainer