rme at bluemail.ch
2016-Aug-09 18:48 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hi Achim,

Thanks a lot for your reply.

> I remember this error. In my case the pc tried to connect to the gpo
> share not via the server name but via the domain name. In your case
> ad.cyberdyne.local.

Well, I am even able to browse the policies via the domain name:
\\ad.cyberdyne.local\sysvol\ad.cyberdyne.local\Policies

Or via hostname:
\\skynet.ad.cyberdyne.local\sysvol\ad.cyberdyne.local\Policies

It's all working just fine.

> In my case the domain name sometimes resolved to ad dc servers in
> subnets which were not reachable from the client pc so the connection failed.
> Can you browse ad.cyberdyne.local from your client pc? And can it be you
> also have addc servers in other non reachable subnets.

Actually my trusted clients are in the 10.0.1.0/24 subnet. Untrusted clients are in the 10.0.2.0/24 subnet, but this subnet does not contain AD-joined hosts.

Samba listens on 3 IPs:
- 10.0.1.6
- 10.0.1.6
- fdea:5b48:d4c1:1:1::6

DNS also resolves those hosts:

>nslookup skynet
Server:  skynet.ad.cyberdyne.local
Address:  fdea:5b48:d4c1:1:1::6

Name:    skynet.ad.cyberdyne.local
Addresses:  fdea:5b48:d4c1:1:1::6
          10.0.2.6
          10.0.0.6
          10.0.1.6

Actually the routes and firewalls also allow unlimited connections from 10.0.1.0/24 to 10.0.2.0/24. Though as you brought up the topic, I tested connecting to \\10.0.2.6\sysvol from my 10.0.1.x machine. The connection works OK, but somehow I am prompted to enter the password and it does not accept it. However, I don't know why yet. The same applies to the IPv6 connection at \\fdea-5b48-d4c1-1-1--6.ipv6-literal.net\sysvol. It seems I cannot authenticate on any listener interface other than the main 10.0.1.6 listening address. I don't know yet what the reason for this is.

I also tried this in smb.conf:
interfaces = 10.0.1.6/24
bind interfaces only = true

Now Samba only listens on 10.0.1.6, but samba_dlz still resolves all IP addresses for skynet.ad.cyberdyne.local.
Then I reset my complete samba_dlz installation (removing keytab, user and private/dns folder entirely) and re-initialized it. Then I restarted named too and ran "samba_dnsupdate --all-names". Now DNS resolved as follows:

>nslookup skynet.ad.cyberdyne.local
Server:  skynet.ad.cyberdyne.local
Address:  fdea:5b48:d4c1:1:1::6

Name:    skynet.ad.cyberdyne.local
Address:  10.0.1.6
          10.0.0.6

I have no idea at all why Samba still resolves to 10.0.0.6 as it does not listen on this interface. Yes, this interface exists and 10.0.0.0/24 is used on a dedicated physical network interface. But I don't want Samba to listen on it and the interfaces line (see above) does not list it. Netstat confirms Samba does not listen on this interface.

So I removed the entry manually:
samba-tool dns delete skynet.ad.cyberdyne.local ad.cyberdyne.local skynet A 10.0.0.6

Now DNS looks alright, IPv4 only:

>nslookup skynet.ad.cyberdyne.local
Server:  skynet.ad.cyberdyne.local
Address:  fdea:5b48:d4c1:1:1::6

Name:    skynet.ad.cyberdyne.local
Address:  10.0.1.6

To also exclude any possible issue with IPv6, I also disabled IPv6 on my testing client. Now from the client I am able to connect to \\skynet.ad.cyberdyne.local\sysvol, but get access-denied on \\10.0.1.6\sysvol, no matter which account I try.

Also when I do 'samba_dnsupdate --all-names' I see the following in the logs (repeated), but no error is reported.
[2016/08/09 20:41:33.748195, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ named at AD.CYBERDYNE.LOCAL from ipv4:10.0.1.6:33531 for krbtgt/AD.CYBERDYNE.LOCAL at AD.CYBERDYNE.LOCAL
[2016/08/09 20:41:33.749880, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- named at AD.CYBERDYNE.LOCAL: no such entry found in hdb

So something might be fishy in the Samba code that binds to multiple network interfaces:
- Samba partially ignores the interfaces directive
- Somehow I can only connect to the first interface, not to any other IP

best regards,
Rainer
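The mismatch described in this message (DNS advertising DC addresses that Samba is not bound to) can be checked mechanically. The following is an added example written for this thread, not code from the thread or from Samba: it reads the interfaces and bind-interfaces-only settings from an smb.conf fragment and lists the samba-tool dns delete commands for every record that points elsewhere. The smb.conf fragment and the record list are constructed from the post; in practice the records would come from samba-tool dns query output.

```python
"""Added example for this thread (not Samba project code): compare the
A/AAAA records DNS hands out for the DC against the addresses named in
smb.conf 'interfaces' and print the command that would remove each stale one."""
import ipaddress
import re

# Constructed smb.conf fragment with the poster's settings.
SMB_CONF = "[global]\n    interfaces = 10.0.1.6/24\n    bind interfaces only = true\n"

# Constructed: the four addresses nslookup returned for skynet in the post.
DNS_RECORDS = [("AAAA", "fdea:5b48:d4c1:1:1::6"), ("A", "10.0.2.6"),
               ("A", "10.0.0.6"), ("A", "10.0.1.6")]

def listen_addresses(smb_conf):
    """Addresses named in 'interfaces'. Assumption: for 'ip/prefix' the ip is
    the bound address (netstat in the post shows only 10.0.1.6). Interface
    names such as eth0 are skipped; resolving them would need 'ip addr'."""
    addrs = []
    for line in smb_conf.splitlines():
        m = re.match(r"\s*interfaces\s*=\s*(.+)", line)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                addrs.append(ipaddress.ip_address(token.split("/", 1)[0]))
            except ValueError:
                pass  # not an address literal (interface name); skipped
    return addrs

def stale_records(smb_conf, records, server, zone, host):
    """Delete commands for records whose address Samba is not bound to.
    Without 'bind interfaces only' Samba listens on every interface, so
    there is nothing to flag and the list is empty."""
    if not re.search(r"bind interfaces only\s*=\s*(yes|true)", smb_conf.lower()):
        return []
    bound = set(listen_addresses(smb_conf))
    return [f"samba-tool dns delete {server} {zone} {host} {rtype} {value}"
            for rtype, value in records
            if ipaddress.ip_address(value) not in bound]

if __name__ == "__main__":
    for cmd in stale_records(SMB_CONF, DNS_RECORDS, "skynet.ad.cyberdyne.local",
                             "ad.cyberdyne.local", "skynet"):
        print(cmd)
```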
On 09.08.2016 at 20:48, Rainer Meier via samba wrote:
> I have no idea at all why Samba still resolves to 10.0.0.6 as it does
> not listen on this interface. Yes this interface exists and 10.0.0.0/24
> is used on a dedicated physical network interface. But I don't want
> Samba to listen on it and the interfaces line (see above) does not
> list it. Netstat confirms Samba does not listen on this interface.
>
> So I removed the entry manually:
> samba-tool dns delete skynet.ad.cyberdyne.local ad.cyberdyne.local
> skynet A 10.0.0.6
>
> Now DNS looks alright, IPv4 only:
>> nslookup skynet.ad.cyberdyne.local
> Server: skynet.ad.cyberdyne.local
> Address: fdea:5b48:d4c1:1:1::6
>
> Name: skynet.ad.cyberdyne.local
> Address: 10.0.1.6

I think the 10.0.06 entry was created during domain creation. I'd skim through the DNS records from a Windows machine if possible and delete all occurrences of unwanted IP addresses. I assume the GPOs still cannot be loaded during logon on the client? Did you inspect gpresult /h result.html?
rme at bluemail.ch
2016-Aug-09 19:48 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
> I think the 10.0.06 entry was created during domain creation. I'd skim
> through the DNS records from a Windows machine if possible and delete all
> occurrences of unwanted IP addresses. I assume the GPOs still cannot be
> loaded during logon on the client? Did you inspect gpresult /h result.html?

I did remove the record for 10.0.0.6 now. Currently I only have 10.0.1.6 in the DNS and Samba listening only on 10.0.1.6. Though it still fails to sync with exactly the same error. gpresult /h result.html does not do anything, as the GPO has never been synced. It seems to provide results only if the sync has completed at least once.