We can login just fine but Group Policy Update is throwing an error
gpupdate
Updating Policy...
User policy could not be updated successfully. The following errors
were encount
ered:
The processing of Group Policy failed. Windows could not determine if
the user a
nd computer accounts are in the same forest. Ensure the user domain
name matches
the name of a trusted domain that resides in the same forest as the
computer ac
count.
Computer Policy update has completed successfully.
Windows Event Viewer Log shows:
EventID 1110
ErrorCode 1311
ErrorDescription There are currently no logon servers available to
service the logon request.
Ive tried "samba-tool ntacl sysvolreset"
gpresult /r
INFO: The user does not have RSOP data.
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : guymcfearsome
Primary Dns Suffix . . . . . . . : ad.poopybutthole.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : poopybutthole.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Qualcomm Atheros AR8161/8165
PCI-E Gigabi
t Ethernet Controller (NDIS 6.20)
Physical Address. . . . . . . . . : 94-DE-80-2F-D5-A2
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f94d:55d6:8406:f24%11(Preferred)
IPv4 Address. . . . . . . . . . . : 10.243.0.47(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.243.0.4
DHCPv6 IAID . . . . . . . . . . . : 244637312
DHCPv6 Client DUID. . . . . . . . :
00-01-00-01-19-30-AE-C5-94-DE-80-2F-D5-A2
DNS Servers . . . . . . . . . . . : 10.243.0.90
10.243.0.91
Primary WINS Server . . . . . . . : 10.243.0.103
NetBIOS over Tcpip. . . . . . . . : Enabled
cat /etc/resolve.conf
search ad.poopybutthole.com poopybutthole.com
nameserver 10.243.0.91
nameserver 10.243.0.90
Can telnet to 53 on dns server also can get to port 389 and 636 on the DC
[root at dc1 samba]# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = AD
realm = AD.poopybutthole.COM
netbios name = DC1
interfaces = 10.243.0.90/16
bind interfaces only = Yes
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
time server = yes
server services = -dns
[netlogon]
path = /var/lib/samba/sysvol/ad.poopybutthole.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
I can also get to the sysvol shares and netlogon shares just fine.
[root at dc1 samba]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
This looks all good. Can you check you database replication with my script. http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh It does some basic checked to detect the AD DC's. And it compaires the ad db database in 2 ways. And can you try it again but unselect the IPV6 in the computer its network settings. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens John Farmer via > samba > Verzonden: donderdag 17 november 2016 23:01 > Aan: samba at lists.samba.org > Onderwerp: [Samba] group policy update fails > > We can login just fine but Group Policy Update is throwing an error > > gpupdate > Updating Policy... > > User policy could not be updated successfully. The following errors > were encount > ered: > > The processing of Group Policy failed. Windows could not determine if > the user a > nd computer accounts are in the same forest. Ensure the user domain > name matches > the name of a trusted domain that resides in the same forest as the > computer ac > count. > Computer Policy update has completed successfully. > > Windows Event Viewer Log shows: > > EventID 1110 > ErrorCode 1311 > ErrorDescription There are currently no logon servers available to > service the logon request. > > > Ive tried "samba-tool ntacl sysvolreset" > > > > gpresult /r > INFO: The user does not have RSOP data. > > > > > ipconfig /all > > Windows IP Configuration > > Host Name . . . . . . . . . . . . : guymcfearsome > Primary Dns Suffix . . . . . . . : ad.poopybutthole.com > Node Type . . . . . . . . . . . . : Hybrid > IP Routing Enabled. . . . . . . . : No > WINS Proxy Enabled. . . . . . . . : No > DNS Suffix Search List. . . . . . : poopybutthole.com > > Ethernet adapter Local Area Connection: > > Connection-specific DNS Suffix . : > Description . . . . . . . . . . . : Qualcomm Atheros AR8161/8165 > PCI-E Gigabi > t Ethernet Controller (NDIS 6.20) > Physical Address. . . . . . . . . : 94-DE-80-2F-D5-A2 > DHCP Enabled. . . . . . . . . . . : No > Autoconfiguration Enabled . . . . : Yes > Link-local IPv6 Address . . . . . : > fe80::f94d:55d6:8406:f24%11(Preferred) > IPv4 Address. . . . . . . . . . . : 10.243.0.47(Preferred) > Subnet Mask . . . . . . . . . . . : 255.255.0.0 > Default Gateway . . . . . . . . . : 10.243.0.4 > DHCPv6 IAID . . . . . . . . . . . : 244637312 > DHCPv6 Client DUID. . . . . . . . : > 00-01-00-01-19-30-AE-C5-94-DE-80-2F-D5-A2 > > DNS Servers . . . . . . . . . . . : 10.243.0.90 > 10.243.0.91 > Primary WINS Server . . . . . . . : 10.243.0.103 > NetBIOS over Tcpip. . . . . . . . : Enabled > > > > cat /etc/resolve.conf > > search ad.poopybutthole.com poopybutthole.com > nameserver 10.243.0.91 > nameserver 10.243.0.90 > > > Can telnet to 53 on dns server also can get to port 389 and 636 on the DC > > > > [root at dc1 samba]# cat /etc/samba/smb.conf > # Global parameters > [global] > workgroup = AD > realm = AD.poopybutthole.COM > netbios name = DC1 > interfaces = 10.243.0.90/16 > bind interfaces only = Yes > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > time server = yes > server services = -dns > [netlogon] > path = /var/lib/samba/sysvol/ad.poopybutthole.com/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > > I can also get to the sysvol shares and netlogon shares just fine. > > [root at dc1 samba]# cat /etc/krb5.conf > [logging] > default = FILE:/var/log/krb5libs.log > kdc = FILE:/var/log/krb5kdc.log > admin_server = FILE:/var/log/kadmind.log > > [libdefaults] > dns_lookup_realm = false > ticket_lifetime = 24h > renew_lifetime = 7d > forwardable = true > rdns = false > # default_realm = EXAMPLE.COM > default_ccache_name = KEYRING:persistent:%{uid} > > [realms] > # EXAMPLE.COM = { > # kdc = kerberos.example.com > # admin_server = kerberos.example.com > # } > > [domain_realm] > # .example.com = EXAMPLE.COM > # example.com = EXAMPLE.COM > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Ok just to verify. DC name= ad41.dc.samges.ru dnsdomain= dc.samges.ru Kerberos domain ?? Im guessing you kerberos to dnsdomain mapping is wrong. Can you post the /etc/hosts /etc/resolv.conf /etc/krb5.conf And, can you post this line u used for provisioning? Greetz, Louis> -----Oorspronkelijk bericht----- > Van: Mike Lykov [mailto:combr at samges.ru] > Verzonden: vrijdag 18 november 2016 12:20 > Aan: L.P.H. van Belle > Onderwerp: Re: [Samba] group policy update fails > > 18.11.2016 12:04, L.P.H. van Belle via samba ??????????: > > This looks all good. > > > > Can you check you database replication with my script. > > http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh > > It does some basic checked to detect the AD DC's. > > And it compaires the ad db database in 2 ways. > > May I ask you about my results interpretation? > > ------------- > Result for [DOMAIN]: FAILURE > Attributes found only in ldap://ad41.dc.samges.ru: > msDS-NcType > serverState > Result for [CONFIGURATION]: FAILURE > Attributes found only in ldap://ad41.dc.samges.ru: > msDS-NcType > subRefs > > Result for [SCHEMA]: FAILURE > Attributes found only in ldap://ad41.dc.samges.ru: > msDS-NcType > --------------- > > What is this attributes means, why they could not replicate? > And how to fix this case? > "samba drs showrepl" show all is ok. > > ----------- > * Comparing [DNSDOMAIN] context... > Failed search of base=DC=DomainDnsZones,DC=dc,DC=samges,DC=ru > ------------ > > Why it can happen? > > > -- > Mike Lykov, system administrator
Got a lot of
" Attributes found only in ldap://dc1.ad.poopybutthole.com:
cn
Attributes found only in ldap://dc2.ad.poopybutthole.com.:
CN
FAILED"
[33mNo debconf-set-selections tool found, running apt-get update and
install debconf , please wait..[0;10m
[37m[1mRunning with with console output[0;10m
[37m[1mRunning : /usr/bin/samba-tool ldapcmp --filter='whenChanged'
ldap://dc1.ad.poopybutthole.com ldap://mode.[0;10m
[37m[1mPlease wait.. this can take a while..[0;10m
Failed to connect to ldap URL 'ldap://mode.' - LDAP client internal
error: NT_STATUS_OBJECT_NAME_NOT_FOUND
Failed to connect to 'ldap://mode.' with backend 'ldap': (null)
ERROR(ldb): uncaught exception - None
File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/ldapcmp.py",
line 968, in run
outf=self.outf, errf=self.errf)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/ldapcmp.py",
line 64, in __init__
options=ldb_options)
File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line
115, in __init__
self.connect(url, flags, options)
[32m[0;10m
[37m[1mRunning : /usr/bin/samba-tool ldapcmp --filter='whenChanged'
ldap://dc1.ad.poopybutthole.com ldap://dc2.ad.poopybutthole.com.[0;10m
[37m[1mPlease wait.. this can take a while..[0;10m
ERROR: Compare failed: -1
[33m
* Comparing [DOMAIN] context...
* Objects to be compared: 1111
Comparing:
'CN=0b7fb422-3609-4587-8c2e-94b10f67d1bf,CN=Operations,CN=DomainUpdates,CN=System,DC=ad,DC=poopybutthole,DC=com'
[ldap://dc1.ad.poopybutthole.com]
'CN=0b7fb422-3609-4587-8c2e-94b10f67d1bf,CN=Operations,CN=DomainUpdates,CN=System,DC=ad,DC=poopybutthole,DC=com'
[ldap://dc2.ad.poopybutthole.com.]
Attributes found only in ldap://dc1.ad.poopybutthole.com:
cn
Attributes found only in ldap://dc2.ad.poopybutthole.com.:
CN
FAILED
Comparing:
'DC=4257423d-4a8c-4ed5-a859-4c763dcfc842,DC=_msdcs.ad.poopybutthole.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ad,DC=poopybutthole,DC=com'
[ldap://dc1.ad.poopybutthole.com]
'DC=4257423d-4a8c-4ed5-a859-4c763dcfc842,DC=_msdcs.ad.poopybutthole.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ad,DC=poopybutthole,DC=com'
[ldap://dc2.ad.poopybutthole.com.]
Attributes found only in ldap://dc1.ad.poopybutthole.com:
dc
Attributes found only in ldap://dc2.ad.poopybutthole.com.:
DC
FAILED
...skipping...
* Result for [DNSFOREST]: FAILURE
SUMMARY
---------
Attributes found only in ldap://dc1.ad.poopybutthole.com:
ou
cn
dc
CN
Attributes found only in ldap://dc2.ad.poopybutthole.com.:
DC
OU
serverReferenceBL
CN
cn
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1719
Comparing:
'CN=002fb291-0d00-4b0c-8c00-fe7f50ce6f8d,CN=Operations,CN=ForestUpdates,CN=Configuration,DC=ad,DC=poopybutthole,DC=com'
[ldap://dc1.ad.poopybutthole.com]
'CN=002fb291-0d00-4b0c-8c00-fe7f50ce6f8d,CN=Operations,CN=ForestUpdates,CN=Configuration,DC=ad,DC=poopybutthole,DC=com'
[ldap://dc2.ad.poopybutthole.com.]
Attributes found only in ldap://dc1.ad.poopybutthole.com:
cn
Attributes found only in ldap://dc2.ad.poopybutthole.com.:
CN
FAILED
* Result for [DOMAIN]: FAILURE
At 02:04 AM 11/18/2016, L.P.H. van Belle via samba
wrote:>This looks all good.
>
>Can you check you database replication with my script.
>http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh
>It does some basic checked to detect the AD DC's.
>And it compaires the ad db database in 2 ways.
>
>And can you try it again but unselect the IPV6 in the computer its
>network settings.
>
>Greetz,
>
>Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens John
Farmer via
> > samba
> > Verzonden: donderdag 17 november 2016 23:01
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] group policy update fails
> >
> > We can login just fine but Group Policy Update is throwing an error
> >
> > gpupdate
> > Updating Policy...
> >
> > User policy could not be updated successfully. The following errors
> > were encount
> > ered:
> >
> > The processing of Group Policy failed. Windows could not determine if
> > the user a
> > nd computer accounts are in the same forest. Ensure the user domain
> > name matches
> > the name of a trusted domain that resides in the same forest as the
> > computer ac
> > count.
> > Computer Policy update has completed successfully.
> >
> > Windows Event Viewer Log shows:
> >
> > EventID 1110
> > ErrorCode 1311
> > ErrorDescription There are currently no logon servers available to
> > service the logon request.
> >
> >
> > Ive tried "samba-tool ntacl sysvolreset"
> >
> >
> >
> > gpresult /r
> > INFO: The user does not have RSOP data.
> >
> >
> >
> >
> > ipconfig /all
> >
> > Windows IP Configuration
> >
> > Host Name . . . . . . . . . . . . : guymcfearsome
> > Primary Dns Suffix . . . . . . . : ad.poopybutthole.com
> > Node Type . . . . . . . . . . . . : Hybrid
> > IP Routing Enabled. . . . . . . . : No
> > WINS Proxy Enabled. . . . . . . . : No
> > DNS Suffix Search List. . . . . . : poopybutthole.com
> >
> > Ethernet adapter Local Area Connection:
> >
> > Connection-specific DNS Suffix . :
> > Description . . . . . . . . . . . : Qualcomm Atheros AR8161/8165
> > PCI-E Gigabi
> > t Ethernet Controller (NDIS 6.20)
> > Physical Address. . . . . . . . . : 94-DE-80-2F-D5-A2
> > DHCP Enabled. . . . . . . . . . . : No
> > Autoconfiguration Enabled . . . . : Yes
> > Link-local IPv6 Address . . . . . :
> > fe80::f94d:55d6:8406:f24%11(Preferred)
> > IPv4 Address. . . . . . . . . . . : 10.243.0.47(Preferred)
> > Subnet Mask . . . . . . . . . . . : 255.255.0.0
> > Default Gateway . . . . . . . . . : 10.243.0.4
> > DHCPv6 IAID . . . . . . . . . . . : 244637312
> > DHCPv6 Client DUID. . . . . . . . :
> > 00-01-00-01-19-30-AE-C5-94-DE-80-2F-D5-A2
> >
> > DNS Servers . . . . . . . . . . . : 10.243.0.90
> > 10.243.0.91
> > Primary WINS Server . . . . . . . : 10.243.0.103
> > NetBIOS over Tcpip. . . . . . . . : Enabled
> >
> >
> >
> > cat /etc/resolve.conf
> >
> > search ad.poopybutthole.com poopybutthole.com
> > nameserver 10.243.0.91
> > nameserver 10.243.0.90
> >
> >
> > Can telnet to 53 on dns server also can get to port 389 and 636 on the
DC
> >
> >
> >
> > [root at dc1 samba]# cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> > workgroup = AD
> > realm = AD.poopybutthole.COM
> > netbios name = DC1
> > interfaces = 10.243.0.90/16
> > bind interfaces only = Yes
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > time server = yes
> > server services = -dns
> > [netlogon]
> > path = /var/lib/samba/sysvol/ad.poopybutthole.com/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> >
> >
> > I can also get to the sysvol shares and netlogon shares just fine.
> >
> > [root at dc1 samba]# cat /etc/krb5.conf
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > dns_lookup_realm = false
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > forwardable = true
> > rdns = false
> > # default_realm = EXAMPLE.COM
> > default_ccache_name = KEYRING:persistent:%{uid}
> >
> > [realms]
> > # EXAMPLE.COM = {
> > # kdc = kerberos.example.com
> > # admin_server = kerberos.example.com
> > # }
> >
> > [domain_realm]
> > # .example.com = EXAMPLE.COM
> > # example.com = EXAMPLE.COM
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
John Farmer
Systems Manager
www.industrialinfo.com
P. (713) 980 3459
F. (713) 735 8080
The information contained in this e-mail message is legally
privileged and may include proprietary and confidential
information. This message is intended for the recipient(s) only. If
an error has misdirected this email, please notify the author by
replying to this email and then delete it from your system
immediately. If you are not the intended recipient then disclosure,
distribution, copying or printing of this email is strictly
prohibited. Information or opinions in this message that do not
relate to the business of Industrial Information Resources shall be
treated as neither given nor endorsed by it. No liability will be
accepted by Industrial Information Resources for any defamatory
statement or infringement of copyright which is contrary to our
employment policies and outside the scope of the employment of the
author. Neither Industrial Information Resources nor the author
accepts any responsibility for viruses or other destructive elements
and it is the recipients' responsibility to scan any
attachments.Please note we intercept and monitor incoming/outgoing
e-mail and therefore you should neither expect nor intend any e-mail
to be private in nature.