Thanks for your advice, especially about the global parameters:
> # Global parameters
> [global]
>
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> unix extensions = no
> winbind nss info = rfc2307
When I removed the parameter vfs object = acl_xattr and then restarted Samba,
everything started to work properly.
Yes, it's my bad, the Samba wiki says:
"
On a Samba Active Directory (AD) domain controller (DC), extended ACL
support is automatically enabled globally. You must not enable the support
manually.
"
Now the computer can perform gpupdate correctly.
But I can't understand why this parameter caused an error of this type:
log.smbd on DC1:
[2017/01/13 13:49:16.075361, 1] ../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC1$EXAMPLE.ORG(kvno 7) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/01/13 13:49:16.075405, 1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Thanks a lot
Regards
Łukasz Sellmann
2017-02-03 17:58 GMT+01:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Fri, 3 Feb 2017 17:39:17 +0100
> Łukasz Sellmann via samba <samba at lists.samba.org> wrote:
>
> > */etc/samba/smb.conf*
> >
> > # Global parameters
> > [global]
> >
> > workgroup = GSBK
> > realm = biuro.gsbk.pl
> > netbios name = DC1
> > server role = active directory domain controller
> > dns forwarder = 192.168.0.1
> >
> > ldap server require strong auth = no
> > allow dns updates = nonsecure and secure
> > require strong key = no
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> > unix extensions = no
> > winbind nss info = rfc2307
>
> OK, just who is it that is telling people to add the above five lines to
> a DC smb.conf ???
>
> Whoever it is, will they please stop doing it, or to put it another way:
>
> Remove those lines, they should only be in a Unix domain member smb.conf
>
> > winbind enum users = yes
> > winbind enum groups = yes
> > idmap_ldb:use rfc2307 = yes
> >
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/biuro.gsbk.pl/scripts
> > read only = no
> > browseable = no
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = no
> > browseable = no
>
>
> Again, remove the browseable lines, there is no browsing on a Samba AD
> DC.
>
> > */etc/krb.conf*
> >
> > [libdefaults]
> > default_realm = BIURO.GSBK.PL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> >
> > */etc/hosts*
> >
> > 192.168.0.3 DC1
> > 127.0.0.1 localhost
> > # The following lines are desirable for IPv6 capable hosts
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
>
> The 192.168.0.3 line should be:
> 192.168.0.3 dc1.biuro.gsbk.pl dc1
>
> Provided, of course, that DC1 has a fixed IP and it should have a fixed
> IP
>
> > */etc/hostname*
> >
> > DC1
> >
> > */etc/resolv.conf*
> >
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > nameserver 192.168.0.3
> > search biuro.gsbk.pl
> >
>
> I personally would remove resolvconf, it is totally unneeded on a
> machine with a fixed IP
>
> Rowland
>
>
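
A small checker for the advice in this thread, as an added example that is not from either poster or from the Samba project: in an smb.conf whose server role is "active directory domain controller", it flags the five [global] lines the reply says belong only in a Unix domain member smb.conf, plus the browseable lines in shares. The function name lint_dc_conf, the reason strings and the sample config are assumptions made for this illustration.

```python
import re

def norm(name):
    """smb.conf names ignore case and whitespace, so compare them squeezed."""
    return "".join(name.lower().split())

# The five [global] lines the reply says belong only in a domain member smb.conf.
MEMBER_ONLY = {norm(p) for p in ("vfs objects", "map acl inherit",
               "store dos attributes", "unix extensions", "winbind nss info")}
BROWSE = {"browseable", "browsable"}  # smb.conf accepts both spellings
DC_ROLE = norm("active directory domain controller")

def lint_dc_conf(text):
    """Return [(line_no, section, parameter, reason)]; [] if not an AD DC config."""
    section, params = None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = norm(m.group(1))
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)      # only the first '=' counts
            params.append((no, section, key.strip(), value))
    if not any(s == "global" and norm(k) == "serverrole" and norm(v) == DC_ROLE
               for _, s, k, v in params):
        return []
    findings = []
    for no, s, k, _ in params:
        if s == "global" and norm(k) in MEMBER_ONLY:
            findings.append((no, s, k, "member-only setting in a DC smb.conf"))
        elif s != "global" and norm(k) in BROWSE:
            findings.append((no, s, k, "no browsing on a Samba AD DC"))
    return findings

# Constructed sample, cut down from the smb.conf quoted in the thread.
SAMPLE = """\
[global]
    workgroup = GSBK
    server role = active directory domain controller
    vfs objects = acl_xattr
    map acl inherit = yes
    idmap_ldb:use rfc2307 = yes
[sysvol]
    path = /var/lib/samba/sysvol
    read only = no
    browseable = no
"""

if __name__ == "__main__":
    for finding in lint_dc_conf(SAMPLE):
        print("line %d [%s] %s: %s" % finding)
```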