-- 3 samba 4.10.2 DC's, binaries compiled from tarballs on Debian stretch
-- 2 DC's are on the same (main office) LAN, one is at another location vpn'ed to the main office

-- randomly windows 10 pc's will not be able to complete a gpupdate (repeated tries) with no consistency as to solutions. Sometimes the pc's can't connect to the \\dc\sysvol\local.somedomain.com
-- we've tried (and thought we had it)
-- samba-tool ntacl sysvolreset
-- synchronizing time (again) between servers, and between servers and pc's
-- rebooting pc's

sometimes any of these measures seem to suddenly work and then not.

any pointers?

Ray

oh and we also did samba-tool dbcheck --cross-ncs --fix on all dc's

On 2019-04-16 3:00 p.m., Ray Klassen via samba wrote:
> -- 3 samba 4.10.2 DC's, binaries compiled from tarballs on Debian stretch
> -- 2 DC's are on the same (main office) LAN, one is at another location vpn'ed to the main office
>
> -- randomly windows 10 pc's will not be able to complete a gpupdate (repeated tries) with no consistency as to solutions. Sometimes the pc's can't connect to the \\dc\sysvol\local.somedomain.com
> -- we've tried (and thought we had it)
> -- samba-tool ntacl sysvolreset
> -- synchronizing time (again) between servers, and between servers and pc's
> -- rebooting pc's
>
> sometimes any of these measures seem to suddenly work and then not.
>
> any pointers?
>
> Ray

On 4/16/2019 6:00 PM, Ray Klassen via samba wrote:
> -- 3 samba 4.10.2 DC's, binaries compiled from tarballs on Debian stretch
> -- 2 DC's are on the same (main office) LAN, one is at another location vpn'ed to the main office
>
> -- randomly windows 10 pc's will not be able to complete a gpupdate (repeated tries) with no consistency as to solutions. Sometimes the pc's can't connect to the \\dc\sysvol\local.somedomain.com
> -- we've tried (and thought we had it)
> -- samba-tool ntacl sysvolreset
> -- synchronizing time (again) between servers, and between servers and pc's
> -- rebooting pc's
>
> sometimes any of these measures seem to suddenly work and then not.
>
> any pointers?
>
> Ray

How are you synchronizing sysvol?

On Tue, 2019-04-16 at 15:00 -0700, Ray Klassen via samba wrote:
> -- 3 samba 4.10.2 DC's, binaries compiled from tarballs on Debian stretch
> -- 2 DC's are on the same (main office) LAN, one is at another location vpn'ed to the main office
>
> -- randomly windows 10 pc's will not be able to complete a gpupdate (repeated tries) with no consistency as to solutions. Sometimes the pc's can't connect to the \\dc\sysvol\local.somedomain.com
> -- we've tried (and thought we had it)
> -- samba-tool ntacl sysvolreset
> -- synchronizing time (again) between servers, and between servers and pc's
> -- rebooting pc's
>
> sometimes any of these measures seem to suddenly work and then not.
>
> any pointers?

(copy and paste from another email)

My experience was:

1. MIT krb doesn't support it, we need to use the old krb system.

2. We need to disable selinux, selinux permissive is not enough to allow writing to the shared folder sysvol. It causes crashes on Windows.

3. When we have 2 or more DC(s) we need to force client tools like RSAT to only write to the first DC because "Samba in its current state doesn't support SysVol replication" [1], if RSAT writes randomly on DC(s) we may have errors like: samba-tool ntacl sysvolreset, - open: error=2 (No such file or directory) [2]

4. With an efficient replication and writing POL(s) just on the first DC, it seems to work well.

Best Regards,

[1] https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
    https://www.tecmint.com/samba4-ad-dc-sysvol-replication/
[2] https://lists.samba.org/archive/samba/2018-September/218137.html

> Ray

--
Sérgio M. B.

On Wed, 17 Apr 2019 18:29:19 +0100 Sérgio Basto via samba <samba at lists.samba.org> wrote:
> My experience was:
>
> 1. MIT krb doesn't support it, we need to use the old krb system.

Do not use MIT, it is, at best, experimental.

> 2. We need to disable selinux, selinux permissive is not enough to allow writing to the shared folder sysvol. It causes crashes on Windows.

Selinux is not part of Samba, perhaps ask Fedora about this.

> 3. When we have 2 or more DC(s) we need to force client tools like RSAT to only write to the first DC because "Samba in its current state doesn't support SysVol replication" [1], if RSAT writes randomly on DC(s) we may have errors like: samba-tool ntacl sysvolreset, - open: error=2 (No such file or directory) [2]

This is a mis-configuration of your DC's. Yes, Sysvol isn't replicated (yet) but there are ways around this.

> 4. With an efficient replication and writing POL(s) just on the first DC, it seems to work well.

Provided you use some form of two way sync, you should be able to create GPO's on any Samba AD DC, but it is probably best practice to just create them on the PDC-Emulator DC.

Rowland

On 2019-04-17 5:49 a.m., James Atwell via samba wrote:
>
> On 4/16/2019 6:00 PM, Ray Klassen via samba wrote:
>> -- 3 samba 4.10.2 DC's, binaries compiled from tarballs on Debian stretch
>> -- 2 DC's are on the same (main office) LAN, one is at another location vpn'ed to the main office
>>
>> -- randomly windows 10 pc's will not be able to complete a gpupdate (repeated tries) with no consistency as to solutions. Sometimes the pc's can't connect to the \\dc\sysvol\local.somedomain.com
>> -- we've tried (and thought we had it)
>> -- samba-tool ntacl sysvolreset
>> -- synchronizing time (again) between servers, and between servers and pc's
>> -- rebooting pc's
>>
>> sometimes any of these measures seem to suddenly work and then not.
>>
>> any pointers?
>>
>> Ray
>>
> How are you synchronizing sysvol?

rsync as prescribed by the wiki.

Actually we might have found the problem. There were some stale dns records, especially A records that resolve the domain itself, pointing to a non-existent DC. also a whole slew of other records that existed for two of the dc's but not the third we had recently installed. so a major dns edit may have fixed the issue. I will update this if the problem is completely gone.
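
The DNS inconsistency described in the last message (A records for the domain itself pointing at a DC that no longer exists, and records present for two DCs but not the third) can be checked mechanically. The following is an added example, not part of the original thread: the DC names, addresses and zone dump are constructed, and the SRV list is only a subset of what an AD DC registers.

```python
# Added example: all DC names, addresses and records below are constructed.
DOMAIN = "local.somedomain.com"
LIVE_DCS = {"dc1": "192.0.2.11", "dc2": "192.0.2.12", "dc3": "198.51.100.13"}
# Subset of the SRV owner names an AD DC registers under the domain.
SRV_NAMES = ["_ldap._tcp", "_kerberos._tcp",
             "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs"]


def expected_records(name, ip, domain=DOMAIN):
    """Records one DC should own, as (owner, type, data); SRV data is just the target."""
    host = f"{name}.{domain}"
    recs = [(domain, "A", ip), (host, "A", ip)]
    recs += [(f"{srv}.{domain}", "SRV", host) for srv in SRV_NAMES]
    return recs


def audit(records, live_dcs, domain=DOMAIN):
    """Return (stale, missing): records naming unknown DCs, and records live DCs lack."""
    have = set(records)
    live_ips = set(live_dcs.values())
    live_hosts = {f"{name}.{domain}" for name in live_dcs}
    stale = []
    for owner, rtype, data in records:
        if rtype == "A" and owner == domain and data not in live_ips:
            stale.append((owner, rtype, data))   # domain A record -> no such DC
        elif rtype == "SRV" and data not in live_hosts:
            stale.append((owner, rtype, data))   # locator record -> no such DC
    missing = [rec for name, ip in live_dcs.items()
               for rec in expected_records(name, ip, domain) if rec not in have]
    return stale, missing


# Constructed zone dump: dc1 and dc2 complete, dc3 only has its host record,
# and two leftovers still point at a decommissioned "olddc".
ZONE = (expected_records("dc1", LIVE_DCS["dc1"])
        + expected_records("dc2", LIVE_DCS["dc2"])
        + [(f"dc3.{DOMAIN}", "A", LIVE_DCS["dc3"]),
           (DOMAIN, "A", "192.0.2.99"),
           (f"_ldap._tcp.{DOMAIN}", "SRV", f"olddc.{DOMAIN}")])

if __name__ == "__main__":
    stale, missing = audit(ZONE, LIVE_DCS)
    for rec in stale:
        print("STALE  ", *rec)
    for rec in missing:
        print("MISSING", *rec)
```

In practice `ZONE` would be filled from the zone as each DC serves it (for example from `samba-tool dns query` or `dig` output), so that differences between DCs show up as well.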