
[Samba] Having a trust with Windows domain breaks GPOs in Samba domain




Hi list,

this might be related to my other mail with the subject "Domain trust
and browsing users and groups problem".

We have a forest trust of two domains. One domain in US (us.root.prv)
running exclusively on Windows 2012 R2 and one in EU
(spreadshirt.private) running exclusively Sernet Samba 4.8.3-11. Both
domains run functional level "2008 R2". The trust validates successfully
using "samba-tool domain trust validate" and in "Domains and trusts".

Since establishing the trust, processing of group policies fails on all
Windows members in the Samba domain.

Running gpupdate /force produces this error:

C:\Users\tmu>gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy could not be updated successfully. The following errors were
encountered:

The processing of Group Policy failed. Windows could not determine if
the user and computer accounts are in the same forest. Ensure the user
domain name matches the name of a trusted domain that resides in the
same forest as the computer account.

To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from the command line to access information about Group
Policy results.


In the system event log this is logged:
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          7/5/2018 12:18:35 PM
Event ID:      1110
Task Category: None
Level:         Error
Keywords:
User:          SPREADSHIRT\tmu
Computer:      p223.spreadshirt.private
Description:
The processing of Group Policy failed. Windows could not determine if
the user and computer accounts are in the same forest. Ensure the user
domain name matches the name of a trusted domain that resides in the
same forest as the computer account.


Searching the internet for this error only points to a netlogon service
not running on the Windows machine, which is the case here.
Removing the trust makes GPOs work again on all Windows clients.

My question is: Are trusts ready for production?

From my experience so far, they produce more trouble than gain.
Thank you for any insights.

Tino
