Bug 11517 - Samba 4.3 GPO issue when Trust is enabled
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware: All All
Importance: P5 critical
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2015-09-14 08:41 UTC by Brascon
Modified: 2016-02-25 10:52 UTC
Description Brascon 2015-09-14 08:41:05 UTC
Hi Experts

We are testing Samba 4.3 and we are having some issues with GPO. When the external trust (Windows AD and Samba) is established, the GPO will not work, with the error below:

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account. Computer Policy update has completed successfully.

When we remove the trust the GPO works. Also, when the trust is established I can enumerate users from Windows AD, but not from Samba AD, except when I issue wbinfo -u --domain=windowsAD.net

Can someone assist if it is a known issue? smb.conf below



# Global parameters
[global]
        workgroup = TEST
        realm = TEST.NET
        server role = active directory domain controller
        passdb backend = samba_dsdb
        dns forwarder =
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/cnx.net/scripts
        read only = No
        write ok = Yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        write ok = Yes
Comment 1 Stefan Metzmacher 2015-09-14 08:50:39 UTC
While a lot of things regarding trusts have been implemented and tested,
there's still some development effort required to implement full support
for trusts. This is mainly related to winbindd and NTLMSSP, but maybe more.
Comment 2 Brascon 2015-09-14 09:19:42 UTC
Many thanks Stefan, does this mean we cannot use the trust now? Is there a workaround? Strange thing: when I issue wbinfo -u --domain=windowsAD.net I can enumerate all users in the Windows AD, but not from ADUC.