Bug 11517 - Samba 4.3 GPO issue when Trust is enabled
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware: All All
Importance: P5 critical
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2015-09-14 08:41 UTC by Brascon
Modified: 2017-11-03 09:41 UTC
Description Brascon 2015-09-14 08:41:05 UTC
Hi Experts

We are testing Samba 4.3 and we are having some issues with GPO. When the external trust (Windows AD and Samba) is established, the GPO will not work, with the error below:

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
Computer Policy update has completed successfully.

When we remove the trust the GPO works. Also, when the trust is established I can enumerate users from Windows AD, but not from Samba AD, except when I issue wbinfo -u --domain=windowsAD.net

Can someone assist if it is a known issue? smb.conf below



# Global parameters
[global]
        workgroup = TEST
        realm = TEST.NET
        server role = active directory domain controller
        passdb backend = samba_dsdb
        dns forwarder =
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/cnx.net/scripts
        read only = No
        write ok = Yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        write ok = Yes
Comment 1 Stefan Metzmacher 2015-09-14 08:50:39 UTC
While a lot of things regarding trusts have been implemented and tested,
there's still some development effort required to implement full support
for trusts. This is mainly related to winbindd and NTLMSSP, but maybe more.
Comment 2 Brascon 2015-09-14 09:19:42 UTC
Many thanks Stefan. Does this mean we cannot use the trust now? Is there a workaround? Strange thing: when I issue wbinfo -u --domain=windowsAD.net I can enumerate all users in the Windows AD, but not from ADUC.


Comment 3 Clive Ferreira 2016-11-09 01:20:50 UTC

Are you trying to edit the GPO of the Samba or Windows domain?

What credentials are you using and which machine or domain are you accessing from?

We have set up a Windows AD and Samba trust ourselves on upstream Samba but have yet to run into any issues.
Comment 4 SATOH Fumiyasu 2017-02-12 15:08:35 UTC
(In reply to Brascon from comment #0)
Comment 5 Denis Shestov 2017-11-03 09:41:15 UTC
Same bug. Two ADs (one Samba and the other Windows) with trusts. When I try to update user policies with gpupdate /force Target: User the same error appears. Computer policy works fine.
Workstation and User accounts are in the same domain.
Samba version 4.6.7-Ubuntu