Hi, I found all our Windows 10 workstation are not able to update group policy. I tried manually using gpupdate /force also fails. The following error display after I execute gpupdate command. The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful. Also tried the following registry but no helps. \\*\SYSVOL RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0 \\*\NETLOGON RequireMutualAuthentication=1,RequireIntegrity=1 I also discover that when I use group policy editor and navigate to Computer Configuration->Windows Settings->Security Settings, it will display an error about "Wired Network Management".
Hi Kelvin, Do you mean that it's only going wrong on Windows 10? Or that you only have Windows 10 workstations? Do other things, like logging in on the workstations, or browsing on file shares, or running "wbinfo -i <username>" on the server still work? If you shut down samba the normal way (using an init.d script or whatever you're using on your OS) does it actually stop, or do several 'smb' or 'samba' processes keep on running? The reason i'm asking is that i'm seeing somewhat similar symptoms and i'm wondering wether it's the same problem or something entirely different. Sander
(In reply to Sander Plas from comment #1) Hi, Most of Workstations in my company are Windows 7. All windows 7 workstations works normally. They can login, browse the share, use RSAT without any error message, execute gpupdate without any errors.
(In reply to Kelvin Yip from comment #2) I find another problem of Windows 10 which may be related. When I try to add a domain user to local administrator group. I cannot lookup a domain user when I click "check user" button. Again, all Windows 7 workstation behave normal. Thanks.
(In reply to Kelvin Yip from comment #3) Finally, I figure out all these problems are related to these setting:restrict anonymous = 2, setting this value to 0 or 1 does not have this problem. I think I use this setting from SambaV 4.0 Is it an expected behaviour ?
All the mentioned problems seems fixed in 4.5.2 However, some workstations(Windows 7 so far) failed to update group policy. After running this command samba-tool ntacl sysvolreset, the following message are shown. open: error=2 (No such file or directory) ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error') File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run lp, use_ntvfs=use_ntvfs) File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1514, in set_gpos_acl passdb=passdb) File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1477, in set_dir_acl setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service) File "/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py", line 128, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER |security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd2, service=service)
I added a debug message in /usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py, it shows that a folder is missing during processing. After I create the folder. The message is no longer exists. Even through there is still a workstation cannot perform gpupdate successfully. I believe it may not related to samba4. Thanks all.
Sorry, I find that after reboot Windows 7 machine. The group policy cannot be update on Windows 7. The following error message appear after I execute gpupdate /force. User policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xxxxx,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure. Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xxxxx,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure. The following warnings were encountered during computer policy processing: Windows failed to apply the Scripts settings. Scripts settings might have its own log file. Please click on the "More information" link. Windows failed to apply the Group Policy Services settings. Group Policy Services settings might have its own log file. Please click on the "More information" link. Windows failed to apply the Group Policy Scheduled Tasks settings. Group Policy Scheduled Tasks settings might have its own log file. Please click on the "More information" link. Windows failed to apply the Group Policy Registry settings. Group Policy Registry settings might have its own log file. Please click on the "More information" link. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
in case the ACLs on the sysvol had been set correct, this doesn't look like a samba but like a windows issue