Environment
Situation
GPO's can be created, but they can not be edited.
The gpo editor trys to open\\domain.com\sysvol\.... but can not.
When browsing to the \\domain.com the sysvol is seen, but can not be opened.
Resolution
Look in the /var/log/samba/log.smbd
This is what should be seen if one is able to mange a
GPO:
[2009/02/19 09:49:13, 1]
smbd/service.c:make_connection_snum(1033)
164.99.102.6
(164.99.102.6) connect to service sysvol initially as user
SMILE\administrator (uid=1049076, gid=1049089) (pid 27728)
This is what was seen when unable
to mange a GPO:
[2009/02/19 09:50:18, 1]
libads/kerberos_verify.c:ads_secrets_verify_ticket(237)
ads_secrets_verify_ticket:
failed to fetch machine password
[2009/02/19 09:50:18, 1]
smbd/sesssetup.c:reply_spnego_kerberos(316)
Failed to verify
incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2009/02/19
09:50:18, 1]
libads/kerberos_verify.c:ads_secrets_verify_ticket(237)
ads_secrets_verify_ticket:
failed to fetch machine password
[2009/02/19 09:50:18, 1]
smbd/sesssetup.c:reply_spnego_kerberos(316)
Failed to verify
incoming ticket with error NT_STATUS_LOGON_FAILURE!
The issue
is with time being off between the workstation and the server. Change time on the workstation to be in
sync with the server and then try to manage the
GPO. The server should have ntp configured so time is taken from a ntp time server. The workstation can be configured to use a ntp time server also. If time contiues to drift configure ntp on the workstation.