-
Title
vgptool appy: Check that SMB is enabled on the server -
Description
Group policies fail to apply and debug of the vgptool apply command shows: Check that SMB is enabled on the server -
Cause
SMB1 has been disabled in Active Directory. -
Resolution
In Authentication Services versions 4.1.0.22739 to versions 4.1.2.x run the following to increase the range of smb support in the vas.conf configuration file:
# /opt/quest/bin/vastool configure vas libvas smb-dialect-range 1-2.1
In the latest version 4.1.3 it uses SMB2+ by default, as opposed to the SMB1 which the older versions use by default therefore upgrading to version 4.1.3 and above will also resolve the issue.
Note that you may not always see this issue on all systems this is because vgptool doesn't always download from the CIFS/SMB side of things. It checks the LDAP side first, and only downloads if it has changed.
So if the working system downloaded the policies when SMB1 worked, it wouldn't notice the SMB1 issue until a policy changed and it tries to download it again.
The systems that appear to work only do so due to caching. It isn't doing that query every time, only when the policy changes. Once it does, they ALL will break.
You should be able to see it from on a working system by running:
/opt/quest/bin/vgptool clean 0
/opt/quest/bin/vgptool apply
The vgptool clean 0 command clears the cache, and next apply it will have to download the policies again, and should fail.