Rodrigo Jauregui
2018-Jul-09 17:17 UTC
[Samba] Computer members on AD are not identified and don't have group membership applied
I'm trying to set up a Fedora 27 server with Samba 4.7 as an AD DC for a Windows network. I followed the tutorial from the Samba wiki and the Arch Linux wiki and currently have things working to the point where I can join Windows machines, add users, create GPOs and apply them to users.

The problem occurs when trying to apply computer GPOs. The Windows machines just don't get affected by them. After running GPResult, I noticed that computer GPOs are denied on the basis of security filtering. Also, while the user is correctly identified and added to the groups it belongs to, the machine itself is recognized as belonging only to 'NULL SID', 'NT AUTHORITY\NETWORK', 'This company', and something like 'Obligatory level of no trust'. That's it: 'Authenticated users' or 'Domain Computers' don't appear anywhere. This explains why the policies are being filtered; the GPOs only apply to 'Authenticated users' by default, and according to GPResult, the machine doesn't belong to the group.

What I don't understand is why the group membership is not being correctly resolved. This happens to ALL Windows machines I join to the domain, and rejoining doesn't do anything. Purging Kerberos tickets for 0x3e7 and trying to access a network share as LocalSystem (psexec -s -i -d cmd) to get a new one doesn't work. I ran Wireshark to examine the AS_REP and AS_REQ, and decrypted the TGT using an exported keytab from the Linux server to check if the machine was being correctly identified, and it was; even group membership was correctly included. wbinfo and getent from another Linux server in the domain show correct id and group membership for the Windows machine accounts.

At this point I am lost. I checked every possible variation of this problem for more than a week on Google and only found 2 threads with people experiencing the same problem. Both were dead ends.

The only weird thing I found was after enabling Kerberos logging on the Windows machines. All show an 0x1A error, KDC_ERR_SERVER_NOMATCH saying EVIDENCE_TICKET_MISSMATCH. This error also appears in the mit_kdc.log file on the DC. Googling that error shows nothing, just a few one-sentence descriptions that don't really help.

Please guys, you are my only hope at this point. I can provide all config files, log files (both Windows and Linux), and even the Wireshark record I took.
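The symptom above is a machine token that carries only well-known local SIDs and none of the domain groups GPO security filtering checks for. The following is an added diagnostic helper, not code from this thread or from the Samba project; it assumes the token listing comes from `whoami /groups /fo csv` run in the SYSTEM context, and the domain SID and both sample tokens are constructed for illustration.

```python
import csv
import io
import re

# Well-known SIDs that GPO security filtering expects in a machine token.
AUTHENTICATED_USERS_SID = "S-1-5-11"
DOMAIN_COMPUTERS_RID = 515        # "Domain Computers" is <domain SID>-515
_DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-\d+$")


def parse_whoami_csv(text):
    """Return the SID column of `whoami /groups /fo csv` output (header row included)."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [row["SID"].strip() for row in reader if row.get("SID")]


def domain_sid_from(sids):
    """Derive the domain SID from any domain-relative SID in the token, or None."""
    for sid in sids:
        m = _DOMAIN_SID_RE.match(sid)
        if m:
            return m.group(1)
    return None


def missing_gpo_groups(sids, domain_sid=None):
    """Groups GPO filtering relies on that are absent from the token.

    Pass domain_sid explicitly when the token holds no domain SIDs at all,
    which is exactly the broken case described in the thread.
    """
    domain_sid = domain_sid or domain_sid_from(sids)
    missing = []
    if AUTHENTICATED_USERS_SID not in sids:
        missing.append("Authenticated Users")
    if domain_sid is None or f"{domain_sid}-{DOMAIN_COMPUTERS_RID}" not in sids:
        missing.append("Domain Computers")
    return missing


# Constructed sample tokens with a hypothetical domain SID (not real output).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BROKEN_TOKEN = '''"Group Name","Type","SID","Attributes"
"NULL SID","Well-known group","S-1-0-0","Mandatory group, Enabled by default, Enabled group"
"NT AUTHORITY\\NETWORK","Well-known group","S-1-5-2","Mandatory group, Enabled by default, Enabled group"
"NT AUTHORITY\\This Organization","Well-known group","S-1-5-15","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\\Untrusted Mandatory Level","Label","S-1-16-0",""
'''
HEALTHY_TOKEN = BROKEN_TOKEN + f'''"NT AUTHORITY\\Authenticated Users","Well-known group","{AUTHENTICATED_USERS_SID}","Mandatory group, Enabled by default, Enabled group"
"EXAMPLE\\Domain Computers","Group","{DOMAIN_SID}-{DOMAIN_COMPUTERS_RID}","Mandatory group, Enabled by default, Enabled group"
'''
```

Running `missing_gpo_groups` over the broken token reports both groups missing, which matches the GPResult security-filtering denial; a healthy token reports none.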
Andrew Bartlett
2018-Jul-10 04:21 UTC
[Samba] Computer members on AD are not identified and don't have group membership applied
On Mon, 2018-07-09 at 14:17 -0300, Rodrigo Jauregui via samba wrote:
> The only weird thing I found was after enabling Kerberos logging on the
> Windows machines. All show an 0x1A error, KDC_ERR_SERVER_NOMATCH saying
> EVIDENCE_TICKET_MISSMATCH.
> This error also appears in the mit_kdc.log file on the DC. Googling that
> error shows nothing, just a few one-sentence descriptions that don't really
> help.
>
> Please guys, you are my only hope at this point. I can provide all config
> files, log files (both Windows and Linux), and even the Wireshark record I
> took.

This sounds like https://bugzilla.samba.org/show_bug.cgi?id=13516

Can you rebuild with Heimdal and try again?

Thanks,

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba