On 6/19/22 2:37 AM, samba-ml-en via samba wrote:
> Hi all,
>
> I seem to have an issue with applying GPOs to a DC:
>
> Symptoms:
> Manual application works from ssh (samba-gpupdate --force)
> Automatic application will always fail (apply group policies = true)
>
> GPO linked to DC OU contains one setting for motd (Hello the world)
> ssh to the server, run samba-gpupdate --force, samba-gpupdate --rsop
>
> Policy Type: /etc/motd
>
> ------------------------------------------------------------------------------
> Hello the world
>
> cat /etc/motd
> Hello the world
>
> now samba-gpupdate --unapply
> cat /etc/motd --> empty, this is correct
>
> Reboot the server
> cat /etc/motd --> empty, this is wrong
> look in the logs
>
> <27>1 2022-06-19T08:23:34.844029+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:34.843691, 0] ../../source3/winbindd/winbindd.c:1722(main)
> <27>1 2022-06-19T08:23:34.844236+00:00 tristsnpa43 winbindd 1446 - - winbindd version 4.15.5-Ubuntu started.
> <27>1 2022-06-19T08:23:34.844303+00:00 tristsnpa43 winbindd 1446 - - Copyright Andrew Tridgell and the Samba Team 1992-2021
> <28>1 2022-06-19T08:23:34.933431+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:34.933287, 1] ../../source3/lib/tdb_validate.c:480(tdb_validate_and_backup)
> <28>1 2022-06-19T08:23:34.933558+00:00 tristsnpa43 winbindd 1446 - - tdb '/var/lib/samba/winbindd_cache.tdb' is valid
> <28>1 2022-06-19T08:23:34.934074+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:34.934009, 1] ../../source3/lib/tdb_validate.c:489(tdb_validate_and_backup)
> <28>1 2022-06-19T08:23:34.934186+00:00 tristsnpa43 winbindd 1446 - - Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb '/var/lib/samba/winbindd_cache.tdb'
> <28>1 2022-06-19T08:23:34.941167+00:00 tristsnpa43 winbindd 1473 - - [2022/06/19 08:23:34.940986, 1] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
> <28>1 2022-06-19T08:23:34.941284+00:00 tristsnpa43 winbindd 1473 - - samba_tevent: EPOLL_CTL_ADD failed (Invalid argument) replay[0] - calling panic_fallback
> <29>1 2022-06-19T08:23:35.042191+00:00 tristsnpa43 samba 1450 - -
[2022/06/19 08:23:35.041983, 3]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> <29>1 2022-06-19T08:23:35.042315+00:00 tristsnpa43 samba 1450 - -
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[TRISTSNPA43$@AD2.TESTDOMAIN.EU] at [Sun, 19 Jun 2022 08:23:35.041974
UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)]
remote host [ipv4:10.10.20.43:39325] became [AD2TESTDOMAIN]\[TRISTSNPA43$]
[S-1-5-21-2411287637-2672124256-485923657-1000]. local host [NULL]
> <29>1 2022-06-19T08:23:35.042355+00:00 tristsnpa43 samba 1450 - -
{"timestamp": "2022-06-19T08:23:35.042232+0000",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "17743f319e7720c5",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
"ipv4:10.10.20.43:39325", "serviceDescription":
"Kerberos KDC", "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
"clientAccount": "TRISTSNPA43$@AD2.TESTDOMAIN.EU",
"workstation": null, "becameAccount":
"TRISTSNPA43$", "becameDomain": "AD2TESTDOMAIN",
"becameSid":
"S-1-5-21-2411287637-2672124256-485923657-1000",
"mappedAccount": "TRISTSNPA43$", "mappedDomain":
"AD2TESTDOMAIN", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 1833}}
> <29>1 2022-06-19T08:23:35.074704+00:00 tristsnpa43 samba 1447 - -
[2022/06/19 08:23:35.074468, 3]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
> <29>1 2022-06-19T08:23:35.074836+00:00 tristsnpa43 samba 1447 - -
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[TRISTSNPA43$@AD2.TESTDOMAIN.EU] at [Sun, 19 Jun 2022 08:23:35.074460
UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)]
remote host [ipv4:10.10.20.43:36210] became [AD2TESTDOMAIN]\[TRISTSNPA43$]
[S-1-5-21-2411287637-2672124256-485923657-1000]. local host [NULL]
> <29>1 2022-06-19T08:23:35.074897+00:00 tristsnpa43 samba 1447 - -
{"timestamp": "2022-06-19T08:23:35.074594+0000",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "20e4e3df88368059",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": null, "remoteAddress":
"ipv4:10.10.20.43:36210", "serviceDescription":
"Kerberos KDC", "authDescription": "ENC-TS
Pre-authentication", "clientDomain": null,
"clientAccount": "TRISTSNPA43$@AD2.TESTDOMAIN.EU",
"workstation": null, "becameAccount":
"TRISTSNPA43$", "becameDomain": "AD2TESTDOMAIN",
"becameSid":
"S-1-5-21-2411287637-2672124256-485923657-1000",
"mappedAccount": "TRISTSNPA43$", "mappedDomain":
"AD2TESTDOMAIN", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 1272}}
> <27>1 2022-06-19T08:23:35.179652+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.179512, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.179736+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-2411287637-2672124256-485923657-1000 -> getpwuid(3000029) failed, is nsswitch configured?
> <27>1 2022-06-19T08:23:35.210940+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210811, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211019+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: Traceback (most recent call last):
> <27>1 2022-06-19T08:23:35.211078+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210882, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211142+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/sbin/samba-gpupdate", line 119, in <module>
> <27>1 2022-06-19T08:23:35.211201+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210914, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211261+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
> <27>1 2022-06-19T08:23:35.211327+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210923, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211363+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 438, in apply_gp
> <27>1 2022-06-19T08:23:35.211401+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210932, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211459+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: gpos = get_gpo_list(dc_hostname, creds, lp)
> <27>1 2022-06-19T08:23:35.211524+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210951, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211571+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 370, in get_gpo_list
> <27>1 2022-06-19T08:23:35.211622+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210972, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211693+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: gpos = ads.get_gpo_list(creds.get_username())
> <27>1 2022-06-19T08:23:35.211768+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210986, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211841+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu): The specified account does not exist.
>
> This is repeated each time GPOs are applied with "apply group policies = true".
>
> I am worried about the following message:
> samba_tevent: EPOLL_CTL_ADD failed (Invalid argument) replay[0] - calling panic_fallback
> However I could not find much about it.
>
> The computer account seems to auth ok and:
> getent passwd AD2TESTDOMAIN\\TRISTSNPA43$
> AD2TESTDOMAIN\tristsnpa43$:*:3000029:100::/home/AD2TESTDOMAIN/tristsnpa43_:/bin/bash
>
> Here is my config:
>
> uname -a
> Linux tristsnpa43 5.15.0-37-generic #39-Ubuntu SMP Wed Jun 1 19:16:45 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
>
> smbd -V
> Version 4.15.5-Ubuntu
>
> smb.conf
> [global]
> bind interfaces only = Yes
> disable netbios = Yes
> disable spoolss = Yes
> dns zone transfer clients allow = 127.0.0.1 10.10.20.9
> interfaces = lo vlan20
> kerberos encryption types = strong
> kerberos method = secrets and keytab
> ldap server require strong auth = Yes
> logging = syslog at 3 file at 3
> log level = 1 auth_audit:3@/var/log/samba/auth_audit.log auth_json_audit:3@/var/log/samba/auth_audit.json
> name resolve order = host lmhosts wins bcast
> netbios name = TRISTSNPA43
> ntlm auth = mschapv2-and-ntlmv2-only
> password hash userPassword schemes = CryptSHA256 CryptSHA512
> printcap name = /dev/null
> realm = AD2.TESTDOMAIN.EU
> restrict anonymous = 2
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> smb ports = 445
> template homedir = /home/%D/%U
> template shell = /bin/bash
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls priority = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> workgroup = AD2TESTDOMAIN
> idmap_ldb:use rfc2307 = no
> acl:search = true
> apply group policies = true
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad2.testdomain.eu/scripts
> read only = No
> [dfs]
> comment = DFS Proxy Share
> msdfs proxy = \tristsnpa43.ad2.testdomain.eu\dfsroot
> read only = No
> msdfs root = Yes
> vfs objects = dfs_samba4 acl_xattr recycle
> browsable = Yes
>
> [dfsroot]
> comment = DFS Root Share
> path = /var/lib/samba/dfsroot
> read only = No
> msdfs root = Yes
> vfs objects = dfs_samba4 acl_xattr recycle
> browsable = No
>
> krb5.conf:
> [libdefaults]
> default_realm = AD2.TESTDOMAIN.EU
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> AD2.TESTDOMAIN.EU = {
> default_domain = ad2.testdomain.eu
> }
>
> [domain_realm]
> tristsnpa43 = AD2.TESTDOMAIN.EU
>
> nsswitch.conf:
> passwd: files systemd winbind
> group: files systemd winbind
This is the relevant error (from your debug):
Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 119, in <module>
    apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 438, in apply_gp
    gpos = get_gpo_list(dc_hostname, creds, lp)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 370, in get_gpo_list
    gpos = ads.get_gpo_list(creds.get_username())
RuntimeError: Failed to get machine token for 'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu): The specified account does not exist.
Does 'CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu' exist?
--
*David Mulder*
Labs Software Engineer, Samba
SUSE
1221 Valley Grove Way
Pleasant Grove, UT 84062
dmulder at suse.com
http://www.suse.com
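The traceback quoted in the reply was dug out of winbindd's syslog relay by hand; the following is an added example (not from the thread, and not Samba's own code) that does the same reassembly in Python, strips the RFC 5424 prefix and Samba's debug-header lines, and pulls out the DN that the reply asks about. It assumes each syslog record is on a single line, as rsyslog writes it (the mail wrapped them); the sample input is a constructed abridgement of the records in the post.

```python
import re

# Constructed sample: an abridged set of the post's records, one syslog record per line.
SAMPLE_LOG = """\
<28>1 2022-06-19T08:23:34.941284+00:00 tristsnpa43 winbindd 1473 - - samba_tevent: EPOLL_CTL_ADD failed (Invalid argument) replay[0] - calling panic_fallback
<27>1 2022-06-19T08:23:35.179652+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.179512, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.179736+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-2411287637-2672124256-485923657-1000 -> getpwuid(3000029) failed, is nsswitch configured?
<27>1 2022-06-19T08:23:35.211019+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: Traceback (most recent call last):
<27>1 2022-06-19T08:23:35.211142+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/sbin/samba-gpupdate", line 119, in <module>
<27>1 2022-06-19T08:23:35.211261+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
<27>1 2022-06-19T08:23:35.211841+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu): The specified account does not exist.
"""

# RFC 5424 header as in the post: "<PRI>1 TIMESTAMP HOST APP PID - - MSG" (a leading "> " mail quote is tolerated)
SYSLOG_RECORD = re.compile(r"^(?:> )?<\d+>1 \S+ (?P<host>\S+) (?P<app>\S+) (?P<pid>\d+) - - (?P<msg>.*)$")
# Samba's own debug header "[YYYY/MM/DD hh:mm:ss.uuuuuu, LEVEL] file:line(func)"; it carries no payload
DEBUG_HEADER = re.compile(r"^\[\d{4}/\d{2}/\d{2} [\d:.]+, +\d+\]")
# winbindd relays every stderr line of the child it ran with this tag (util_runcmd.c)
RUNCMD_TAG = "/usr/sbin/samba-gpupdate: "

def reassemble_gpupdate_output(log_text):
    """Split winbindd's relay of samba-gpupdate stderr into (traceback_lines, nss_warnings)."""
    traceback, warnings = [], []
    for raw in log_text.splitlines():
        m = SYSLOG_RECORD.match(raw.strip())
        if not m or m.group("app") != "winbindd":
            continue                      # not a winbindd record at all
        msg = m.group("msg").strip()
        if DEBUG_HEADER.match(msg) or not msg.startswith(RUNCMD_TAG):
            continue                      # debug header, or an unrelated winbindd message
        payload = msg[len(RUNCMD_TAG):]
        if "getpwuid(" in payload:        # the "is nsswitch configured?" complaint
            warnings.append(payload)
        else:
            traceback.append(payload)
    return traceback, warnings

def root_cause(traceback_lines):
    """Return the final 'SomeError: message' line of the traceback, or None."""
    for line in reversed(traceback_lines):
        if re.match(r"^\w*(Error|Exception): ", line):
            return line
    return None

def account_dn(error_line):
    """Pull the DN out of "Failed to get machine token for ...(DN): ..." so it can be looked up."""
    m = re.search(r"\((CN=.*?)\):", error_line or "")
    return m.group(1) if m else None
```

Feed it the journal or syslog text (`reassemble_gpupdate_output(open(path).read())`) and pass the resulting root-cause line to `account_dn` to get the object whose existence the reply asks about.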