rme at bluemail.ch
2016-Aug-03 11:41 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hello,
I think I really need some help on this.
Since the Samba 4.2.11 upgrade my Windows 10 clients are unable to synchronize group
policies. I have asked about this already here
<https://lists.samba.org/archive/samba/2016-April/199226.html>. Now I have
re-investigated the issue with the Windows 10 1607 update and still face the same
issue, which prevents me from rolling out this configuration in production.
My Setup:
- Samba 4.2.14 in active directory domain controller role
- BIND_DLZ DNS backend
- Windows 10 Pro 1607 clients
I am successfully able to join the clients to the Samba AD domain but they fail
to synchronize group policies and therefore fail to apply logon/logoff scripts
as well as important system settings.
Executing 'gpupdate' on the command line yields the following output:
----
The processing of Group Policy failed. Windows could not resolve the computer
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were
encountered:
The processing of Group Policy failed. Windows could not resolve the user name.
This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
----
On Samba side with log level 10 I get the following errors:
----
[2016/08/03 13:12:41.571366, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:41.571495, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED
----
I am specifically worried about the "unknown mech-code" error, which might
indicate some issues regarding Kerberos crypto. I am running Samba on Gentoo
along with Heimdal 1.5.3-r2.
Does anybody have a clue where to look for a configuration mistake or whether I
should report this as a bug?
I am especially concerned because this error did not occur in Samba 4.2.9 (the last
version before the badlock security update).
Any help or hint would be highly appreciated!
When running gpupdate the following block of messages is repeated multiple
times in the samba logs:
[2016/08/03 13:12:39.715332, 3]
../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2016/08/03 13:12:39.716203, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC mechanism spnego
[2016/08/03 13:12:39.716472, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC submechanism gssapi_krb5
[2016/08/03 13:12:39.718868, 5]
../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
gensec_gssapi: NO credentials were delegated
[2016/08/03 13:12:39.718993, 5]
../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
GSSAPI Connection will be cryptographically sealed
[2016/08/03 13:12:39.728127, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:39.728261, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED
[2016/08/03 13:12:39.729278, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/08/03 13:12:39.729352, 5]
../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.16428.49
[2016/08/03 13:12:39.729499, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
Here are my compiled parameters as printed by testparm:
# Global parameters
[global]
workgroup = MYDOM
realm = ad.mydom.local
netbios aliases = SOFTWARE
server string = Server
interfaces = 127.0.0.1/8 10.0.1.6/24 fdea:5b48:d4c1:1:1::6/64
bind interfaces only = Yes
server role = active directory domain controller
passdb backend = samba_dsdb
log file = /var/log/samba/smb.%M
max log size = 500
time server = Yes
deadtime = 2
logon script = KIX32.exe logon.kix
logon path = \\%N\profile\.winprofile
logon drive = N:
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
acl:search = no
idmap config * : backend = tdb
veto files = /*.k/*.encoderpass/*.locky/*.ecc/*.ezz/*.exx/*.zzz/*.xyz/*.aaa/*.abc/*.ccc/*.vvv/*.xxx/*.ttt/*.micro/*.encrypted/*.locked/*.crypto/_crypt/*.crinf/*.r5a/*.xrtn/*.XTBL/*.crypt/*.R16M01D05/*.pzdc/*.good/*.LOL!/*.OMG!/*.RDM/*.RRK/*.encryptedRSA/*.crjoker/*.EnCiPhErEd/*.LeChiffre/*.keybtc@inbox_com/*.0x0/*.bleep/*.1999/*.vault/*.HA3/*.toxcrypt/*.magic/*.SUPERCRYPT/*.CTBL/*.CTB2/*.locky/HELPDECRYPT.TXT/HELP_YOUR_FILES.TXT/HELP_TO_DECRYPT_YOUR_FILES.txt/RECOVERY_KEY.txt/HELP_RESTORE_FILES.txt/HELP_RECOVER_FILES.txt/HELP_TO_SAVE_FILES.txt/DecryptAllFiles.txt/DECRYPT_INSTRUCTIONS.TXT/INSTRUCCIONES_DESCIFRADO.TXT/How_To_Recover_Files.txt/YOUR_FILES.HTML/YOUR_FILES.url/encryptor_raas_readme_liesmich.txt/Help_Decrypt.txt/DECRYPT_INSTRUCTION.TXT/HOW_TO_DECRYPT_FILES.TXT/ReadDecryptFilesHere.txt/Coin.Locker.txt/_secret_code.txt/About_Files.txt/Read.txt/DECRYPT_ReadMe.TXT/DecryptAllFiles.txt/FILESAREGONE.TXT/IAMREADYTOPAY.TXT/HELLOTHERE.TXT/READTHISNOW!!!.TXT/SECRETIDHERE.KEY/IHAVEYOURSECRET.KEY/SECRET.KEY/HELPDECYPRT_YOUR_FILES.HTML/help_decrypt_your_files.html/HELP_TO_SAVE_FILES.txt/RECOVERY_FILES.txt/RECOVERY_FILE.TXT/RECOVERY_FILE*.txt/HowtoRESTORE_FILES.txt/HowtoRestore_FILES.txt/howto_recover_file.txt/restorefiles.txt/howrecover+*.txt/_how_recover.txt/recoveryfile*.txt/recoverfile*.txt/recoveryfile*.txt/Howto_Restore_FILES.TXT/help_recover_instructions+*.txt/_Locky_recover_instructions.txt/
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr
Many thanks
Rainer
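The samba log excerpt above, run through an added example that is not part of this thread or of Samba itself: a small Python parser that groups samba's multi-line debug entries by their "[timestamp, level]" header, picks out every failed GSSAPI unseal together with the values from the gssapi_unseal_packet(...) line, and records whether the DCERPC connection was torn down right afterwards. The sample log is constructed from the lines quoted above, re-laid-out the way samba writes them (source location and message on their own indented lines, not re-wrapped by mail); the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the level-10 log excerpt quoted in the thread.
SAMPLE_LOG = """\
[2016/08/03 13:12:39.716203, 5]
  ../auth/gensec/gensec_start.c:672(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2016/08/03 13:12:39.718993, 5]
  ../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
  GSSAPI Connection will be cryptographically sealed
[2016/08/03 13:12:39.728127, 1]
  ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:39.728261, 0]
  ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
[2016/08/03 13:12:39.729278, 3]
  ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/08/03 13:12:41.571366, 1]
  ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:41.571495, 0]
  ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*$")
LOCATION_RE = re.compile(r"^\s*\S+\.c:\d+\((\w+)\)\s*$")
UNSEAL_RE = re.compile(
    r"gssapi_unseal_packet\(hdr_signing=(\d+),sig_size=(\d+),data=(\d+),pdu=(\d+)\)"
    r" failed: (NT_STATUS_\w+)")


@dataclass
class Entry:
    timestamp: str
    level: int
    function: str = ""   # function named in the "file.c:line(function)" location line
    message: str = ""    # the remaining line(s) of the entry, joined with spaces


@dataclass
class UnsealFailure:
    timestamp: str
    hdr_signing: int
    sig_size: int
    data: int
    pdu: int
    status: str
    gssapi_error: Optional[str]   # text of the preceding gss_unwrap_iov failure, if logged
    connection_dropped: bool      # was the DCERPC connection terminated right after?


def parse_samba_log(text: str) -> List[Entry]:
    """Group samba's multi-line debug output into one Entry per header line."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = Entry(timestamp=m.group(1), level=int(m.group(2)))
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first header is ignored
        m = LOCATION_RE.match(raw)
        if m and not current.function:
            current.function = m.group(1)
            continue
        current.message = (current.message + " " + raw.strip()).strip()
    return entries


def find_unseal_failures(entries: List[Entry]) -> List[UnsealFailure]:
    """Pick out every failed GSSAPI unseal and attach the entries around it."""
    findings: List[UnsealFailure] = []
    for i, e in enumerate(entries):
        if e.function != "gensec_gssapi_unseal_packet":
            continue
        m = UNSEAL_RE.search(e.message)
        if not m:
            continue
        prev = entries[i - 1] if i > 0 else None
        nxt = entries[i + 1] if i + 1 < len(entries) else None
        findings.append(UnsealFailure(
            timestamp=e.timestamp,
            hdr_signing=int(m.group(1)), sig_size=int(m.group(2)),
            data=int(m.group(3)), pdu=int(m.group(4)), status=m.group(5),
            gssapi_error=prev.message if prev and prev.function == "gssapi_unseal_packet" else None,
            connection_dropped=bool(nxt and nxt.function == "stream_terminate_connection"),
        ))
    return findings


def report(text: str) -> List[str]:
    """One readable line per failure, for a quick scan of a large log."""
    lines = []
    for f in find_unseal_failures(parse_samba_log(text)):
        lines.append("%s unseal of %d-byte PDU (sig %d bytes, header signing %s) -> %s; %s"
                     % (f.timestamp, f.pdu, f.sig_size, "on" if f.hdr_signing else "off",
                        f.status, "connection dropped" if f.connection_dropped else "connection kept"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

With the config above (log file = /var/log/samba/smb.%M) each client writes its own log, so `report(open("/var/log/samba/smb.<client>").read())` gives one line per rejected sealed PDU for that machine; pairing the failure with the "Terminating connection" entry that follows is what separates a fatal reject from one the client retried.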
The server expects TLS but you didn't set TLS. Read: https://www.samba.org/samba/history/samba-4.2.10.html
Basically it's now:
Default: ldap server require strong auth = yes
You can try to add:
ldap server require strong auth = no
But I do advise to set up the TLS parameters and make everything more secure.
Please read these links, MS changed some things in GPO also.
MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398
The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622
Short version: Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO). If you are using security filtering, add the Domain Computers group with read permission.
And last, make sure you updated to the last policy set.
https://www.niallbrady.com/2016/02/03/how-can-i-add-new-windows-10-admx-files-to-the-group-policy-central-store-and-then-deploy-them/
To update the policy set, you can also copy the local grouppolicy folder on the windows 10 pc to the server.
Greetz.
Louis
rme at bluemail.ch
2016-Aug-03 13:19 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hi Louis,
Many many thanks for your very quick and comprehensive reply.
I also found this thread here
<https://lists.samba.org/archive/samba/2016-July/201471.html>
Unfortunately none of the suggestions seem to entirely resolve the issue.
As a first work-around I have inserted
ldap server require strong auth = no
to my smb.conf and re-started Samba.
Unfortunately this didn't change anything. I am still getting the same errors
from gpupdate.exe (with the same errors logged to the event log) claiming name
resolution failure while the samba logs report:
[2016/08/03 15:17:45.609250, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 15:17:45.609387, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED
I am not fully sure about the MS changes though. My GPOs all list "Authenticated
Users" in the "Security Filtering" section in the Scope tab. I am unsure where to
insert the "Authenticated Users" group in the GPO with read permissions. Does it
mean I should add "Authenticated Users" in the Delegation tab? If yes, then all
my GPOs already have this entry in the Delegation tab:
- Authenticated Users, Read (from Security Filtering)
I also tried inserting Domain Computers with Read permissions to the Delegation
tab. No change in the result though.
I also tried to remove the "Authenticated Users" entry from Security Filtering,
with and without adding it to the Delegation tab, to no avail. It still complains
about name resolution failure on the domain controller.
I also added the admx templates successfully to sysvol but this did not fix the
GPO processing issue (as expected).
In addition, samba-tool ntacl sysvolcheck also returns the same error as
indicated in the thread above:
# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/ad.cyberdyne.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Though according to
<https://lists.samba.org/archive/samba/2016-July/201448.html> this might be a
samba-tool issue.
Though I don't think it's related to the error, as it looks like somehow it's not
about permissions or issues on the sysvol share level but rather crypto/signature
issues.
Moreover I tried a bit more GPO debugging as instructed here:
<https://lists.samba.org/archive/samba/2016-August/201762.html>
Perhaps the following log line points out an error:
GPSVC(3a8.b94) 15:07:34:198 ProcessGPOs(Machine): MyGetUserName failed with 5.
The full log can be found here:
<http://pastebin.com/vgbhx0cm>
Many thanks again.
Rainer
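The sysvolcheck output above prints two long SDDL strings and only says they differ. As an added example, not part of this thread and not samba-tool's own code, here is a small Python SDDL parser that splits each descriptor into owner, group, DACL flags and ACEs, decodes the two-letter SID aliases and the file access masks, and reports field by field where the on-disk descriptor deviates from the expected one. The two SDDL strings are taken verbatim from the error above; the alias tables are the standard SDDL well-known SIDs and file rights, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The two SDDL strings printed by 'samba-tool ntacl sysvolcheck' in the thread: the ACL
# found on the GPO directory in sysvol, and the value expected from the GPO object.
FS_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Two-letter SDDL aliases for well-known SIDs that occur in the strings above.
SID_ALIASES: Dict[str, str] = {
    "LA": "Administrator account", "DA": "Domain Admins", "EA": "Enterprise Admins",
    "CO": "Creator Owner", "SY": "Local System", "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}
# SDDL file-rights aliases (generic read/write/execute/all for files) and the
# human names of the two masks used in the thread's descriptors.
RIGHTS_ALIASES: Dict[str, int] = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
RIGHTS_NAMES: Dict[int, str] = {0x1F01FF: "Full Control", 0x1200A9: "Read & Execute",
                                0x120089: "Read", 0x120116: "Write", 0x1200A0: "Execute"}

SD_RE = re.compile(r"^O:(?P<owner>S-[0-9-]+|[A-Z]{2})G:(?P<group>S-[0-9-]+|[A-Z]{2})D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = access allowed, D = access denied
    flags: str      # OI/CI = object/container inherit, IO = inherit-only
    rights: int
    trustee: str


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str          # "P" = protected: no ACEs inherited from the parent
    aces: Tuple[Ace, ...]


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse an O:..G:..D:.. SDDL string with a plain (non-object) ACE list."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    dacl = m.group("dacl")
    first = dacl.find("(")
    flags = dacl if first < 0 else dacl[:first]
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, trustee = parts
        value = int(rights, 16) if rights.lower().startswith("0x") else RIGHTS_ALIASES[rights]
        aces.append(Ace(ace_type, ace_flags, value, trustee))
    return SecurityDescriptor(m.group("owner"), m.group("group"), flags, tuple(aces))


def describe(sid: str) -> str:
    return SID_ALIASES.get(sid, sid)


def ace_text(a: Ace) -> str:
    return "%s %s -> %s" % (a.ace_type, describe(a.trustee), RIGHTS_NAMES.get(a.rights, hex(a.rights)))


def diff_sddl(actual: str, expected: str) -> List[str]:
    """Explain, field by field, how the on-disk descriptor differs from the expected one."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    problems: List[str] = []
    if a.owner != e.owner:
        problems.append("owner is %s, expected %s" % (describe(a.owner), describe(e.owner)))
    if a.group != e.group:
        problems.append("group is %s, expected %s" % (describe(a.group), describe(e.group)))
    if a.dacl_flags != e.dacl_flags:
        problems.append("DACL flags are %r, expected %r" % (a.dacl_flags, e.dacl_flags))
    for ace in e.aces:
        if ace not in a.aces:
            problems.append("missing ACE: " + ace_text(ace))
    for ace in a.aces:
        if ace not in e.aces:
            problems.append("unexpected ACE: " + ace_text(ace))
    # ACE order matters for evaluation (deny ACEs are expected first), so flag a
    # pure reordering even when both descriptors hold the same ACEs.
    if a.aces != e.aces and set(a.aces) == set(e.aces):
        problems.append("same ACEs in a different order")
    return problems


if __name__ == "__main__":
    for line in diff_sddl(FS_SDDL, EXPECTED_SDDL) or ["descriptors match"]:
        print(line)
```

On the two strings from the thread the only reported difference is the owner (LA, the Administrator account, on disk versus DA, Domain Admins, in the GPO object); the seven ACEs, including the Read & Execute entries for Authenticated Users and Enterprise Domain Controllers, are identical, which is the information the raw error message makes hard to see.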
Can you run on a failing computer:
- netdom verify yourpcname
- nslookup yourpcname
All ok? And is time in sync?
Did you install winbind after the update, and also, did you change your server services line?
Like, I use bind9 dns. My smb.conf contains only this:
server services = -dns
The full line is:
samba-tool testparm -vv | grep "server service"
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
The thing you have to look at is: winbindd
And not winbind.
And best is really to set up TLS/SSL
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
(missing on that site: add TLS_REQCERT allow to ldap.conf)
Or a simple setup with own cert.
https://www.spinics.net/lists/samba/msg134098.html
It's Debian minded but translate it to your OS, most is the same.
Or make them manually
https://www.google.nl/search?q=setup+own+caroot#q=openssl+create+self+signed+certificate
Pick one.
Now, for the other problem, after the above is done/checked.
You can clear your GPO history on the pc. It's recreated when you reboot/login again, so no worries..
@echo off
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
klist purge
gpupdate /force
exit
Now reboot your pc, and check again.
Greetz,
Louis