rme at bluemail.ch
2016-Aug-03 11:41 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hello,

I think I really need some help on this.

Since the Samba 4.2.11 upgrade my Windows 10 clients are unable to synchronize group policies. I have asked about this already here <https://lists.samba.org/archive/samba/2016-April/199226.html>. Now I re-investigated the issue with the Windows 10 1607 update and still face the same issue, which prevents me from rolling out this configuration in production.

My setup:
- Samba 4.2.14 in active directory domain controller role
- BIND_DLZ DNS backend
- Windows 10 Pro 1607 clients

I am successfully able to join the clients to the Samba AD domain but they fail to synchronize group policies and therefore fail to apply logon/logoff scripts as well as important system settings.

Executing 'gpupdate' on the command line yields the following output:
----
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
----

On the Samba side with log level 10 I get the following errors:
----
[2016/08/03 13:12:41.571366, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:41.571495, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
----

I am specifically worried about the "unknown mech-code" error, which might indicate some issues regarding Kerberos crypto. I am running Samba on Gentoo along with Heimdal 1.5.3-r2.

Does anybody have a clue where to look for a configuration mistake or whether I should report this as a bug? Especially I am concerned because this error did not occur in Samba 4.2.9 (last version before the badlock security update).

Any help or hint would be highly appreciated!

When running gpupdate the following block of messages is repeated multiple times in the samba logs:

[2016/08/03 13:12:39.715332, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/08/03 13:12:39.716203, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2016/08/03 13:12:39.716472, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
  Starting GENSEC submechanism gssapi_krb5
[2016/08/03 13:12:39.718868, 5] ../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
  gensec_gssapi: NO credentials were delegated
[2016/08/03 13:12:39.718993, 5] ../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
  GSSAPI Connection will be cryptographically sealed
[2016/08/03 13:12:39.728127, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:39.728261, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
[2016/08/03 13:12:39.729278, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/08/03 13:12:39.729352, 5] ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
  imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.16428.49
[2016/08/03 13:12:39.729499, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

Here are my compiled parameters as printed by testparm:

# Global parameters
[global]
        workgroup = MYDOM
        realm = ad.mydom.local
        netbios aliases = SOFTWARE
        server string = Server
        interfaces = 127.0.0.1/8 10.0.1.6/24 fdea:5b48:d4c1:1:1::6/64
        bind interfaces only = Yes
        server role = active directory domain controller
        passdb backend = samba_dsdb
        log file = /var/log/samba/smb.%M
        max log size = 500
        time server = Yes
        deadtime = 2
        logon script = KIX32.exe logon.kix
        logon path = \\%N\profile\.winprofile
        logon drive = N:
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        acl:search = no
        idmap config * : backend = tdb
        veto files = /*.k/*.encoderpass/*.locky/*.ecc/*.ezz/*.exx/*.zzz/*.xyz/*.aaa/*.abc/*.ccc/*.vvv/*.xxx/*.ttt/*.micro/*.encrypted/*.locked/*.crypto/_crypt/*.crinf/*.r5a/*.xrtn/*.XTBL/*.crypt/*.R16M01D05/*.pzdc/*.good/*.LOL!/*.OMG!/*.RDM/*.RRK/*.encryptedRSA/*.crjoker/*.EnCiPhErEd/*.LeChiffre/*.keybtc at inbox_com/*.0x0/*.bleep/*.1999/*.vault/*.HA3/*.toxcrypt/*.magic/*.SUPERCRYPT/*.CTBL/*.CTB2/*.locky/HELPDECRYPT.TXT/HELP_YOUR_FILES.TXT/HELP_TO_DECRYPT_YOUR_FILES.txt/RECOVERY_KEY.txt/HELP_RESTORE_FILES.txt/HELP_RECOVER_FILES.txt/HELP_TO_SAVE_FILES.txt/DecryptAllFiles.txt/DECRYPT_INSTRUCTIONS.TXT/INSTRUCCIONES_DESCIFRADO.TXT/How_To_Recover_Files.txt/YOUR_FILES.HTML/YOUR_FILES.url/encryptor_raas_readme_liesmich.txt/Help_Decrypt.txt/DECRYPT_INSTRUCTION.TXT/HOW_TO_DECRYPT_FILES.TXT/ReadDecryptFilesHere.txt/Coin.Locker.txt/_secret_code.txt/About_Files.txt/Read.txt/DECRYPT_ReadMe.TXT/DecryptAllFiles.txt/FILESAREGONE.TXT/IAMREADYTOPAY.TXT/HELLOTHERE.TXT/READTHISNOW!!!.TXT/SECRETIDHERE.KEY/IHAVEYOURSECRET.KEY/SECRET.KEY/HELPDECYPRT_YOUR_FILES.HTML/help_decrypt_your_files.html/HELP_TO_SAVE_FILES.txt/RECOVERY_FILES.txt/RECOVERY_FILE.TXT/RECOVERY_FILE*.txt/HowtoRESTORE_FILES.txt/HowtoRestore_FILES.txt/howto_recover_file.txt/restorefiles.txt/howrecover+*.txt/_how_recover.txt/recoveryfile*.txt/recoverfile*.txt/recoveryfile*.txt/Howto_Restore_FILES.TXT/help_recover_instructions+*.txt/_Locky_recover_instructions.txt/
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

Many thanks
Rainer
The server expects TLS but you didn't set TLS.
Read: https://www.samba.org/samba/history/samba-4.2.10.html

Basically it's now:
Default: ldap server require strong auth = yes

You can try to add:
ldap server require strong auth = no

But I do advise to set up the TLS parameters and make everything more secure.

Please read these links, MS changed some things in GPO also.

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

Short version:
Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO). If you are using security filtering, add the Domain Computers group with read permission.

And last, make sure you updated to the latest policy set.
https://www.niallbrady.com/2016/02/03/how-can-i-add-new-windows-10-admx-files-to-the-group-policy-central-store-and-then-deploy-them/

To update the policy set, you can also copy the local grouppolicy folder on the Windows 10 PC to the server.

Greetz,
Louis
rme at bluemail.ch
2016-Aug-03 13:19 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hi Louis,

Many many thanks for your very quick and comprehensive reply.
I also found this thread here <https://lists.samba.org/archive/samba/2016-July/201471.html>

Unfortunately none of the suggestions seem to entirely resolve the issue.

As a first work-around I have inserted
ldap server require strong auth = no
into my smb.conf and re-started Samba.

Unfortunately this didn't change anything. I am still getting the same errors from gpupdate.exe (with the same errors logged to the event log) claiming name resolution failure, while the samba logs report:

[2016/08/03 15:17:45.609250, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 15:17:45.609387, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED

I am not fully sure about the MS changes though. All my GPOs list "Authenticated Users" in the "Security Filtering" section in the Scope tab. I am unsure where to insert the "Authenticated Users" group in the GPO with read permissions. Does it mean I should add "Authenticated Users" in the Delegation tab? If yes, then all my GPOs already have this entry in the Delegation tab:
- Authenticated Users, Read (from Security Filtering)

I also tried inserting Domain Computers with Read permissions into the Delegation tab. No change in the result though.

I also tried to remove the "Authenticated Users" entry from Security Filtering, with and without adding it to the Delegation tab, to no avail. It still complains about name resolution failure on the domain controller.

I also added the admx templates successfully to sysvol but this did not fix the GPO processing issue (as expected).

In addition, samba-tool ntacl sysvolcheck also returns the same error as indicated in the thread above:

# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ad.cyberdyne.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Though according to <https://lists.samba.org/archive/samba/2016-July/201448.html> this might be a samba-tool issue.

Though I don't think it's related to the error, as it looks like somehow it's not about permissions or issues on the sysvol share level but rather crypto/signature issues.

Moreover I tried a bit more GPO debugging as instructed here: <https://lists.samba.org/archive/samba/2016-August/201762.html>

Perhaps the following log line points out an error:
GPSVC(3a8.b94) 15:07:34:198 ProcessGPOs(Machine): MyGetUserName failed with 5.

The full log can be found here: <http://pastebin.com/vgbhx0cm>

Many thanks again.
Rainer
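The ACL mismatch reported by samba-tool ntacl sysvolcheck in the post above is easier to read once the two SDDL strings are split into owner, group, DACL flags and ACEs. This is an added example, not samba-tool's own code: it parses both strings exactly as quoted in the post and reports only the parts that differ; the alias names come from the standard SDDL well-known SID abbreviations.

```python
import re

# The two SDDL strings quoted in the sysvolcheck error: the ACL found on the
# GPO directory in sysvol and the one expected from the GPO object in the DB.
FS_ACL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;0x001200a9;;;ED)")
DB_ACL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;0x001200a9;;;ED)")

# Standard SDDL well-known SID abbreviations used in the strings above.
ALIASES = {
    "LA": "Local Administrator (built-in Administrator account)",
    "DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "Creator Owner",
    "SY": "Local System", "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# O:<owner>G:<group>D:<dacl flags>(ace)(ace)...  with an optional S: (SACL).
SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:"
                     r"(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)(?:S:.*)?$")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE dicts."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not a recognised SDDL string: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "sid": sid})
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}


def diff_sddl(found, expected):
    """Return {part: (found, expected)} for every part that differs.
    For ACEs the tuple is (extra ACEs on disk, ACEs missing on disk)."""
    a, b = parse_sddl(found), parse_sddl(expected)
    diff = {}
    for key in ("owner", "group", "dacl_flags"):
        if a[key] != b[key]:
            diff[key] = (a[key], b[key])
    extra = [x for x in a["aces"] if x not in b["aces"]]
    missing = [x for x in b["aces"] if x not in a["aces"]]
    if extra or missing:
        diff["aces"] = (extra, missing)
    return diff


def explain(found, expected):
    """Human-readable lines for the differences, with aliases spelled out."""
    lines = []
    for key, (got, want) in diff_sddl(found, expected).items():
        if key == "aces":
            lines.append("aces: %d extra on disk, %d missing on disk"
                         % (len(got), len(want)))
        else:
            lines.append("%s: found %s (%s), expected %s (%s)" % (
                key, got, ALIASES.get(got, got), want, ALIASES.get(want, want)))
    return lines


if __name__ == "__main__":
    for line in explain(FS_ACL, DB_ACL):
        print(line)
```

For the strings in the post the only difference is the owner: the directory on disk is owned by LA while the GPO object says DA, and all seven ACEs are identical.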
Can you run on a failing computer:
- netdom verify yourpcname
- nslookup yourpcname

All ok? And is time in sync?

Did you install winbind after the update, and did you also change your server services line?

Like, I use bind9 DNS. My smb.conf contains only this:
server services = -dns

The full line is:
samba-tool testparm -vv | grep "server service"
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

The thing you have to look at is: winbindd
And not winbind.

And best is really to set up TLS/SSL:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
(missing on that site: add TLS_REQCERT allow to ldap.conf)

Or a simple setup with your own cert:
https://www.spinics.net/lists/samba/msg134098.html
It's Debian minded but translate it to your OS, most is the same.

Or make them manually:
https://www.google.nl/search?q=setup+own+caroot#q=openssl+create+self+signed+certificate
Pick one.

Now, for the other problem, after the above is done/checked.
You can clear your GPO history on the PC. It's recreated when you reboot/login again, so no worries.

@echo off
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
klist purge
gpupdate /force
exit

Now reboot your PC, and check again.

Greetz,
Louis
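The two configuration points Louis raises, the 4.2.10 'ldap server require strong auth' default from his first reply and the 'winbindd' (not 'winbind') entry in 'server services' from this one, can be checked mechanically against testparm output. This is an added example, not part of the thread or of Samba: the sample configs are constructed from the thread's testparm output (trimmed to the relevant parameters), the TLS file paths in the hardened variant are placeholders, and absent parameters are taken at Samba's documented defaults.

```python
import re

# Constructed from the thread's testparm output, trimmed to the parameters
# the checks below look at, plus the 'strong auth = no' workaround.
SAMPLE_WEAK = """
# Global parameters
[global]
        workgroup = MYDOM
        realm = ad.mydom.local
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        ldap server require strong auth = no
"""

# Hardened variant: keep the post-4.2.10 default (strong auth required) and
# point Samba at a proper certificate instead.  Paths are placeholders.
SAMPLE_HARDENED = """
[global]
        workgroup = MYDOM
        realm = ad.mydom.local
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        tls enabled = yes
        tls keyfile = /etc/samba/tls/dc.key.pem
        tls certfile = /etc/samba/tls/dc.cert.pem
        tls cafile = /etc/samba/tls/ca.pem
"""

# 'name = value'; lines starting with #, ; or [ are comments or sections.
PARAM_RE = re.compile(r"^\s*([^#;=\[][^=]*?)\s*=\s*(.*?)\s*$")
NO = ("no", "false", "0")


def parse_global(text):
    """Return {parameter (lowercased): value} from the [global] section."""
    params, in_global = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_global = stripped.lower() == "[global]"
            continue
        m = PARAM_RE.match(line)
        if in_global and m:
            params[m.group(1).lower()] = m.group(2)
    return params


def check_config(text):
    """Return a list of findings; an empty list means nothing to flag.
    Defaults assumed for absent parameters: strong auth 'yes' (since
    4.2.10, per the thread) and tls enabled 'yes' (Samba's default)."""
    p = parse_global(text)
    findings = []
    if p.get("ldap server require strong auth", "yes").lower() in NO:
        findings.append("ldap server require strong auth = no: simple binds "
                        "over plaintext LDAP are accepted again")
    if p.get("tls enabled", "yes").lower() in NO:
        findings.append("tls enabled = no: no LDAPS, so clients cannot do a "
                        "protected simple bind at all")
    services = [s.strip() for s in p.get("server services", "").split(",")
                if s.strip()]
    if any(s.lstrip("+") == "winbind" for s in services):
        findings.append("server services names 'winbind'; the service is "
                        "called 'winbindd'")
    # A list without +/- prefixes replaces the defaults, so it must be complete.
    explicit = bool(services) and not any(s[0] in "+-" for s in services)
    if explicit and "winbindd" not in services:
        findings.append("server services is an explicit list without winbindd")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, check_config(cfg) or ["ok"])
```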