rme at bluemail.ch
2016-Aug-03 13:19 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hi Louis,

Many many thanks for your very quick and comprehensive reply. I also found this thread here <https://lists.samba.org/archive/samba/2016-July/201471.html>

Unfortunately none of the suggestions seem to entirely resolve the issue.

As a first work-around I have inserted

ldap server require strong auth = no

to my smb.conf and re-started Samba. Unfortunately this didn't change anything. I am still getting the same errors from gpupdate.exe (with the same errors logged to event log) claiming name resolution failure while samba logs report:

[2016/08/03 15:17:45.609250, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 15:17:45.609387, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED

I am not fully sure about the MS changes though. My GPOs all list "Authenticated Users" in the "Security Filtering" section in the Scope tab. I am unsure where to insert the "Authenticated Users" group in the GPO with read permissions. Does it mean I should add "Authenticated Users" in the Delegation tab? If yes, then all my GPOs already have this entry in the Delegation tab:

- Authenticated Users, Read (from Security Filtering)

I also tried inserting Domain Computers with Read permissions to the Delegation tab. No change in the result though. I also tried to remove the "Authenticated Users" entry from Security Filtering with and without adding it to the Delegation tab, to no avail. It still complains about name resolution failure on domain controller. I also added the admx templates successfully to sysvol but this did not fix the GPO processing issue (as expected).

In addition, also samba-tool ntacl sysvolcheck returns the same error as indicated in the thread above:

# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ad.cyberdyne.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Though according to <https://lists.samba.org/archive/samba/2016-July/201448.html> this might be a samba-tool issue. Though I don't think it's related to the error as it looks like somehow it's not about permissions or issues on sysvol share level but rather crypto/signature issues.

Moreover I tried a bit more GPO debugging as instructed here: <https://lists.samba.org/archive/samba/2016-August/201762.html>

Perhaps the following log line points out an error:

GPSVC(3a8.b94) 15:07:34:198 ProcessGPOs(Machine): MyGetUserName failed with 5.

The full log can be found here: <http://pastebin.com/vgbhx0cm>

Many thanks again.

Rainer
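The sysvolcheck output above reports that the on-disk ACL of the policy directory does not match the one expected from the GPO object, but the two SDDL strings are long enough that the difference is hard to spot by eye. The following Python script is an added example, not part of this thread and not samba-tool's own code: it parses the two SDDL strings from the output above (owner, group, DACL flags and the individual ACEs) and reports which component differs. Run on those strings it shows that all seven ACEs are identical and only the owner differs: LA (the built-in Administrator account) on the file system versus DA (Domain Admins) expected from the GPO object. The well-known-SID table and the assumption that colons occur only as O:/G:/D:/S: section markers (conditional ACEs are not handled) are the script's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The two SDDL strings quoted from the samba-tool ntacl sysvolcheck output above:
# the ACL found on the sysvol directory and the ACL expected from the GPO object.
ACTUAL_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Standard SDDL abbreviations for well-known SIDs (a subset chosen for this example).
WELL_KNOWN = {
    "LA": "Administrator account (RID 500)",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
    "WD": "Everyone",
    "BA": "Builtin Administrators",
}


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = access allowed, D = access denied, ...
    flags: str         # inheritance flags as written, e.g. OICI or OICIIO
    mask: object       # int when given as hex, otherwise the rights string as written
    object_guid: str
    inherit_guid: str
    trustee: str       # SID abbreviation or an S-1-... string


def describe(trustee: str) -> str:
    return WELL_KNOWN.get(trustee, trustee)


def parse_acl(body: str) -> Tuple[str, Tuple[Ace, ...]]:
    """Parse a DACL/SACL body such as 'P(A;OICI;0x001f01ff;;;DA)(...)'."""
    m = re.fullmatch(r"([A-Z]*)((?:\([^)]*\))*)", body)
    if m is None:
        raise ValueError("malformed ACL body: %r" % body)
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = raw.split(";")
        if len(fields) != 6:
            raise ValueError("ACE must have 6 fields: %r" % raw)
        mask = int(fields[2], 16) if fields[2].lower().startswith("0x") else fields[2]
        aces.append(Ace(fields[0], fields[1], mask, fields[3], fields[4], fields[5]))
    return m.group(1), tuple(aces)


def parse_sddl(sddl: str) -> Dict[str, object]:
    """Split an SDDL string into owner, group, DACL and SACL.

    Assumption (this example's own): the only colons are the O:/G:/D:/S:
    section markers; conditional ACEs, which may contain colons, are not handled.
    """
    markers = list(re.finditer(r"([OGDS]):", sddl))
    sections = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    parsed = {"owner": sections.get("O"), "group": sections.get("G"),
              "dacl_flags": None, "dacl": (), "sacl_flags": None, "sacl": ()}
    if "D" in sections:
        parsed["dacl_flags"], parsed["dacl"] = parse_acl(sections["D"])
    if "S" in sections:
        parsed["sacl_flags"], parsed["sacl"] = parse_acl(sections["S"])
    return parsed


def diff_sddl(actual: str, expected: str) -> List[Tuple[str, object, object]]:
    """Return (component, actual_value, expected_value) for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs: List[Tuple[str, object, object]] = []
    for key in ("owner", "group", "dacl_flags", "sacl_flags"):
        if a[key] != e[key]:
            diffs.append((key, a[key], e[key]))
    for key in ("dacl", "sacl"):
        if a[key] == e[key]:
            continue
        extra = [x for x in a[key] if x not in e[key]]
        missing = [x for x in e[key] if x not in a[key]]
        diffs.extend((key + "_extra", x, None) for x in extra)
        diffs.extend((key + "_missing", None, x) for x in missing)
        if not extra and not missing:  # same ACEs, different order
            diffs.append((key + "_order", a[key], e[key]))
    return diffs


def report(actual: str, expected: str) -> str:
    lines = []
    for what, got, want in diff_sddl(actual, expected):
        if what in ("owner", "group"):
            lines.append("%s: %s (%s) but expected %s (%s)"
                         % (what, got, describe(got), want, describe(want)))
        else:
            lines.append("%s: %r vs %r" % (what, got, want))
    return "\n".join(lines) or "ACLs are identical"


if __name__ == "__main__":
    print(report(ACTUAL_SDDL, EXPECTED_SDDL))
```

The ACE comparison is by membership, so an ACE that is merely duplicated (as the DA entry is in both strings above) is not reported as a difference; a differing order with the same set of ACEs is reported separately, since DACL order affects evaluation.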
On Wed, 3 Aug 2016 15:19:03 +0200 rme at bluemail.ch wrote:
> Hi Louis,
>
> Many many thanks for your very quick and comprehensive reply.
> I also found this thread here
> <https://lists.samba.org/archive/samba/2016-July/201471.html>
>
> Unfortunately none of the suggestions seem to entirely resolve the
> issue.
>
> As a first work-around I have inserted
> ldap server require strong auth = no
> to my smb.conf and re-started Samba.
>

I wonder if this has the same cause as this bug:
https://bugzilla.samba.org/show_bug.cgi?id=11351

Rowland
rme at bluemail.ch
2016-Aug-03 14:49 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
> I wonder if this has the same cause as this bug:
> https://bugzilla.samba.org/show_bug.cgi?id=11351

Well, I already came across this bug report as my GPMC shows the same error on the "Status" tab of the domain. Though I didn't join any Windows domain controller to the Samba domain. I am running GPMC on my local Windows 10 Pro machine joined to the domain.

It shows "No Infrastructure Status Information exists for this domain." and "Click the Detect Now button below to gather infrastructure status from all of the domain controllers in this domain." When I click "Detect Now" it shows "A processing error occurred collecting data using this base domain controller. Please change the base domain controller and try again." When I click on the "Change" link a window opens with the title "Select New Baseline DC" with no content. So nothing to select there.

So I am not sure if this is correct with Samba or not.

Thanks
Rainer