On Thu, 4 Aug 2016 12:02:18 +0200 rme at bluemail.ch wrote:

> > Well, I am using IPv6 mainly for all services and don't want to
> > disable it. Though I might try this temporary which will be quite a
> > bunch of reconfiguration to disable IPv6 in all services. So I will
> > come back with results on this later.
>
> I have completely disabled IPv6 on the server temporary as well as I
> removed the second IPv4 address from the interface.
>
> Unfortunately this didn't do any change to the result.
>
> Still getting the same errors in Samba log.
>
> [2016/08/04 11:49:23.546473, 1]
> ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
> gss_unwrap_iov failed: Miscellaneous failure (see text): unknown
> mech-code 0 for mech 1 2 840 113554 1 2 2
> [2016/08/04 11:49:23.546602, 0]
> ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
> gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176)
> failed: NT_STATUS_ACCESS_DENIED
>
>
> best regards,
> Rainer
>

Let's go back to basics, can you post your smb.conf again, but this time, obtain it via cat

Can you also post your /etc/krb5.conf

Rowland
rme at bluemail.ch
2016-Aug-04 12:10 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hello Rowland

> Let's go back to basics, can you post your smb.conf again, but this time, obtain it via cat

Sure. As it's a bit larger and I don't want to process or omit anything which could be important, here's a complete paste:
<http://pastebin.com/mYa1d5KG>

In short without comments:

[global]
    workgroup = CYBERDYNE
    realm = ad.cyberdyne.local
    netbios name = SKYNET
    netbios aliases = SOFTWARE
    server string = SkyNet
    server role = active directory domain controller
    acl:search = no
    ldap server require strong auth = no
    server services = -dns
    idmap_ldb:use rfc2307 = yes
    time server = yes
    logon script = KIX32.exe logon.kix
    logon path = \\%N\profile\.winprofile
    logon drive = N:
    logon home = \\%N\%U
    log file = /var/log/samba/smb.%M
    max log size = 500

[netlogon]
    path = /var/lib/samba/sysvol/ad.cyberdyne.local/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

> Can you also post your /etc/krb5.conf

Sure:

# cat /etc/krb5.conf
[libdefaults]
    default_realm = AD.CYBERDYNE.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    AD.CYBERDYNE.LOCAL = {
        default_domain = ad.cyberdne.local
        kdc = skynet.ad.cyberdyne.local
        admin_server = skynet.ad.cyberdyne.local
    }

[domain_realm]
    .ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
    ad.cyberdyne.local = AD.CYBERDYNE.LOCAL

best regards,
Rainer
rme at bluemail.ch
2016-Aug-04 13:00 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Perhaps I am on the wrong track but I would like to share some
additional observations...
I quickly enabled DNS query logging:
# rndc querylog
Then ran another gpupdate on the client.
During the Update I see lots of queries:
04-Aug-2016 14:46:58.414 queries: info: client 10.0.1.186#59270
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (10.0.1.6)
04-Aug-2016 14:46:59.223 queries: info: client 10.0.1.186#50476
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (10.0.1.6)
04-Aug-2016 14:46:59.428 queries: info: client 10.0.1.186#58473
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (10.0.1.6)
... [message repeated 16 times in total]
or with IPv6 enabled:
04-Aug-2016 14:57:42.217 queries: info: client
fdea:5b48:d4c1:1:68f2:fa7c:db26:ce22#53050
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (fdea:5b48:d4c1:1:1::6)
04-Aug-2016 14:57:42.401 queries: info: client
fdea:5b48:d4c1:1:68f2:fa7c:db26:ce22#63158
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (fdea:5b48:d4c1:1:1::6)
04-Aug-2016 14:57:42.711 queries: info: client
fdea:5b48:d4c1:1:68f2:fa7c:db26:ce22#64202
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (fdea:5b48:d4c1:1:1::6)
... [message repeated 16 times in total]
I did query this from the client:
C:\Temp>nslookup -type=SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = skynet.ad.cyberdyne.local
_msdcs.ad.cyberdyne.local nameserver = skynet.ad.cyberdyne.local
skynet.ad.cyberdyne.local internet address = 10.0.0.6
skynet.ad.cyberdyne.local internet address = 10.0.2.6
skynet.ad.cyberdyne.local internet address = 10.0.1.6
skynet.ad.cyberdyne.local AAAA IPv6 address = fdea:5b48:d4c1:1:1::6
skynet.ad.cyberdyne.local AAAA IPv6 address = 2a02:120b:2c38:2950::1
skynet.ad.cyberdyne.local AAAA IPv6 address = 2a02:120b:2c38:2951::1
And from the server:
# dig -t SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
; <<>> DiG 9.10.3-P4 <<>> -t SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33143
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local.
IN SRV
;; ANSWER SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local.
900 IN SRV 0 100 389 skynet.ad.cyberdyne.local.
;; AUTHORITY SECTION:
_msdcs.ad.cyberdyne.local. 900 IN NS skynet.ad.cyberdyne.local.
;; ADDITIONAL SECTION:
skynet.ad.cyberdyne.local. 900 IN A 10.0.1.6
skynet.ad.cyberdyne.local. 900 IN A 10.0.0.6
skynet.ad.cyberdyne.local. 900 IN A 10.0.2.6
skynet.ad.cyberdyne.local. 900 IN AAAA fdea:5b48:d4c1:1:1::6
skynet.ad.cyberdyne.local. 900 IN AAAA 2a02:120b:2c38:2950::1
skynet.ad.cyberdyne.local. 900 IN AAAA 2a02:120b:2c38:2951::1
;; Query time: 12 msec
;; SERVER: fdea:5b48:d4c1:1:1::6#53(fdea:5b48:d4c1:1:1::6)
;; WHEN: Thu Aug 04 14:53:22 CEST 2016
;; MSG SIZE rcvd: 290
In fact, to me it looks like all the addresses returned are valid.
I am not sure why gpupdate issues 16 queries on this.
best regards,
Rainer
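
Added example, not part of the original mail: a small Python script that undoes the line wrapping of BIND query-log output like the one quoted above and counts back-to-back repeats of the same lookup per client, which makes a burst such as the 16 SRV queries easy to spot. The function names, the 5-second window and the sample lines (modelled on the format in the mail, with one made-up A query) are assumptions for illustration.

```python
import ipaddress
import re
from datetime import datetime

# BIND 9 querylog entry in the format quoted in this thread ("view" is optional).
QUERY_RE = re.compile(
    r"(?P<ts>\d{2}-\w{3}-\d{4} [\d:]{8}\.\d+) queries: info: client "
    r"(?P<client>[0-9A-Fa-f:.]+)#\d+ \([^)]+\): (?:view \S+: )?query: "
    r"(?P<qname>\S+) \S+ (?P<qtype>\S+) \S+ \([^)]+\)")

# Constructed sample, wrapped across lines the way the mail client wrapped it.
QNAME = "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local"
V6 = "fdea:5b48:d4c1:1:68f2:fa7c:db26:ce22"
ROW = "04-Aug-2016 {} queries: info: client {}\n({}):\nview internal: query:\n{}\nIN {} + ({})\n"
SAMPLE = "".join(ROW.format(t, c, n, n, q, s) for t, c, n, q, s in [
    ("14:46:58.414", "10.0.1.186#59270", QNAME, "SRV", "10.0.1.6"),
    ("14:46:59.223", "10.0.1.186#50476", QNAME, "SRV", "10.0.1.6"),
    ("14:46:59.428", "10.0.1.186#58473", QNAME, "SRV", "10.0.1.6"),
    ("14:47:30.000", "10.0.1.186#51000", "skynet.ad.cyberdyne.local", "A", "10.0.1.6"),
    ("14:57:42.217", V6 + "#53050", QNAME, "SRV", "fdea:5b48:d4c1:1:1::6"),
    ("14:57:42.401", V6 + "#63158", QNAME, "SRV", "fdea:5b48:d4c1:1:1::6"),
])

def parse_queries(raw):
    """Undo line wrapping, then return one dict per logged query."""
    flat = " ".join(raw.split())
    return [{
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "client": str(ipaddress.ip_address(m["client"])),
        "qname": m["qname"].lower().rstrip("."),
        "qtype": m["qtype"],
    } for m in QUERY_RE.finditer(flat)]

def repeated_lookups(records, window_s=5.0, min_count=2):
    """Runs of the same (client, qname, qtype) whose gaps are <= window_s."""
    by_key = {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        by_key.setdefault((r["client"], r["qname"], r["qtype"]), []).append(r["ts"])
    runs = []
    for key, stamps in by_key.items():
        start, count = stamps[0], 1
        for prev, cur in zip(stamps, stamps[1:] + [None]):
            if cur is not None and (cur - prev).total_seconds() <= window_s:
                count += 1
                continue
            if count >= min_count:
                runs.append((*key, count, start))
            start, count = cur, 1
    return sorted(runs, key=lambda run: run[4])
```

Each tuple returned by repeated_lookups(parse_queries(text)) is (client, qname, qtype, count, first timestamp); single lookups such as the A query in the sample are left out.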