Hello,

CentOS 7.5, Samba 4.8.3 installation, compiled from source, working as AD DC.

It was an update from 4.7 (not an in-place update, but added new DCs to existing domain and demoted 4.7.x DCs).

After adding to my smb.conf:

/apply group policies = yes/

I see errors on samba start:

../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_gpoupdate: SID S-1-5-21-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -> getpwuid(3000002) failed
[2018/07/02 10:21:45.885124, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_gpoupdate: Traceback (most recent call last):
./lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_gpoupdate: File "/usr/local/samba/sbin/samba_gpoupdate", line 177, in <module>
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_gpoupdate: apply_gp(lp, creds, test_ldb, logger, store, gp_extensions)
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_gpoupdate: File "/usr/local/samba/sbin/samba_gpoupdate", line 71, in apply_gp
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_gpoupdate: for gpo_obj in gpos:
[2018/07/02 10:21:45.885357, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  winbindd[14072]: /usr/local/samba/sbin/samba_gpoupdate: TypeError: 'NoneType' object is not iterable

UID that is "failed" is the right machine account of the server (DC2$).

Running "wbinfo --uid-info=30000002" results correctly with

DOMAIN\dc2$:*:3000002:10000::/home/dc2_ at DOMAIN:/bin/bash

Same issue is present on all other Samba 4 AD servers I tried it on (also CentOS 7.5 with compiled from source Samba 4.8.3).

Running "samba_gpoupdate -M -d 5" is, on the other hand, successful, and GPO is being applied correctly. End of output looks like this:

KDC Minimum Password age was changed from -4320000000000 to -4320000000000
KDC Maximum Password age was changed from -25920000000000 to -25920000000000
KDC Minimum Password length was changed from 5 to 8
KDC Password Properties were changed from 1 to 1
kdc:user_ticket_lifetime was changed from 10 to 13
kdc:renewal_lifetime was changed from 150 to 168
kdc:service_ticket_lifetime was changed from 10 to 13

and those settings are correctly applied and respected.

Can anyone shed some light, why the smb.conf setting fails, but running update manually works just fine? Did anyone run into the same issue?

One thing that I realized post-Samba installation is that the "python-chardet" package (from CentOS repo) was required to run the "samba_gpoupdate" script. Could it be that, because it was missing at compile time, that's the cause of the error?

Regards,

Kacper
Hello,

I've realised that there was an error on this server, wrong idmap.ldb, 3000002 should be one of the built-in users or groups instead of the machine's own account. Unfortunately fixing idmap (I imported idmap.ldb from DC with correct mapping) didn't fix my original error, as it still appears each time samba is restarted.

Regards,

Kacper

On 02.07.2018 at 10:52, Kacper Wirski via samba wrote:
> Hello,
>
> CentOS 7.5, Samba 4.8.3 installation, compiled from source, working as AD DC.
>
> It was an update from 4.7 (not an in-place update, but added new DCs to existing domain and demoted 4.7.x DCs).
>
> After adding to my smb.conf:
>
> /apply group policies = yes/
>
> I see errors on samba start:
>
> ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_gpoupdate: SID S-1-5-21-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -> getpwuid(3000002) failed
> [2018/07/02 10:21:45.885124, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_gpoupdate: Traceback (most recent call last):
> ./lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_gpoupdate: File "/usr/local/samba/sbin/samba_gpoupdate", line 177, in <module>
> ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_gpoupdate: apply_gp(lp, creds, test_ldb, logger, store, gp_extensions)
> ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_gpoupdate: File "/usr/local/samba/sbin/samba_gpoupdate", line 71, in apply_gp
> ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_gpoupdate: for gpo_obj in gpos:
> [2018/07/02 10:21:45.885357, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   winbindd[14072]: /usr/local/samba/sbin/samba_gpoupdate: TypeError: 'NoneType' object is not iterable
>
> UID that is "failed" is the right machine account of the server (DC2$).
>
> Running "wbinfo --uid-info=30000002" results correctly with
>
> DOMAIN\dc2$:*:3000002:10000::/home/dc2_ at DOMAIN:/bin/bash
>
> Same issue is present on all other Samba 4 AD servers I tried it on (also CentOS 7.5 with compiled from source Samba 4.8.3).
>
> Running "samba_gpoupdate -M -d 5" is, on the other hand, successful, and GPO is being applied correctly. End of output looks like this:
>
> KDC Minimum Password age was changed from -4320000000000 to -4320000000000
> KDC Maximum Password age was changed from -25920000000000 to -25920000000000
> KDC Minimum Password length was changed from 5 to 8
> KDC Password Properties were changed from 1 to 1
> kdc:user_ticket_lifetime was changed from 10 to 13
> kdc:renewal_lifetime was changed from 150 to 168
> kdc:service_ticket_lifetime was changed from 10 to 13
>
> and those settings are correctly applied and respected.
>
> Can anyone shed some light, why the smb.conf setting fails, but running update manually works just fine? Did anyone run into the same issue?
>
> One thing that I realized post-Samba installation is that the "python-chardet" package (from CentOS repo) was required to run the "samba_gpoupdate" script. Could it be that, because it was missing at compile time, that's the cause of the error?
>
> Regards,
>
> Kacper
On Tue, 3 Jul 2018 08:06:44 +0200 Kacper Wirski via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I've realised that there was an error on this server, wrong idmap.ldb, 3000002 should be one of the built-in users or groups instead of the machine's own account. Unfortunately fixing idmap (I imported idmap.ldb from DC with correct mapping) didn't fix my original error, as it still appears each time samba is restarted.
>

It isn't actually an error, idmap.ldb allocates IDs on a first come basis and you will get different IDs on different Samba DCs. When you sync sysvol between DCs, you also need to sync idmap.ldb.

Rowland
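
Added example, not part of the thread and not Samba code: a way to see the per-DC allocation described in the last reply by comparing text dumps of idmap.ldb from two DCs. It assumes the dumps are ldbsearch-style LDIF with sidMap records carrying cn and xidNumber; the sample records and the machine SID are constructed placeholders.

```python
import re

def parse_idmap_ldif(text):
    """Return {sid: xidNumber} from ldbsearch-style LDIF of idmap.ldb."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        # Only sidMap records map a SID to an ID; other records are skipped.
        if (attrs.get("objectClass") == "sidMap"
                and "cn" in attrs and "xidNumber" in attrs):
            mapping[attrs["cn"]] = int(attrs["xidNumber"])
    return mapping

def mismatched_sids(a, b):
    """SIDs whose xidNumber differs between the DCs, or exists on one only."""
    return [(sid, a.get(sid), b.get(sid))
            for sid in sorted(set(a) | set(b)) if a.get(sid) != b.get(sid)]

def reused_ids(a, b):
    """xidNumbers that point at a different SID on each DC."""
    by_id_a = {xid: sid for sid, xid in a.items()}
    by_id_b = {xid: sid for sid, xid in b.items()}
    return {xid: (by_id_a[xid], by_id_b[xid])
            for xid in sorted(set(by_id_a) & set(by_id_b))
            if by_id_a[xid] != by_id_b[xid]}

def sample_ldif(pairs):
    """Build constructed records in the assumed ldbsearch output layout."""
    return "\n\n".join(
        f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\n"
        f"type: ID_TYPE_BOTH\nxidNumber: {xid}" for sid, xid in pairs)

# Constructed data: the machine SID is a placeholder, not from the thread.
MACHINE = "S-1-5-21-1111111111-2222222222-3333333333-1104"
DC1_LDIF = sample_ldif([("S-1-5-32-544", 3000000), ("S-1-5-18", 3000001),
                        ("S-1-5-32-549", 3000002)])
DC2_LDIF = sample_ldif([("S-1-5-32-544", 3000000), ("S-1-5-18", 3000001),
                        (MACHINE, 3000002), ("S-1-5-32-549", 3000005)])

if __name__ == "__main__":
    dc1, dc2 = parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)
    for sid, x1, x2 in mismatched_sids(dc1, dc2):
        print(f"{sid}: DC1={x1} DC2={x2}")
    for xid, (s1, s2) in reused_ids(dc1, dc2).items():
        print(f"xid {xid}: DC1 -> {s1}, DC2 -> {s2}")
```

A non-empty result from reused_ids means files copied between the DCs with numeric ownership preserved would resolve to a different principal on each side.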