Hello everyone,

For some time now I have been pulling my hair out and do not understand the source of my problem.

After a Samba 3 PDC migration to Samba 4.8.5 AD, when a Windows client starts, the computer GPO is not applied at boot.

In the Windows logs there are 1058 GPO errors, and on the Samba server side here are the logs:

GSS server Update (krb5) (1) Update failed: Miscellaneous failure (see text): Failed to find SAMBA4$@FSS.LAN (kvno 2) in keytab FILE: /var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
[2019/02/20 11:20:33.013351, 1] ../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing NEG_TOKEN_INIT content failed (next [(null)]): NT_STATUS_LOGON_FAILURE
[2019/02/20 11:20:33.041913, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)

Thank you again for your participation.

On Tue, 26 Feb 2019 15:57:03 +0100 David Jehin via samba <samba at lists.samba.org> wrote:
> Hello everyone,
>
> For some time now I have been pulling my hair out and do not understand the
> source of my problem.
>
> After a Samba 3 PDC migration to Samba 4.8.5 AD, when a Windows client
> starts, the computer GPO is not applied at boot.
>
> In the Windows logs there are 1058 GPO errors, and on the Samba server side
> here are the logs:
>
> GSS server Update (krb5) (1) Update failed: Miscellaneous failure (see text): Failed to find SAMBA4$@FSS.LAN (kvno 2) in keytab FILE: /var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> [2019/02/20 11:20:33.013351, 1] ../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing NEG_TOKEN_INIT content failed (next [(null)]): NT_STATUS_LOGON_FAILURE
> [2019/02/20 11:20:33.041913, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>
> Thank you again for your participation.

What does this show:

klist -e -k /var/lib/samba/private/secrets.keytab

Rowland

THANK YOU FOR YOUR REPLY. THE RESULT:

KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/samba4@FSS.LAN (des-cbc-crc)
   1 HOST/samba4.fss.lan@FSS.LAN (des-cbc-crc)
   1 SAMBA4$@FSS.LAN (des-cbc-crc)
   1 HOST/samba4@FSS.LAN (des-cbc-md5)
   1 HOST/samba4.fss.lan@FSS.LAN (des-cbc-md5)
   1 SAMBA4$@FSS.LAN (des-cbc-md5)
   1 HOST/samba4@FSS.LAN (arcfour-hmac)
   1 HOST/samba4.fss.lan@FSS.LAN (arcfour-hmac)
   1 SAMBA4$@FSS.LAN (arcfour-hmac)
   1 HOST/samba4@FSS.LAN (aes128-cts-hmac-sha1-96)
   1 HOST/samba4.fss.lan@FSS.LAN (aes128-cts-hmac-sha1-96)
   1 SAMBA4$@FSS.LAN (aes128-cts-hmac-sha1-96)
   1 HOST/samba4@FSS.LAN (aes256-cts-hmac-sha1-96)
   1 HOST/samba4.fss.lan@FSS.LAN (aes256-cts-hmac-sha1-96)
   1 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)
   2 HOST/samba4@FSS.LAN (des-cbc-crc)
   2 HOST/samba4.fss.lan@FSS.LAN (des-cbc-crc)
   2 SAMBA4$@FSS.LAN (des-cbc-crc)
   2 HOST/samba4@FSS.LAN (des-cbc-md5)
   2 HOST/samba4.fss.lan@FSS.LAN (des-cbc-md5)
   2 SAMBA4$@FSS.LAN (des-cbc-md5)
   2 HOST/samba4@FSS.LAN (arcfour-hmac)
   2 HOST/samba4.fss.lan@FSS.LAN (arcfour-hmac)
   2 SAMBA4$@FSS.LAN (arcfour-hmac)
   2 HOST/samba4@FSS.LAN (aes128-cts-hmac-sha1-96)
   2 HOST/samba4.fss.lan@FSS.LAN (aes128-cts-hmac-sha1-96)
   2 SAMBA4$@FSS.LAN (aes128-cts-hmac-sha1-96)
   2 HOST/samba4@FSS.LAN (aes256-cts-hmac-sha1-96)
   2 HOST/samba4.fss.lan@FSS.LAN (aes256-cts-hmac-sha1-96)
   2 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)
   1 HOST/samba4.fss.lan@FSS.LAN (des-cbc-crc)
   1 SAMBA4$@FSS.LAN (des-cbc-crc)
   1 HOST/samba4@FSS.LAN (des-cbc-md5)
   1 HOST/samba4.fss.lan@FSS.LAN (des-cbc-md5)
   1 SAMBA4$@FSS.LAN (des-cbc-md5)
   1 HOST/samba4@FSS.LAN (arcfour-hmac)
   1 HOST/samba4.fss.lan@FSS.LAN (arcfour-hmac)
   1 SAMBA4$@FSS.LAN (arcfour-hmac)
   1 HOST/samba4@FSS.LAN (aes128-cts-hmac-sha1-96)
   1 HOST/samba4.fss.lan@FSS.LAN (aes128-cts-hmac-sha1-96)
   1 SAMBA4$@FSS.LAN (aes128-cts-hmac-sha1-96)
   1 HOST/samba4@FSS.LAN (aes256-cts-hmac-sha1-96)
   1 HOST/samba4.fss.lan@FSS.LAN (aes256-cts-hmac-sha1-96)
   1 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)

On Tue, 26 Feb 2019 at 16:22, Rowland Penny via samba <samba at lists.samba.org> wrote:
> What does this show:
>
> klist -e -k /var/lib/samba/private/secrets.keytab
>
> Rowland
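
Added example (not part of the original thread, and not Samba's own code): a small parser for `klist -e -k` output that checks whether the principal, kvno and enctype named in a "Failed to find ... in keytab" log line are present, and lists duplicate entries and deprecated enctypes. The function names and the shortened sample listing are constructed for illustration; the enctype alias table reflects that the server log writes "arcfour-hmac-md5" where klist prints "arcfour-hmac".

```python
import re
from collections import Counter

# The same enctype is spelled differently by different tools: the server log
# says "arcfour-hmac-md5", klist prints "arcfour-hmac". Normalise before comparing.
ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}  # deprecated: RFC 6649, RFC 8429
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return a list of (kvno, principal, enctype) from `klist -e -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            # Some MIT krb5 releases print "DEPRECATED:<name>"; keep only the name.
            enc = m.group(3).strip().lower().split(":")[-1]
            entries.append((int(m.group(1)), m.group(2), ALIASES.get(enc, enc)))
    return entries

def audit(text, principal, kvno, enctype):
    """Look for the key the server log asked for and summarise the keytab."""
    entries = parse_klist(text)
    enctype = ALIASES.get(enctype.lower(), enctype.lower())
    counts = Counter(entries)
    return {
        "wanted_present": (kvno, principal, enctype) in counts,
        "kvnos": sorted({k for k, p, _ in entries if p == principal}),
        "duplicates": sorted(e for e, n in counts.items() if n > 1),
        "weak": sorted({e for _, p, e in entries if p == principal and e in WEAK}),
    }

# Constructed sample in the same layout as the listing above (not the full keytab).
SAMPLE = """\
KVNO Principal
---- ----------------------------------------
   1 SAMBA4$@FSS.LAN (arcfour-hmac)
   1 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)
   2 SAMBA4$@FSS.LAN (arcfour-hmac)
   2 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)
   1 SAMBA4$@FSS.LAN (arcfour-hmac)
"""

if __name__ == "__main__":
    # Principal, kvno and enctype as they appear in the thread's log line.
    for key, value in audit(SAMPLE, "SAMBA4$@FSS.LAN", 2, "arcfour-hmac-md5").items():
        print(f"{key}: {value}")
```

To run it against a real keytab, pass the captured output of the klist command quoted above to `audit()` in place of `SAMPLE`.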

In my notes, if you use --dns-backend=BIND9_DLZ:

# To start named (bind)
chgrp named /var/lib/samba/private
chmod g+rx /var/lib/samba/private

Samba 4.8
ls -lai /var/lib/samba/bind-dns/dns/sam.ldb.d/
(everything 660 and root:named)

ll /var/lib/samba/bind-dns/dns/
-rw-rw---- 1 root named 3014656 Nov 15 16:36 sam.ldb
drwxrwx--- 2 root named 281 Nov 15 16:36 sam.ldb.d

chmod g+w /var/lib/samba/bind-dns
chgrp named /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab

--
Sérgio M. B.

Thank you for your reply. The bind rights are correct.

But the problem does not come from the DNS; they are well updated.

The GPOs are not applied only at the startup of the computer. After a user logs in, the gpupdate /force command is applied correctly.

The Samba server side logs are:

[2019/02/26 12:20:06.751340, 2] ../source3/smbd/service.c:1120(close_cnum)
  S server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed
[2019/02/25 10:21:11.914286, 1] ../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE

The logs on Windows 10 are: error id: 1130 and 1058

thank

Hai,

Did you set in the GPO (computer policy),
under System\Logon,
"Always wait for the network at computer startup and logon" = Enabled

If it's a script, also add these:
"Configure Network Options preference extension policy processing" is "Enabled"
"Configure Logon Script Delay" = Enabled and set to 0

And, after setting the GPO, reboot 2 x!
Or log in as Domain\Administrator and run gpupdate /force
Then reboot. (1x)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of David Jehin via samba
> Sent: Wednesday 27 February 2019 10:41
> To: Sérgio Basto
> CC: samba at lists.samba.org
> Subject: Re: [Samba] gpo not applied a boot computer
>
> Thank you for your reply. The bind rights are correct.
>
> But the problem does not come from the DNS; they are well updated.
>
> The GPOs are not applied only at the startup of the computer. After a user
> logs in, the gpupdate /force command is applied correctly.
>
> The Samba server side logs are:
>
> [2019/02/26 12:20:06.751340, 2] ../source3/smbd/service.c:1120(close_cnum)
>   S server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed
> [2019/02/25 10:21:11.914286, 1] ../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>
> The logs on Windows 10 are: error id: 1130 and 1058
>
> thank