Hello Samba Team, how are you?

I'm joining linux clients in the company's environment and I would like to apply GPOs to linux clients. I'm in the testing phase.

I'm testing with ubuntu clients version 22.04 and the software I used to join the samba AD was sssd.

The 22.04 ubuntu client has joined and everything is working fine except for the GPOs for linux clients.

I compiled and installed oddjob-gpupdate and also installed oddjob as recommended by the samba documentation (https://dmulder.github.io/group-policy-book/).

I also installed samba version 4.15.3 with the command samba-gpupdate. When I run the command samba-gpupdate --rsop with sssd working it reports these errors:

Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 117, in <module>
    rsop(lp, creds, logger, store, gp_extensions, opts.target)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
    dc_hostname = get_dc_hostname(creds, lp)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in get_dc_hostname
    cldap_ret = net.finddc(domain=lp.get('realm'), flags=(nbt.NBT_SERVER_LDAP |
samba.NTSTATUSError: (3221225524, 'The object name is not found.')
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 153, in apport_excepthook
    with os.fdopen(os.open(pr_filename,
FileNotFoundError: [Errno 2] No such file or directory: '/var/crash/_usr_sbin_samba-gpupdate.0.crash'

Original exception was:
Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 117, in <module>
    rsop(lp, creds, logger, store, gp_extensions, opts.target)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
    dc_hostname = get_dc_hostname(creds, lp)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in get_dc_hostname
    cldap_ret = net.finddc(domain=lp.get('realm'), flags=(nbt.NBT_SERVER_LDAP |
samba.NTSTATUSError: (3221225524, 'The object name is not found.')

On another station when I test on another linux ubuntu client with the same version of samba, but with winbind (not sssd), the GPOs are applied normally.

I think it's something that isn't working well, which could be a result of the compilation or some detail I missed.

I downloaded the code from https://github.com/openSUSE/oddjob-gpupdate and compiled it like this:

apt install autoconf libtool libxml2-dev libdbus-1-dev oddjob libpam0g-dev xmlto libselinux1-dev libxml++2.6-dev
./autogen
make up
make install

Did I make a mistake in the compilation process? Can someone guide me to compile correctly?

On 14.04.23 at 10:23, Anderson Sampaio Mello via samba wrote:
> Did I make a mistake in the compilation process? Can someone guide me to
> compile correctly?

I think sssd has its own support for GPOs. It uses the existing Windows-Template (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo#how-sssd-works-with-gpo). Maybe this gets in the way?

And I assume it was never meant to work with SSSD.

Regards
Christian

On 14/04/2023 09:23, Anderson Sampaio Mello via samba wrote:
> Hello Samba Team, how are you?
>
> I'm joining linux clients in the company's environment and I would like to
> apply GPOs to linux clients, I'm in the testing phase.
>
> I'm testing with ubuntu clients version 22.04 and the software I used to
> join the samba AD was sssd.
>

Samba does not provide or support sssd (which has its own GPO mechanism), so it may have never been tested in the way you are running it. You will probably get better support by contacting the sssd-users mailing list.

Rowland

On 4/14/23 2:23 AM, Anderson Sampaio Mello via samba wrote:
> Hello Samba Team, how are you?
>
> I'm joining linux clients in the company's environment and I would like to
> apply GPOs to linux clients, I'm in the testing phase.
>
> I'm testing with ubuntu clients version 22.04 and the software I used to
> join the samba AD was sssd.
>
> The 22.04 ubuntu client has joined and everything is working fine except
> for the GPOs for linux clients.
>
> I compiled and installed oddjob-gpupdate and also installed oddjob as
> recommended by the samba documentation (
> https://dmulder.github.io/group-policy-book/)
>
> I also installed samba version 4.15.3 with the command samba-gpupdate, when
> I run the command samba-gpupdate --rsop with sssd working it reports these
> errors:
>
> Traceback (most recent call last):
>   File "/usr/sbin/samba-gpupdate", line 117, in <module>
>     rsop(lp, creds, logger, store, gp_extensions, opts.target)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
>     dc_hostname = get_dc_hostname(creds, lp)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in get_dc_hostname
>     cldap_ret = net.finddc(domain=lp.get('realm'), flags=(nbt.NBT_SERVER_LDAP |
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')
> Error in sys.excepthook:
> Traceback (most recent call last):
>   File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 153, in apport_excepthook
>     with os.fdopen(os.open(pr_filename,
> FileNotFoundError: [Errno 2] No such file or directory: '/var/crash/_usr_sbin_samba-gpupdate.0.crash'
>
> Original exception was:
> Traceback (most recent call last):
>   File "/usr/sbin/samba-gpupdate", line 117, in <module>
>     rsop(lp, creds, logger, store, gp_extensions, opts.target)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
>     dc_hostname = get_dc_hostname(creds, lp)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in get_dc_hostname
>     cldap_ret = net.finddc(domain=lp.get('realm'), flags=(nbt.NBT_SERVER_LDAP |
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')

samba-gpupdate is failing to find the dc hostname. Can you provide me with copies of your config (sssd, smb.conf)?

> On another station when I test on another linux ubuntu client with the same
> version of samba, but with winbind(not sssd), the GPOs are applied normally.
>
> I think it's something that isn't working well, which could be a result of
> the compilation or some detail I missed.
>
> I downloaded the code from https://github.com/openSUSE/oddjob-gpupdate and
> compiled it like this:
>
> apt install autoconf libtool libxml2-dev libdbus-1-dev oddjob libpam0g-dev
> xmlto libselinux1-dev libxml++2.6-dev
> ./autogen
> make up
> make install
>
> Did I make a mistake in the compilation process? Can someone guide me to
> compile correctly?

I'm afraid Samba's group policy isn't officially supported with SSSD, although it has worked in the past. It is known to work well with Winbind though.

Sorry for the slow response. I've been on paternity leave.

--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com

On 4/14/23 2:23 AM, Anderson Sampaio Mello via samba wrote:
> Hello Samba Team, how are you?
>
> I'm joining linux clients in the company's environment and I would like to
> apply GPOs to linux clients, I'm in the testing phase.
>
> I'm testing with ubuntu clients version 22.04 and the software I used to
> join the samba AD was sssd.
>
> The 22.04 ubuntu client has joined and everything is working fine except
> for the GPOs for linux clients.
>
> I compiled and installed oddjob-gpupdate and also installed oddjob as
> recommended by the samba documentation (
> https://dmulder.github.io/group-policy-book/)
>
> I also installed samba version 4.15.3 with the command samba-gpupdate, when
> I run the command samba-gpupdate --rsop with sssd working it reports these
> errors:
>
> Traceback (most recent call last):
>   File "/usr/sbin/samba-gpupdate", line 117, in <module>
>     rsop(lp, creds, logger, store, gp_extensions, opts.target)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
>     dc_hostname = get_dc_hostname(creds, lp)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in get_dc_hostname
>     cldap_ret = net.finddc(domain=lp.get('realm'), flags=(nbt.NBT_SERVER_LDAP |
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')
> Error in sys.excepthook:
> Traceback (most recent call last):
>   File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 153, in apport_excepthook
>     with os.fdopen(os.open(pr_filename,
> FileNotFoundError: [Errno 2] No such file or directory: '/var/crash/_usr_sbin_samba-gpupdate.0.crash'
>
> Original exception was:
> Traceback (most recent call last):
>   File "/usr/sbin/samba-gpupdate", line 117, in <module>
>     rsop(lp, creds, logger, store, gp_extensions, opts.target)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
>     dc_hostname = get_dc_hostname(creds, lp)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in get_dc_hostname
>     cldap_ret = net.finddc(domain=lp.get('realm'), flags=(nbt.NBT_SERVER_LDAP |
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')

I was able to get it to work by setting up a simple smb.conf, and doing a `net ads join`. SSSD is still the auth provider. My simple smb.conf looks like this:

dmulder@dmm-tw:~> cat /etc/samba/smb.conf
[global]
        idmap config * : backend = tdb
        idmap config * : range = 10000-20000
        idmap config dmm : backend = rid
        idmap config dmm : range = 20001-99999
        kerberos method = secrets and keytab
        security = ADS
        usershare allow guests = No
        workgroup = DMMSUSE
        realm = dmm.suse.de

Then I set `ad_update_samba_machine_account_password = true` in /etc/sssd/sssd.conf. And finally:

sudo kinit Administrator
sudo net ads join -k

This creates the secrets.tdb for samba, which SSSD will now keep updated for samba-gpupdate. Afterward samba-gpupdate is working for me with SSSD.

>
> On another station when I test on another linux ubuntu client with the same
> version of samba, but with winbind(not sssd), the GPOs are applied normally.
>
> I think it's something that isn't working well, which could be a result of
> the compilation or some detail I missed.
>
> I downloaded the code from https://github.com/openSUSE/oddjob-gpupdate and
> compiled it like this:
>
> apt install autoconf libtool libxml2-dev libdbus-1-dev oddjob libpam0g-dev
> xmlto libselinux1-dev libxml++2.6-dev
> ./autogen
> make up
> make install
>
> Did I make a mistake in the compilation process? Can someone guide me to
> compile correctly?

--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
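
A preflight check for the settings described in the last message, added here as an example; it is not code from the thread or from Samba. The function names, the choice to treat the smb.conf values shown above as required, and the "before" sample configs are assumptions made for illustration.

```python
import re

SSSD_OPTION = "ad_update_samba_machine_account_password"
# Values from the smb.conf in the message above; treating them as required is an assumption.
SMB_EXPECTED = {"security": "ads", "kerberos method": "secrets and keytab"}

def parse_ini(text):
    """Parse smb.conf/sssd.conf text into {section: {key: value}} (names lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def check_gpupdate_prereqs(smb_conf_text, sssd_conf_text):
    """Return a list of findings; an empty list means every setting is present."""
    findings = []
    glob = parse_ini(smb_conf_text).get("global", {})
    for key, want in SMB_EXPECTED.items():
        got = glob.get(key, "")
        if got.lower() != want:
            findings.append(f"smb.conf: {key} = {got or '<unset>'}, expected {want}")
    # The traceback fails in net.finddc(domain=lp.get('realm')), so realm must be set.
    for key in ("realm", "workgroup"):
        if not glob.get(key):
            findings.append(f"smb.conf: {key} is not set")
    sssd = parse_ini(sssd_conf_text)
    domains = {n: s for n, s in sssd.items() if n.startswith("domain/")}
    if not domains:
        findings.append("sssd.conf: no [domain/...] section")
    for name, opts in domains.items():
        if opts.get(SSSD_OPTION, "").lower() != "true":
            findings.append(f"sssd.conf: [{name}] {SSSD_OPTION} is not true")
    return findings

# Constructed sample input: a client joined through SSSD only, before the change.
SMB_BEFORE = "[global]\n\tworkgroup = DMMSUSE\n\tsecurity = user\n"
SSSD_BEFORE = "[sssd]\ndomains = dmm.suse.de\n\n[domain/dmm.suse.de]\nid_provider = ad\n"

if __name__ == "__main__":
    for finding in check_gpupdate_prereqs(SMB_BEFORE, SSSD_BEFORE):
        print(finding)
```

Pass the contents of /etc/samba/smb.conf and /etc/sssd/sssd.conf as the two arguments; the check only reads configuration text and does not confirm that the `net ads join` step has created secrets.tdb.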