On 4/14/23 2:23 AM, Anderson Sampaio Mello via samba wrote:
> Hello Samba Team, how are you?
>
> I'm joining linux clients in the company's environment and I would like to
> apply GPOs to linux clients, I'm in the testing phase.
>
> I'm testing with ubuntu clients version 22.04 and the software I used to
> join the samba AD was sssd.
>
> The 22.04 ubuntu client has joined and everything is working fine except
> for the GPOs for linux clients.
>
> I compiled and installed oddjob-gpupdate and also installed oddjob as
> recommended by the samba documentation (
> https://dmulder.github.io/group-policy-book/)
>
> I also installed samba version 4.15.3 with the command samba-gpupdate, when
> I run the command samba-gpupdate --rsop with sssd working it reports these
> errors:
>
> Traceback (most recent call last):
>   File "/usr/sbin/samba-gpupdate", line 117, in <module>
>     rsop(lp, creds, logger, store, gp_extensions, opts.target)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
>     dc_hostname = get_dc_hostname(creds, lp)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in
> get_dc_hostname
>     cldap_ret = net.finddc(domain=lp.get('realm'),
> flags=(nbt.NBT_SERVER_LDAP |
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')
> Error in sys.excepthook:
> Traceback (most recent call last):
>   File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 153,
> in apport_excepthook
>     with os.fdopen(os.open(pr_filename,
> FileNotFoundError: [Errno 2] No such file or directory:
> '/var/crash/_usr_sbin_samba-gpupdate.0.crash'
>
> Original exception was:
> Traceback (most recent call last):
>   File "/usr/sbin/samba-gpupdate", line 117, in <module>
>     rsop(lp, creds, logger, store, gp_extensions, opts.target)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
>     dc_hostname = get_dc_hostname(creds, lp)
>   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in
> get_dc_hostname
>     cldap_ret = net.finddc(domain=lp.get('realm'),
> flags=(nbt.NBT_SERVER_LDAP |
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')

I was able to get it to work by setting up a simple smb.conf, and doing
a `net ads join`. SSSD is still the auth provider.

My simple smb.conf looks like this:

dmulder at dmm-tw:~> cat /etc/samba/smb.conf
[global]
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    idmap config dmm : backend = rid
    idmap config dmm : range = 20001-99999
    kerberos method = secrets and keytab
    security = ADS
    usershare allow guests = No
    workgroup = DMMSUSE
    realm = dmm.suse.de

Then I set `ad_update_samba_machine_account_password = true` in
/etc/sssd/sssd.conf.

And finally:

sudo kinit Administrator
sudo net ads join -k

This creates the secrets.tdb for samba, which SSSD will now keep updated
for samba-gpupdate. Afterward samba-gpupdate is working for me with SSSD.

>
> On another station when I test on another linux ubuntu client with the same
> version of samba, but with winbind(not sssd), the GPOs are applied normally.
>
> I think it's something that isn't working well, which could be a result of
> the compilation or some detail I missed.
>
> I downloaded the code from https://github.com/openSUSE/oddjob-gpupdate and
> compiled it like this:
>
> apt install autoconf libtool libxml2-dev libdbus-1-dev oddjob libpam0g-dev
> xmlto libselinux1-dev libxml++2.6-dev
> ./autogen
> make up
> make install
>
> Did I make a mistake in the compilation process? can someone guide me to
> compile correctly?

--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com

On 18/04/2023 18:15, David Mulder via samba wrote:
> I was able to get it to work by setting up a simple smb.conf, and doing
> a `net ads join`. SSSD is still the auth provider.
>
> My simple smb.conf looks like this:
>
> dmulder at dmm-tw:~> cat /etc/samba/smb.conf
> [global]
>     idmap config * : backend = tdb
>     idmap config * : range = 10000-20000
>     idmap config dmm : backend = rid
>     idmap config dmm : range = 20001-99999
>     kerberos method = secrets and keytab
>     security = ADS
>     usershare allow guests = No
>     workgroup = DMMSUSE
>     realm = dmm.suse.de
>
> Then I set `ad_update_samba_machine_account_password = true` in
> /etc/sssd/sssd.conf.
>
> And finally:
>
> sudo kinit Administrator
> sudo net ads join -k
>
> This creates the secrets.tdb for samba, which SSSD will now keep updated
> for samba-gpupdate. Afterward samba-gpupdate is working for me with SSSD.
>

That may work for sssd, but it is never going to work for Samba:

'DMM' != 'DMMSUSE'

Rowland

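The mismatch Rowland points out, an `idmap config dmm` block next to `workgroup = DMMSUSE`, can be checked mechanically. The script below is an added example, not part of the thread or of Samba's code: `parse_global` and `check_idmap` are hypothetical helper names, the embedded smb.conf is the one quoted above, and the range-overlap check is an extra assumption beyond what the thread discusses.

```python
import re

# smb.conf as posted in the thread, embedded so the check runs offline.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    idmap config dmm : backend = rid
    idmap config dmm : range = 20001-99999
    kerberos method = secrets and keytab
    security = ADS
    usershare allow guests = No
    workgroup = DMMSUSE
    realm = dmm.suse.de
"""

def parse_global(text):
    """Return (params, idmap) parsed from the [global] section of smb.conf text."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            key = " ".join(key.lower().split())  # names are case-insensitive
            m = re.match(r"idmap config\s+(\S+)\s*:\s*(\S+)$", key)
            if m:  # e.g. "idmap config dmm : range" -> idmap["DMM"]["range"]
                idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value
            else:
                params[key] = value
    return params, idmap

def check_idmap(text):
    """List idmap problems: workgroup without its own block, overlapping ranges."""
    params, idmap = parse_global(text)
    problems = []
    workgroup = params.get("workgroup", "").upper()
    domains = [d for d in idmap if d != "*"]
    if workgroup and workgroup not in domains:
        problems.append(f"no 'idmap config {workgroup}' block; found {domains}")
    ranges = sorted((*map(int, v["range"].split("-")), d)
                    for d, v in idmap.items() if "range" in v)
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:  # next range starts before the previous one ends
            problems.append(f"idmap ranges of {d1} and {d2} overlap")
    return problems
```

On the posted configuration `check_idmap(SMB_CONF)` reports the missing `DMMSUSE` block; renaming the `dmm` entries to `DMMSUSE` clears it.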
Thanks for the reply David Mulder.

But I opted to use winbind to get the GPOs up and running.

I have another question about the operation of some GPOs, can I ask it
here or do I need to send a new email?

Thank you all.

On Tue, Apr 18, 2023 at 14:16, David Mulder via samba <samba at lists.samba.org> wrote:

> On 4/14/23 2:23 AM, Anderson Sampaio Mello via samba wrote:
> > Hello Samba Team, how are you?
> >
> > I'm joining linux clients in the company's environment and I would like to
> > apply GPOs to linux clients, I'm in the testing phase.
> >
> > I'm testing with ubuntu clients version 22.04 and the software I used to
> > join the samba AD was sssd.
> >
> > The 22.04 ubuntu client has joined and everything is working fine except
> > for the GPOs for linux clients.
> >
> > I compiled and installed oddjob-gpupdate and also installed oddjob as
> > recommended by the samba documentation (
> > https://dmulder.github.io/group-policy-book/)
> >
> > I also installed samba version 4.15.3 with the command samba-gpupdate, when
> > I run the command samba-gpupdate --rsop with sssd working it reports these
> > errors:
> >
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba-gpupdate", line 117, in <module>
> >     rsop(lp, creds, logger, store, gp_extensions, opts.target)
> >   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
> >     dc_hostname = get_dc_hostname(creds, lp)
> >   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in
> > get_dc_hostname
> >     cldap_ret = net.finddc(domain=lp.get('realm'),
> > flags=(nbt.NBT_SERVER_LDAP |
> > samba.NTSTATUSError: (3221225524, 'The object name is not found.')
> > Error in sys.excepthook:
> > Traceback (most recent call last):
> >   File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 153,
> > in apport_excepthook
> >     with os.fdopen(os.open(pr_filename,
> > FileNotFoundError: [Errno 2] No such file or directory:
> > '/var/crash/_usr_sbin_samba-gpupdate.0.crash'
> >
> > Original exception was:
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba-gpupdate", line 117, in <module>
> >     rsop(lp, creds, logger, store, gp_extensions, opts.target)
> >   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
> >     dc_hostname = get_dc_hostname(creds, lp)
> >   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in
> > get_dc_hostname
> >     cldap_ret = net.finddc(domain=lp.get('realm'),
> > flags=(nbt.NBT_SERVER_LDAP |
> > samba.NTSTATUSError: (3221225524, 'The object name is not found.')
>
> I was able to get it to work by setting up a simple smb.conf, and doing
> a `net ads join`. SSSD is still the auth provider.
>
> My simple smb.conf looks like this:
>
> dmulder at dmm-tw:~> cat /etc/samba/smb.conf
> [global]
>     idmap config * : backend = tdb
>     idmap config * : range = 10000-20000
>     idmap config dmm : backend = rid
>     idmap config dmm : range = 20001-99999
>     kerberos method = secrets and keytab
>     security = ADS
>     usershare allow guests = No
>     workgroup = DMMSUSE
>     realm = dmm.suse.de
>
> Then I set `ad_update_samba_machine_account_password = true` in
> /etc/sssd/sssd.conf.
>
> And finally:
>
> sudo kinit Administrator
> sudo net ads join -k
>
> This creates the secrets.tdb for samba, which SSSD will now keep updated
> for samba-gpupdate. Afterward samba-gpupdate is working for me with SSSD.
>
> >
> > On another station when I test on another linux ubuntu client with the same
> > version of samba, but with winbind(not sssd), the GPOs are applied normally.
> >
> > I think it's something that isn't working well, which could be a result of
> > the compilation or some detail I missed.
> >
> > I downloaded the code from https://github.com/openSUSE/oddjob-gpupdate and
> > compiled it like this:
> >
> > apt install autoconf libtool libxml2-dev libdbus-1-dev oddjob libpam0g-dev
> > xmlto libselinux1-dev libxml++2.6-dev
> > ./autogen
> > make up
> > make install
> >
> > Did I make a mistake in the compilation process? can someone guide me to
> > compile correctly?
>
> --
> David Mulder
> Labs Software Engineer, Samba
> SUSE
> 1221 S Valley Grove Way, Suite 500
> Pleasant Grove, UT 84062
> (P)+1 385.208.2989
> dmulder at suse.com
> http://www.suse.com
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>