[Samba] Samba 4.2.14 Group Policy (GPO) sync error
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 3 14:31:57 UTC 2016
Can you run on a failing computer:
- netdom verify yourpcname
- nslookup yourpcname
All ok?
And is time in sync?
Did you install winbind after the update, and did you also change your server services line?
Like, I use bind9 DNS.
My smb.conf contains only this: server services = -dns
The full line is:
samba-tool testparm -vv | grep "server service"
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
The thing you have to look at is: winbindd, and not winbind.
And it is really best to set up TLS/SSL:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
(missing on that site: add TLS_REQCERT allow to ldap.conf)
Or a simple setup with your own cert:
https://www.spinics.net/lists/samba/msg134098.html
It's Debian minded, but translate it to your OS; most is the same.
Or make them manually:
https://www.google.nl/search?q=setup+own+caroot#q=openssl+create+self+signed+certificate
Pick one.
Now, for the other problem, after the above is done/checked.
You can clear your GPO history on the PC.
It's recreated when you reboot/log in again, so no worries.
@echo off
REM Remove the locally cached GPO history; it is rebuilt at the next reboot/logon.
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
REM Remove the machine and user policy registry keys written by earlier GPO processing.
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REM Remove the local security policy database so it is regenerated.
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
REM Drop cached Kerberos tickets and force a fresh policy refresh.
klist purge
gpupdate /force
exit
Now reboot your PC and check again.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of rme at bluemail.ch
> Sent: Wednesday, 3 August 2016 15:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
>
> Hi Louis,
>
> Many many thanks for your very quick and comprehensive reply.
> I also found this thread here
> <https://lists.samba.org/archive/samba/2016-July/201471.html>
>
> Unfortunately none of the suggestions seem to entirely resolve the issue.
>
> As a first work-around I have inserted
> ldap server require strong auth = no
> to my smb.conf and re-started Samba.
>
> Unfortunately this didn't change anything. I am still getting the same errors
> from gpupdate.exe (with the same errors logged to event log) claiming name
> resolution failure while samba logs report:
>
> [2016/08/03 15:17:45.609250, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
>   gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> [2016/08/03 15:17:45.609387, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
>   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
>
> I am not fully sure about the MS changes though. My GPOs all list "Authenticated
> Users" in the "Security Filtering" section in the Scope tab. I am unsure where to
> insert the "Authenticated Users" group in the GPO with read permissions. Does it
> mean I should add "Authenticated Users" in the Delegation tab? If yes, then all
> my GPOs already have this entry in the Delegation tab:
> - Authenticated Users, Read (from Security Filtering)
>
> I also tried inserting Domain Computers with Read permissions to the Delegation
> tab. No change in the result though.
>
> I also tried to remove the "Authenticated Users" entry from Security Filtering
> with and without adding it to the Delegation tab, to no avail. It still complains
> about name resolution failure on domain controller.
>
> I also added the admx templates successfully to sysvol but this did not fix the
> GPO processing issue (as expected).
>
> In addition also samba-tool ntacl sysvolcheck returns the same error as
> indicated in the thread above:
>
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/ad.cyberdyne.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> Though according to <https://lists.samba.org/archive/samba/2016-July/201448.html>
> this might be a samba-tool issue.
>
> Though I don't think it's related to the error, as it looks like somehow it's not
> about permissions or issues on sysvol share level but rather crypto/signature
> issues.
>
> Moreover I tried a bit more GPO debugging as instructed here:
> <https://lists.samba.org/archive/samba/2016-August/201762.html>
>
> Perhaps the following log line points out an error:
> GPSVC(3a8.b94) 15:07:34:198 ProcessGPOs(Machine): MyGetUserName failed with 5.
>
> The full log can be found here:
> <http://pastebin.com/vgbhx0cm>
>
> Many thanks again.
> Rainer
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
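The sysvolcheck mismatch quoted above comes down to the two SDDL strings differing in one field only. As an added example (not code from this thread or from Samba), the script below parses both descriptors, copied from the quoted output, and reports where they differ; the SID abbreviations and access masks are decoded from the standard SDDL and NTFS definitions.

```python
import re
from typing import List, NamedTuple

# Both descriptors are copied from the samba-tool ntacl sysvolcheck output quoted in the thread:
# the ACL found on the GPO directory in sysvol, and the value the GPO object says it should be.
FOUND_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
              "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
                 "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Well-known SDDL SID abbreviations used in these descriptors.
SID_ALIASES = {"LA": "Local Administrator", "DA": "Domain Admins", "EA": "Enterprise Admins",
               "CO": "Creator Owner", "SY": "SYSTEM", "AU": "Authenticated Users",
               "ED": "Enterprise Domain Controllers"}
# NTFS access masks seen in the ACEs: FILE_ALL_ACCESS and FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
RIGHTS = {0x001F01FF: "Full control", 0x001200A9: "Read & execute"}

SD_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl_flags>[^(]*)(?P<aces>.*)$")
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


class Ace(NamedTuple):
    ace_type: str   # A = access allowed, D = access denied
    flags: str      # inheritance flags, e.g. OICI = object inherit + container inherit
    rights: int     # access mask
    sid: str        # trustee (SDDL abbreviation or an S-1-... SID)


def label(sid: str) -> str:
    return f"{sid} ({SID_ALIASES[sid]})" if sid in SID_ALIASES else sid


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("not a recognised O:...G:...D:... SDDL string")
    aces = [Ace(t, f, int(r, 16), sid) for t, f, r, _obj, _iobj, sid in ACE_RE.findall(m["aces"])]
    return {"owner": m["owner"], "group": m["group"], "dacl_flags": m["dacl_flags"], "aces": aces}


def diff_sddl(found: str, expected: str) -> List[str]:
    """Return human-readable differences between a found and an expected descriptor."""
    a, b = parse_sddl(found), parse_sddl(expected)
    diffs = [f"{field}: found {label(a[field])}, expected {label(b[field])}"
             for field in ("owner", "group", "dacl_flags") if a[field] != b[field]]
    for ace in set(a["aces"]) ^ set(b["aces"]):   # ACEs present on one side only
        side = "only in found" if ace in a["aces"] else "only in expected"
        diffs.append(f"ACE {side}: {ace.ace_type};{ace.flags};"
                     f"{RIGHTS.get(ace.rights, hex(ace.rights))};{label(ace.sid)}")
    return diffs


if __name__ == "__main__":
    for line in diff_sddl(FOUND_SDDL, EXPECTED_SDDL) or ["descriptors are identical"]:
        print(line)
```

Run as-is it reports that only the owner differs (LA on disk versus DA in the GPO object) while all seven ACEs, including the Authenticated Users read entry, match.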