[Samba] Samba 4.2.14 GPO issue

L.P.H. van Belle belle at bazuin.nl
Wed Aug 3 06:27:39 UTC 2016


In addition 

(source: http://www.networksteve.com/forum/topic.php/Group_Policy_Access_Denied_for_computer_policy_only/?TopicId=39534&Posts=2)

The root problem was a rogue cached credential under the Local System account. This was preventing the Local System account from logging on to the domain using the domain computer account. I think the rogue credential was a lingering item from my prior home network configuration using Windows Home Server 2011.

To resolve the issue, I had to find and delete the rogue credential under the Local System account. This is what I did:
1. Use Sysinternals PsExec to open a command prompt under the Local System account [http://technet.microsoft.com/en-us/sysinternals/bb897553]:
   From an Administrator command prompt: PsExec.exe -i -s cmd.exe
2. Open the Stored User Names and Passwords app under the Local System account:
   From the System account command prompt: rundll32.exe keymgr.dll, KRShowKeyMgr
3. You should now see the credentials that are cached under the Local System account. Review the list for rogue suspects, and remove them. For me, this was straightforward. There were two credentials listed: one rogue cred (from my old WHS2011 config I suspect), and a second called virtualapp/didlogical. When I reviewed the credentials on machines that were working, they only had the virtualapp/didlogical credential listed.

I removed the rogue credential, and then gpupdate worked like a charm! Also, running klist -li 0x3e7 now shows a nice healthy set of Kerberos tickets for the Local System account. 
All is good.
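The three steps above, as an added PowerShell example (this is not code from the forum post, from the list, or from Samba): it re-launches itself under SYSTEM with PsExec, lists SYSTEM's stored credentials with cmdkey (the same store the KRShowKeyMgr dialog shows), flags every entry not on an allowlist, deletes them only when -Remove is given, and then runs klist -li 0x3e7 and gpupdate. Assumptions: PsExec.exe is on PATH, the script is started from an elevated prompt, and the allowlist holds only the virtualapp/didlogical entry the post reports on healthy machines.

```powershell
# Added example (not from the original post): audit the credentials stored for
# the Local System account, which is what steps 1-3 of the post do by hand.
# Assumptions: PsExec.exe is on PATH, the script is started from an elevated
# prompt, and 'virtualapp/didlogical' is the only entry expected on a healthy
# machine (as the post reports).
[CmdletBinding()]
param(
    [string[]]$Allowlist = @('virtualapp/didlogical'),
    [switch]$Remove            # delete suspects; without it the script only reports
)

function Test-IsLocalSystem {
    # SYSTEM is S-1-5-18; its logon session is LUID 0x3e7 (999), hence klist -li 0x3e7.
    [Security.Principal.WindowsIdentity]::GetCurrent().User.Value -eq 'S-1-5-18'
}

function Get-StoredCredentialTarget {
    # cmdkey /list prints one "Target: <type>:target=<name>" line per entry in the
    # calling account's credential store; under SYSTEM that is the same list the
    # KRShowKeyMgr dialog shows. Strip the type prefix so the name can be fed
    # back to cmdkey /delete.
    foreach ($line in (cmdkey /list 2>&1)) {
        if ($line -match '^\s*Target:\s*(?:(?:Domain|LegacyGeneric|Generic):target=)?(.+?)\s*$') {
            $Matches[1]
        }
    }
}

if (-not (Test-IsLocalSystem)) {
    # Step 1 of the post: hop into SYSTEM with PsExec and run this script there.
    # No -i: without it PsExec feeds the child's console output back to this window.
    $psexecArgs = @('-accepteula', '-s', 'powershell.exe', '-NoProfile',
                    '-ExecutionPolicy', 'Bypass', '-File', $MyInvocation.MyCommand.Path)
    if ($Remove) { $psexecArgs += '-Remove' }
    & PsExec.exe @psexecArgs
    exit $LASTEXITCODE
}

$targets = @(Get-StoredCredentialTarget)
Write-Host ("Credentials stored for SYSTEM: {0}" -f $targets.Count)
foreach ($target in $targets) {
    if ($Allowlist -contains $target) {
        Write-Host "  ok       $target"
        continue
    }
    Write-Warning "suspect  $target"
    if ($Remove) {
        # Step 3 of the post, done from the command line instead of the dialog.
        cmdkey "/delete:$target" | Out-Null
    }
}

# Step 4: SYSTEM should now be able to get a TGT as the computer account.
# A healthy machine shows a krbtgt/<REALM> ticket in this list.
klist -li 0x3e7
if ($Remove) { gpupdate /force }
```

Run it once without -Remove and read the list first: the post's rogue entry was only identifiable because it was absent on working machines, so compare against a known-good host before deleting anything, since cmdkey /delete cannot be undone.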




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Wednesday 3 August 2016 8:15
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 GPO issue
> 
> Hi Min Wai,
> 
> Please read these links, MS changed some things in GPO.
> 
> MS16-072: Security update for Group Policy: June 14, 2016
> https://support.microsoft.com/en-gb/kb/3159398
> 
> The following page explains the issues and the corrective measures.
> https://support.microsoft.com/en-gb/kb/3163622
> 
> 
> In sum:
> Add the Authenticated Users group with Read Permissions on the Group
> Policy Object (GPO).
> If you are using security filtering, add the Domain Computers group with
> read permission.
> 
> See if above helps you.
> If not, enable GPO operational logging.
> Open registry editor, navigate to HKLM\Software\Microsoft\Windows
> NT\CurrentVersion
> 
> - Right click CurrentVersion->New->Key
> - Rename the newly created key to Diagnostics
> - Right click on Diagnostics->New->DWORD(32-bit)value, rename the new
> DWORD entry to GPSvcDebugLevel and set the value as 0x30002 (hexadecimal)
> 
> - After you modified the registry, please run the command gpupdate /force
> at command prompt to refresh the policy. Reboot the computer to reproduce
> the issue.
> 
> The log file is written to the %SystemRoot%\Debug\UserMode folder.
> And see if you get more/better info from the debug log.
> 
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Min Wai Chan
> > Sent: Wednesday 3 August 2016 4:45
> > To: Sébastien Le Ray
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] Samba 4.2.14 GPO issue
> >
> > Dear Sébastien,
> >
> > Sorry for the delay,
> >
> > Please check on the log below.
> > As for the word "???????????????", it should translate to Access Denied...
> >
> > Please help.
> >
> >
> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >   <System>
> >     <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
> >     <EventID>1055</EventID>
> >     <Version>0</Version>
> >     <Level>2</Level>
> >     <Task>0</Task>
> >     <Opcode>1</Opcode>
> >     <Keywords>0x8000000000000000</Keywords>
> >     <TimeCreated SystemTime="2016-08-03T02:25:58.236569500Z" />
> >     <EventRecordID>237427</EventRecordID>
> >     <Correlation ActivityID="{20A9F83F-172B-4F62-8B1A-5732474FD71D}" />
> >     <Execution ProcessID="1156" ThreadID="1872" />
> >     <Channel>System</Channel>
> >     <Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
> >     <Security UserID="S-1-5-18" />
> >   </System>
> >   <EventData>
> >     <Data Name="SupportInfo1">1</Data>
> >     <Data Name="SupportInfo2">2052</Data>
> >     <Data Name="ProcessingMode">0</Data>
> >     <Data Name="ProcessingTimeInMilliseconds">3495</Data>
> >     <Data Name="ErrorCode">5</Data>
> >     <Data Name="ErrorDescription">???????????????</Data>
> >   </EventData>
> > </Event>
> >
> >
> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >   <System>
> >     <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
> >     <EventID>1053</EventID>
> >     <Version>0</Version>
> >     <Level>2</Level>
> >     <Task>0</Task>
> >     <Opcode>1</Opcode>
> >     <Keywords>0x8000000000000000</Keywords>
> >     <TimeCreated SystemTime="2016-08-03T02:25:58.220969800Z" />
> >     <EventRecordID>237426</EventRecordID>
> >     <Correlation ActivityID="{81CBE41A-C06F-4C33-9A59-DA9418903184}" />
> >     <Execution ProcessID="1156" ThreadID="4516" />
> >     <Channel>System</Channel>
> >     <Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
> >     <Security UserID="S-1-5-21-3560897929-3766931875-2087304217-2002" />
> >   </System>
> >   <EventData>
> >     <Data Name="SupportInfo1">1</Data>
> >     <Data Name="SupportInfo2">2052</Data>
> >     <Data Name="ProcessingMode">0</Data>
> >     <Data Name="ProcessingTimeInMilliseconds">3541</Data>
> >     <Data Name="ErrorCode">5</Data>
> >     <Data Name="ErrorDescription">???????????????</Data>
> >   </EventData>
> > </Event>
> >
> >
> >
> >
> > On Mon, Jul 25, 2016 at 2:51 AM, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:
> >
> > > Hi,
> > >
> > > That looks more like gpupdate output than an event log entry :-)
> > >
> > >
> > >
> > > On 24/07/2016 at 20:46, Min Wai Chan wrote:
> > >
> > >> Hello Sébastien Le Ray,
> > >>
> > >> The PC reply the following...
> > >>
> > >> The processing of Group Policy failed. Windows could not resolve the
> > >> user name. This could be caused by one or more of the following:
> > >> a) Name Resolution failure on the current domain controller.
> > >> b) Active Directory Replication Latency (an account created on another
> > >> domain controller has not replicated to the current domain controller).
> > >>
> > >> The processing of Group Policy failed. Windows could not resolve the
> > >> computer name. This could be caused by one or more of the following:
> > >> a) Name Resolution failure on the current domain controller.
> > >> b) Active Directory Replication Latency (an account created on another
> > >> domain controller has not replicated to the current domain controller).
> > >>
> > >> To diagnose the failure, review the event log or run GPRESULT /H
> > >> GPReport.html from the command line to access information about Group
> > >> Policy results.
> > >>
> > >> On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:
> > >>> Hi,
> > >>>
> > >>> Do you have any specific error message in the Windows event log
> > >>> concerning GPO?
> > >>>
> > >>> Regards
> > >>>
> > >>>
> > >>> On 24/07/2016 at 05:40, Min Wai Chan wrote:
> > >>>
> > >>>> Dear All,
> > >>>>
> > >>>> I've recently upgraded from samba 4.1.x to samba 4.2.14 and found that
> > >>>> GPOs are having issues.
> > >>>>
> > >>>> Specifically, when I add new users they *never* get the gpupdate
> > >>>> successfully.
> > >>>>
> > >>>> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset,
> > >>>> it doesn't seem to get fixed.
> > >>>>
> > >>>> Any suggestion?
> > >>>>
> > >>>> Thanks in advance.
> > >>>>
> > >>>> #samba-tool ntacl sysvolcheck
> > >>>> Processing section "[netlogon]"
> > >>>> Processing section "[sysvol]"
> > >>>> Processing section "[dfs]"
> > >>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > >>>> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> > >>>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > >>>> does not match expected value
> > >>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > >>>> from GPO object
> > >>>>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > >>>>     return self.run(*args, **kwargs)
> > >>>>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
> > >>>>     lp)
> > >>>>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
> > >>>>     direct_db_access)
> > >>>>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
> > >>>>     domainsid, direct_db_access)
> > >>>>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
> > >>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> > >>>>
> > >>>> Regards,
> > >>>> Min Wai
> > >>>>
> > >>>>
> > >>>
> > >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 
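The GPO permission check and the GPSvc debug-logging step from Louis's quoted reply, plus a query for the two events Min Wai posted, as one added PowerShell example (not code from the thread, from Microsoft, or from Samba). It assumes the GroupPolicy RSAT module on a domain-joined Windows host, run as a domain admin; the principal names "Authenticated Users" and "Domain Computers" are the ones the reply names, and the log file name gpsvc.log is taken from Microsoft's documentation of GPSvcDebugLevel rather than from the thread.

```powershell
# Added example (not from the thread or from Samba): audit and repair GPO read
# access for the principals the reply names (after MS16-072 the computer account
# fetches user policy too, so it needs Read on every GPO), list the
# GroupPolicy 1053/1055 failures, and optionally switch on GPSvc debug logging.
# Assumptions: GroupPolicy RSAT module installed, run as a domain admin on a
# domain-joined host; gpsvc.log is the file name Microsoft documents for
# GPSvcDebugLevel, not something the thread states.
Import-Module GroupPolicy

function Get-PrincipalSid([string]$Name) {
    # Compare trustees by SID rather than display name: names are localized
    # (WIN7SRV in the thread runs locale 2052), SIDs are not.
    ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Repair-GpoReadAccess {
    param(
        [string[]]$Principals = @('Authenticated Users', 'Domain Computers'),
        [switch]$Fix           # without it the function only reports
    )
    $wanted = @{}
    foreach ($p in $Principals) { $wanted[(Get-PrincipalSid $p)] = $p }

    foreach ($gpo in Get-GPO -All) {
        $present = @{}
        foreach ($perm in (Get-GPPermission -Guid $gpo.Id -All)) {
            # Any listed level (GpoRead, GpoApply, GpoEdit, ...) includes Read.
            if ($perm.Trustee.Sid -and $perm.Permission -ne 'None') {
                $present[$perm.Trustee.Sid.Value] = $perm.Permission
            }
        }
        foreach ($sid in $wanted.Keys) {
            if ($present.ContainsKey($sid)) { continue }
            Write-Warning ("{0}: {1} has no Read on this GPO" -f $gpo.DisplayName, $wanted[$sid])
            if ($Fix) {
                # GpoRead only: Read does not make the GPO apply to the trustee,
                # so existing security filtering is left as it was.
                Set-GPPermission -Guid $gpo.Id -TargetName $wanted[$sid] `
                    -TargetType Group -PermissionLevel GpoRead | Out-Null
            }
        }
    }
}

function Get-GpoFailureEvent {
    # The events Min Wai posted: 1053/1055 from Microsoft-Windows-GroupPolicy.
    # UserID S-1-5-18 means the computer half of policy failed, any other SID the
    # user half; ErrorCode 5 is ERROR_ACCESS_DENIED. Property order follows the
    # EventData in the posted XML, where ErrorCode is the fifth Data element.
    Get-WinEvent -FilterHashtable @{ LogName = 'System';
            ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1053, 1055 } `
            -MaxEvents 20 -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Scope     = if ($_.UserId.Value -eq 'S-1-5-18') { 'computer' } else { 'user' }
                ErrorCode = $_.Properties[4].Value
            }
        }
}

function Enable-GPSvcDebugLog {
    # The registry change from the reply: HKLM\...\CurrentVersion\Diagnostics,
    # DWORD GPSvcDebugLevel = 0x30002; output lands under %SystemRoot%\Debug\UserMode.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name GPSvcDebugLevel -PropertyType DWord `
        -Value 0x30002 -Force | Out-Null
    gpupdate /force
    Join-Path $env:SystemRoot 'Debug\UserMode\gpsvc.log'   # path to read after the reboot
}

Get-GpoFailureEvent | Format-Table -AutoSize
Repair-GpoReadAccess          # report only
# Repair-GpoReadAccess -Fix   # add the missing Read ACEs
# Enable-GPSvcDebugLog        # if policy still fails: enable, reboot, read gpsvc.log
```

On a Samba DC, re-run samba-tool ntacl sysvolcheck after changing permissions from a Windows host: the GPO object's ACL and the SYSVOL folder ACL have to stay in step, which is exactly what the sysvolcheck error quoted further up in the thread is complaining about.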




