[Samba] Samba 4.2.14 Group Policy (GPO) sync error

rme at bluemail.ch
Wed Aug 3 11:41:28 UTC 2016


Hello,

I think I really need some help on this.

Since the Samba 4.2.11 upgrade my Windows 10 clients have been unable to synchronize group 
policies. I have already asked about this here 
<https://lists.samba.org/archive/samba/2016-April/199226.html>. Now I have 
re-investigated the issue with the Windows 10 1607 update and still face the same 
issue, which prevents me from rolling out this configuration in production.

My Setup:
- Samba 4.2.14 in active directory domain controller role
- BIND_DLZ DNS backend
- Windows 10 Pro 1607 clients


I am successfully able to join the clients to the Samba AD domain but they fail 
to synchronize group policies and therefore fail to apply logon/logoff scripts 
as well as important system settings.

Executing 'gpupdate' on the command line yields the following output:
----
The processing of Group Policy failed. Windows could not resolve the computer 
name. This could be caused by one or more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain 
controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were 
encountered:

The processing of Group Policy failed. Windows could not resolve the user name. 
This could be caused by one or more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain 
controller has not replicated to the current domain controller).
----


On the Samba side, with log level 10, I get the following errors:
----
[2016/08/03 13:12:41.571366,  1] 
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
   gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0 
for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:41.571495,  0] 
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: 
NT_STATUS_ACCESS_DENIED
----


I am specifically worried about the "unknown mech-code" error, which might 
indicate some issue with the Kerberos crypto. I am running Samba on Gentoo 
along with Heimdal 1.5.3-r2.


Does anybody have a clue where to look for a configuration mistake, or whether I 
should report this as a bug?
I am especially concerned because this error did not occur in Samba 4.2.9 (the last 
version before the Badlock security update).

Any help or hint would be highly appreciated!


When running gpupdate, the following block of messages is repeated multiple 
times in the Samba logs:
[2016/08/03 13:12:39.715332,  3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2016/08/03 13:12:39.716203,  5] 
../auth/gensec/gensec_start.c:672(gensec_start_mech)
   Starting GENSEC mechanism spnego
[2016/08/03 13:12:39.716472,  5] 
../auth/gensec/gensec_start.c:672(gensec_start_mech)
   Starting GENSEC submechanism gssapi_krb5
[2016/08/03 13:12:39.718868,  5] 
../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
   gensec_gssapi: NO credentials were delegated
[2016/08/03 13:12:39.718993,  5] 
../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
   GSSAPI Connection will be cryptographically sealed
[2016/08/03 13:12:39.728127,  1] 
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
   gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0 
for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:39.728261,  0] 
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: 
NT_STATUS_ACCESS_DENIED
[2016/08/03 13:12:39.729278,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/08/03 13:12:39.729352,  5] 
../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
   imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.16428.49
[2016/08/03 13:12:39.729499,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]




Here are my compiled parameters as printed by testparm:

# Global parameters
[global]
         workgroup = MYDOM
         realm = ad.mydom.local
         netbios aliases = SOFTWARE
         server string = Server
         interfaces = 127.0.0.1/8 10.0.1.6/24 fdea:5b48:d4c1:1:1::6/64
         bind interfaces only = Yes
         server role = active directory domain controller
         passdb backend = samba_dsdb
         log file = /var/log/samba/smb.%M
         max log size = 500
         time server = Yes
         deadtime = 2
         logon script = KIX32.exe logon.kix
         logon path = \\%N\profile\.winprofile
         logon drive = N:
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbindd, ntp_signd, kcc, dnsupdate
         rpc_server:tcpip = no
         rpc_daemon:spoolssd = embedded
         rpc_server:spoolss = embedded
         rpc_server:winreg = embedded
         rpc_server:ntsvcs = embedded
         rpc_server:eventlog = embedded
         rpc_server:srvsvc = embedded
         rpc_server:svcctl = embedded
         rpc_server:default = external
         winbindd:use external pipes = true
         idmap_ldb:use rfc2307 = yes
         acl:search = no
         idmap config * : backend = tdb
         veto files = 
/*.k/*.encoderpass/*.locky/*.ecc/*.ezz/*.exx/*.zzz/*.xyz/*.aaa/*.abc/*.ccc/*.vvv/*.xxx/*.ttt/*.micro/*.encrypted/*.locked/*.crypto/_crypt/*.crinf/*.r5a/*.xrtn/*.XTBL/*.crypt/*.R16M01D05/*.pzdc/*.good/*.LOL!/*.OMG!/*.RDM/*.RRK/*.encryptedRSA/*.crjoker/*.EnCiPhErEd/*.LeChiffre/*.keybtc at inbox_com/*.0x0/*.bleep/*.1999/*.vault/*.HA3/*.toxcrypt/*.magic/*.SUPERCRYPT/*.CTBL/*.CTB2/*.locky/HELPDECRYPT.TXT/HELP_YOUR_FILES.TXT/HELP_TO_DECRYPT_YOUR_FILES.txt/RECOVERY_KEY.txt/HELP_RESTORE_FILES.txt/HELP_RECOVER_FILES.txt/HELP_TO_SAVE_FILES.txt/DecryptAllFiles.txt/DECRYPT_INSTRUCTIONS.TXT/INSTRUCCIONES_DESCIFRADO.TXT/How_To_Recover_Files.txt/YOUR_FILES.HTML/YOUR_FILES.url/encryptor_raas_readme_liesmich.txt/Help_Decrypt.txt/DECRYPT_INSTRUCTION.TXT/HOW_TO_DECRYPT_FILES.TXT/ReadDecryptFilesHere.txt/Coin.Locker.txt/_secret_code.txt/About_Files.txt/Read.txt/DECRYPT_ReadMe.TXT/DecryptAllFiles.txt/FILESAREGONE.TXT/IAMREADYTOPAY.TXT/HELLOTHERE.TXT/READTHISNOW!!!.TXT/SECRETIDHERE.KEY/IHAVEYOURSECRET.KEY/SECRET.KEY/HELPDECYPRT_YOUR_FILES.HTML/help_decrypt_your_files.html/HELP_TO_SAVE_FILES.txt/RECOVERY_FILES.txt/RECOVERY_FILE.TXT/RECOVERY_FILE*.txt/HowtoRESTORE_FILES.txt/HowtoRestore_FILES.txt/howto_recover_file.txt/restorefiles.txt/howrecover+*.txt/_how_recover.txt/recoveryfile*.txt/recoverfile*.txt/recoveryfile*.txt/Howto_Restore_FILES.TXT/help_recover_instructions+*.txt/_Locky_recover_instructions.txt/
         map archive = No
         map readonly = no
         store dos attributes = Yes
         vfs objects = dfs_samba4 acl_xattr



Many thanks
Rainer

