[Samba] Samba 4.2.14 Group Policy (GPO) sync error

L.P.H. van Belle belle at bazuin.nl
Wed Aug 3 12:12:33 UTC 2016


The server expects TLS but you didn't set TLS. 

Read : 
https://www.samba.org/samba/history/samba-4.2.10.html 

basically it's now: Default: ldap server require strong auth = yes

You can try to add: ldap server require strong auth = no
But I do advise setting up the TLS parameters and making everything more secure. 

Please read these links; MS changed some things in GPO also.

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures. 
https://support.microsoft.com/en-gb/kb/3163622

short version:
Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.


And last, make sure you have updated to the latest policy set.
https://www.niallbrady.com/2016/02/03/how-can-i-add-new-windows-10-admx-files-to-the-group-policy-central-store-and-then-deploy-them/ 

To update the policy set, you can also copy the local GroupPolicy folder on the Windows 10 PC to the server. 


Greetz. 

Louis
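As an added illustration of the two options above (not part of Louis's reply or of Samba's own tooling): a small POSIX shell audit that reads an smb.conf, reports whether "ldap server require strong auth" has been switched off, and shows which TLS parameters are set. The parameter names are Samba's own; the two sample configs are constructed for this example, and the certificate paths in them are placeholders.

```shell
#!/bin/sh
# Audit an smb.conf for the settings discussed in the reply above.
# "ldap server require strong auth" defaults to "yes" since Samba 4.2.10;
# setting it to "no" silences the error by allowing unprotected binds again.

# Print the last value of a [global] parameter, or DEFAULT if it is unset.
# smb.conf parameter names are case-insensitive and may be indented.
smb_param() {
    file=$1; name=$2; default=$3
    val=$(grep -i "^[[:space:]]*$name[[:space:]]*=" "$file" | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Classify the LDAP bind policy: "weak" when strong auth was switched off,
# "partial" for allow_sasl_over_tls, "strong" when the 4.2.10+ default holds.
ldap_bind_policy() {
    v=$(smb_param "$1" "ldap server require strong auth" yes | tr 'A-Z' 'a-z')
    case $v in
        no|false|0)          echo weak ;;
        allow_sasl_over_tls) echo partial ;;
        *)                   echo strong ;;
    esac
}

# One-line summary: bind policy plus the TLS parameters an admin should check.
audit_smb_conf() {
    printf 'policy=%s tls_enabled=%s keyfile=%s certfile=%s cafile=%s\n' \
        "$(ldap_bind_policy "$1")" \
        "$(smb_param "$1" "tls enabled" yes)" \
        "$(smb_param "$1" "tls keyfile" unset)" \
        "$(smb_param "$1" "tls certfile" unset)" \
        "$(smb_param "$1" "tls cafile" unset)"
}

# Constructed sample: the quick workaround from the reply (weak).
write_weak_sample() {
    printf '%s\n' '[global]' '        workgroup = MYDOM' \
        '        server role = active directory domain controller' \
        '        ldap server require strong auth = no' > "$1"
}

# Constructed sample: strong-auth default kept, TLS material configured
# (placeholder paths, not a real deployment).
write_strong_sample() {
    printf '%s\n' '[global]' '        workgroup = MYDOM' \
        '        server role = active directory domain controller' \
        '        tls enabled = yes' \
        '        tls keyfile = /etc/samba/tls/key.pem' \
        '        tls certfile = /etc/samba/tls/cert.pem' \
        '        tls cafile = /etc/samba/tls/ca.pem' > "$1"
}

# Usage: sh audit.sh /etc/samba/smb.conf   (or testparm -s > file first)
if [ $# -gt 0 ]; then audit_smb_conf "$1"; fi
```

Running it against `testparm -s` output shows the effective values rather than only what was typed into smb.conf.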

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of rme at bluemail.ch
> Sent: Wednesday 3 August 2016 13:41
> To: samba at lists.samba.org
> Subject: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
> 
> Hello,
> 
> I think I really need some help on this.
> 
> Since Samba 4.2.11 upgrade my Windows 10 clients are unable to synchronize
> group
> policies. I have asked about this already here
> <https://lists.samba.org/archive/samba/2016-April/199226.html>. Now I
> re-investigate the issue with Windows 10 1607 update and still face the
> same
> issue which prevents me from rolling out this configuration in production.
> 
> My Setup:
> - Samba 4.2.14 in active directory domain controller role
> - BIND_DLZ DNS backend
> - Windows 10 Pro 1607 clients
> 
> 
> I am successfully able to join the clients to the Samba AD domain but they
> fail
> to synchronize group policies and therefore fail to apply logon/logoff
> scripts
> as well as important system settings.
> 
> Executing 'gpupdate' on the command line yields the following output:
> ----
> The processing of Group Policy failed. Windows could not resolve the
> computer
> name. This could be caused by one of more of the following:
> a) Name Resolution failure on the current domain controller.
> b) Active Directory Replication Latency (an account created on another
> domain
> controller has not replicated to the current domain controller).
> User Policy could not be updated successfully. The following errors were
> encountered:
> 
> The processing of Group Policy failed. Windows could not resolve the user
> name.
> This could be caused by one of more of the following:
> a) Name Resolution failure on the current domain controller.
> b) Active Directory Replication Latency (an account created on another
> domain
> controller has not replicated to the current domain controller).
> ----
> 
> 
> On Samba side with log level 10 I get the following errors:
> ----
> [2016/08/03 13:12:41.571366,  1]
> ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
>    gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-
> code 0
> for mech 1 2 840 113554 1 2 2
> [2016/08/03 13:12:41.571495,  0]
> ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
>    gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176)
> failed:
> NT_STATUS_ACCESS_DENIED
> ----
> 
> 
> I am specifically worried about the "unknown mech-code" error which might
> indicate some issues regarding Kerberos crypto. I am running Samba on
> Gentoo
> along with Heimdal 1.5.3-r2.
> 
> 
> Does anybody have a clue where to look for a configuration mistake or
> whether I
> should report this as a bug?
> I am especially concerned because this error did not occur in Samba 4.2.9
> (last
> version before badlock security update).
> 
> Any help or hint would be highly appreciated!
> 
> 
> When running gpupdate the following block of messages are repeated
> multiple
> times in samba logs:
> [2016/08/03 13:12:39.715332,  3] ../lib/ldb-
> samba/ldb_wrap.c:321(ldb_wrap_connect)
>    ldb_wrap open of secrets.ldb
> [2016/08/03 13:12:39.716203,  5]
> ../auth/gensec/gensec_start.c:672(gensec_start_mech)
>    Starting GENSEC mechanism spnego
> [2016/08/03 13:12:39.716472,  5]
> ../auth/gensec/gensec_start.c:672(gensec_start_mech)
>    Starting GENSEC submechanism gssapi_krb5
> [2016/08/03 13:12:39.718868,  5]
> ../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
>    gensec_gssapi: NO credentials were delegated
> [2016/08/03 13:12:39.718993,  5]
> ../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
>    GSSAPI Connection will be cryptographically sealed
> [2016/08/03 13:12:39.728127,  1]
> ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
>    gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-
> code 0
> for mech 1 2 840 113554 1 2 2
> [2016/08/03 13:12:39.728261,  0]
> ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
>    gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176)
> failed:
> NT_STATUS_ACCESS_DENIED
> [2016/08/03 13:12:39.729278,  3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>    Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/08/03 13:12:39.729352,  5]
> ../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
>    imessaging: cleaning up
> /var/lib/samba/private/smbd.tmp/msg/msg.16428.49
> [2016/08/03 13:12:39.729499,  3]
> ../source4/smbd/process_single.c:114(single_terminate)
>    single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> 
> 
> 
> 
> Here are my compiled parameters as printed by testparm:
> 
> # Global parameters
> [global]
>          workgroup = MYDOM
>          realm = ad.mydom.local
>          netbios aliases = SOFTWARE
>          server string = Server
>          interfaces = 127.0.0.1/8 10.0.1.6/24 fdea:5b48:d4c1:1:1::6/64
>          bind interfaces only = Yes
>          server role = active directory domain controller
>          passdb backend = samba_dsdb
>          log file = /var/log/samba/smb.%M
>          max log size = 500
>          time server = Yes
>          deadtime = 2
>          logon script = KIX32.exe logon.kix
>          logon path = \\%N\profile\.winprofile
>          logon drive = N:
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>          rpc_server:tcpip = no
>          rpc_daemon:spoolssd = embedded
>          rpc_server:spoolss = embedded
>          rpc_server:winreg = embedded
>          rpc_server:ntsvcs = embedded
>          rpc_server:eventlog = embedded
>          rpc_server:srvsvc = embedded
>          rpc_server:svcctl = embedded
>          rpc_server:default = external
>          winbindd:use external pipes = true
>          idmap_ldb:use rfc2307 = yes
>          acl:search = no
>          idmap config * : backend = tdb
>          veto files =
> /*.k/*.encoderpass/*.locky/*.ecc/*.ezz/*.exx/*.zzz/*.xyz/*.aaa/*.abc/*.ccc
> /*.vvv/*.xxx/*.ttt/*.micro/*.encrypted/*.locked/*.crypto/_crypt/*.crinf/*.
> r5a/*.xrtn/*.XTBL/*.crypt/*.R16M01D05/*.pzdc/*.good/*.LOL!/*.OMG!/*.RDM/*.
> RRK/*.encryptedRSA/*.crjoker/*.EnCiPhErEd/*.LeChiffre/*.keybtc at inbox_com/*
> .0x0/*.bleep/*.1999/*.vault/*.HA3/*.toxcrypt/*.magic/*.SUPERCRYPT/*.CTBL/*
> .CTB2/*.locky/HELPDECRYPT.TXT/HELP_YOUR_FILES.TXT/HELP_TO_DECRYPT_YOUR_FIL
> ES.txt/RECOVERY_KEY.txt/HELP_RESTORE_FILES.txt/HELP_RECOVER_FILES.txt/HELP
> _TO_SAVE_FILES.txt/DecryptAllFiles.txt/DECRYPT_INSTRUCTIONS.TXT/INSTRUCCIO
> NES_DESCIFRADO.TXT/How_To_Recover_Files.txt/YOUR_FILES.HTML/YOUR_FILES.url
> /encryptor_raas_readme_liesmich.txt/Help_Decrypt.txt/DECRYPT_INSTRUCTION.T
> XT/HOW_TO_DECRYPT_FILES.TXT/ReadDecryptFilesHere.txt/Coin.Locker.txt/_secr
> et_code.txt/About_Files.txt/Read.txt/DECRYPT_ReadMe.TXT/DecryptAllFiles.tx
> t/FILESAREGONE.TXT/IAMREADYTOPAY.TXT/HELLOTHERE.TXT/READTHISNOW!!!.TXT/SEC
> RETIDHERE.KEY/IHAVEYOURSECRET.KEY/SE
> 
> CRET.KEY/HELPDECYPRT_YOUR_FILES.HTML/help_decrypt_your_files.html/HELP_TO_
> SAVE_FILES.txt/RECOVERY_FILES.txt/RECOVERY_FILE.TXT/RECOVERY_FILE*.txt/How
> toRESTORE_FILES.txt/HowtoRestore_FILES.txt/howto_recover_file.txt/restoref
> iles.txt/howrecover+*.txt/_how_recover.txt/recoveryfile*.txt/recoverfile*.
> txt/recoveryfile*.txt/Howto_Restore_FILES.TXT/help_recover_instructions+*.
> txt/_Locky_recover_instructions.txt/
>          map archive = No
>          map readonly = no
>          store dos attributes = Yes
>          vfs objects = dfs_samba4 acl_xattr
> 
> 
> 
> Many thanks
> Rainer