[Samba] Samba 4.2.14 Group Policy (GPO) sync error

L.P.H. van Belle belle at bazuin.nl
Wed Aug 3 14:31:57 UTC 2016


 

Can you run on a failing computer:

- netdom verify yourpcname
- nslookup yourpcname

All ok?

And is the time in sync?

 

Did you install winbind after the update, and did you also change your server services line?

For example, I use bind9 DNS.

My smb.conf contains only this:        server services = -dns

The full line is:

samba-tool testparm -vv | grep "server service"

        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

The thing you have to look at is: winbindd

And not winbind.

And it is really best to set up TLS/SSL:

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

(missing on that site: add TLS_REQCERT allow to ldap.conf)

Or a simple setup with your own cert:

https://www.spinics.net/lists/samba/msg134098.html

It's Debian-minded, but translate it to your OS; most of it is the same.

Or make them manually:

https://www.google.nl/search?q=setup+own+caroot#q=openssl+create+self+signed+certificate

Pick one.

 

 

Now, for the other problem, after the above is done/checked.

You can clear your GPO history on the PC.

It's recreated when you reboot/log in again, so no worries.

@echo off
REM Remove the cached Group Policy history so every policy is fetched from SYSVOL again
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
REM Remove the registry-based policy settings for the machine and for the current user
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REM Remove the local security policy database; it is rebuilt on the next policy refresh
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
REM Drop the cached Kerberos tickets so fresh ones are requested from the DC
klist purge
REM Re-apply all policies now
gpupdate /force
exit

Now reboot your PC and check again.

 

 

Greetz, 

 

Louis
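As an added example (not code from this mail and not Samba's own parser): a small bash helper that takes the value of the smb.conf `server services` line, including the relative `-name`/`+name` form used above (`-dns`), works out the effective service list and then checks for `winbindd` rather than `winbind`, the point made above. Two assumptions that the page does not state: the default list is taken to be the effective list printed above by `samba-tool testparm -vv` plus `dns` (which `-dns` had removed), and a value whose first entry carries no `+`/`-` prefix is treated as replacing the defaults outright.

```bash
#!/bin/bash
# Added example (not from the mail, not Samba's own code).
# Computes the effective Samba AD DC "server services" list from the smb.conf
# value and checks that the winbind service is listed under its AD DC service
# name, "winbindd", and not as "winbind".

# Assumption: the default list is the effective list the mail prints from
# `samba-tool testparm -vv`, plus "dns", which the "-dns" entry had removed.
DEFAULT_SERVICES="s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"

# effective_services "VALUE" -> prints the effective list, space separated.
# "-name" removes a service, "+name" adds one. A value whose first entry is
# prefixed with + or - is applied on top of the defaults; any other value
# replaces the defaults (assumption; the "-dns" case from the mail is covered).
effective_services() {
    local value=${1//,/ }            # accept the comma-separated form too
    local -a list=($DEFAULT_SERVICES) kept
    local tok svc first=1
    for tok in $value; do
        if (( first )); then
            first=0
            [[ $tok == [+-]* ]] || list=()
        fi
        case $tok in
            -*) kept=()
                for svc in "${list[@]}"; do
                    [[ $svc == "${tok#-}" ]] || kept+=("$svc")
                done
                list=("${kept[@]}") ;;
            *)  tok=${tok#+}
                [[ " ${list[*]} " == *" $tok "* ]] || list+=("$tok") ;;
        esac
    done
    echo "${list[*]}"
}

# has_service "VALUE" NAME -> exit 0 if NAME is in the effective list.
has_service() {
    local svc
    for svc in $(effective_services "$1"); do
        [[ $svc == "$2" ]] && return 0
    done
    return 1
}

# check_winbindd "VALUE" -> prints a verdict; exit 0 only if winbindd is active.
check_winbindd() {
    if has_service "$1" winbindd; then
        echo "OK: winbindd is in the effective server services"
        return 0
    fi
    if has_service "$1" winbind; then
        echo "PROBLEM: 'winbind' is listed, but the service to look for is 'winbindd'"
    else
        echo "PROBLEM: winbindd is missing from the effective server services"
    fi
    return 1
}

# Stand-alone demo: the value from the mail, then a hand-written list that
# still carries the old "winbind" name (constructed input).
effective_services "-dns"
check_winbindd "-dns"
check_winbindd "s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate" || :
```

To run it against a live DC instead of the constructed values, feed it the value part of `samba-tool testparm -vv | grep "server service"` or the raw line from smb.conf; the check exits non-zero on a problem, so it can sit in a post-upgrade sanity script.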

 

 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of rme at bluemail.ch
> Sent: Wednesday, 3 August 2016 15:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error

> 

> Hi Louis,
> 
> Many, many thanks for your very quick and comprehensive reply.
> I also found this thread here
> <https://lists.samba.org/archive/samba/2016-July/201471.html>
> 
> Unfortunately none of the suggestions seem to entirely resolve the issue.
> 
> As a first work-around I have inserted
>      ldap server require strong auth = no
> to my smb.conf and re-started Samba.
> 
> Unfortunately this didn't change anything. I am still getting the same
> errors from gpupdate.exe (with the same errors logged to the event log)
> claiming name resolution failure, while the samba logs report:
> 
> [2016/08/03 15:17:45.609250,  1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
>    gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> [2016/08/03 15:17:45.609387,  0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
>    gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED

> 

> 

> I am not fully sure about the MS changes though. My GPOs all list
> "Authenticated Users" in the "Security Filtering" section in the Scope tab.
> I'm unsure where to insert the "Authenticated Users" group in the GPO with
> read permissions. Does it mean I should add "Authenticated Users" in the
> Delegation tab? If yes, then all my GPOs already have this entry in the
> Delegation tab:
> - Authenticated Users, Read (from Security Filtering)
> 
> I also tried inserting Domain Computers with Read permissions into the
> Delegation tab. No change in the result though.
> 
> I also tried to remove the "Authenticated Users" entry from Security
> Filtering, with and without adding it to the Delegation tab, to no avail.
> It still complains about name resolution failure on the domain controller.
> 
> I also added the admx templates successfully to sysvol, but this did not fix
> the GPO processing issue (as expected).

> 

> 

> In addition, samba-tool ntacl sysvolcheck also returns the same error as
> indicated in the thread above:
> 
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/ad.cyberdyne.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
> Though according to
> <https://lists.samba.org/archive/samba/2016-July/201448.html> this might
> be a samba-tool issue.
> 
> Though I don't think it's related to the error, as it looks like somehow
> it's not about permissions or issues on the sysvol share level but rather
> crypto/signature issues.

> 

> 

> 

> 

> 

> Moreover, I tried a bit more GPO debugging as instructed here:
> <https://lists.samba.org/archive/samba/2016-August/201762.html>
> 
> Perhaps the following log line points out an error:
> GPSVC(3a8.b94) 15:07:34:198 ProcessGPOs(Machine): MyGetUserName failed with 5.
> 
> The full log can be found here:
> <http://pastebin.com/vgbhx0cm>
> 
> Many thanks again.
> Rainer

> 

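As an added example (not code from either mail and not samba-tool's own code): the two SDDL strings in the sysvolcheck error quoted above are long enough that the actual difference is easy to miss by eye. The bash helper below splits an SDDL string into owner, group, DACL flags and ACEs and reports only the parts that differ; run on the two strings from the quoted error (re-joined onto one line each and embedded as its sample input) it reports that only the owner differs, LA in the file-system ACL against DA in the GPO object. It assumes the simple layout seen in that error (`O:`, `G:`, then `D:` with optional flags followed by parenthesised ACEs, and no SACL); that assumption is mine, not something the thread states.

```bash
#!/bin/bash
# Added example (not from the thread, not samba-tool's code): compare two SDDL
# strings component by component. Assumes the layout seen in the sysvolcheck
# error: "O:<owner>G:<group>D:<flags>(<ace>)(<ace>)..." with no S: (SACL) part.

# sddl_part SDDL owner|group|dacl -> prints that component.
sddl_part() {
    case $2 in
        owner) printf '%s\n' "$1" | sed -n 's/^O:\([^:]*\)G:.*/\1/p' ;;
        group) printf '%s\n' "$1" | sed -n 's/^O:[^:]*G:\([^:]*\)D:.*/\1/p' ;;
        dacl)  printf '%s\n' "$1" | sed -n 's/^O:[^:]*G:[^:]*D:\(.*\)/\1/p' ;;
    esac
}

# dacl_flags DACL -> the control flags before the first ACE, e.g. "P" (protected).
dacl_flags() { printf '%s\n' "$1" | sed 's/(.*//'; }

# dacl_aces DACL -> one ACE per line with the parentheses stripped, sorted so
# the comparison ignores ACE order (fine here, where every ACE is an allow ACE;
# with deny ACEs present the order would matter and should be compared too).
dacl_aces() {
    printf '%s\n' "$1" | sed 's/^[^(]*//' | tr ')' '\n' | sed 's/^(//; /^$/d' | sort
}

# sddl_diff ACTUAL EXPECTED -> prints one line per differing component;
# exit status 0 when they match, 1 when they do not.
sddl_diff() {
    local part a e status=0
    for part in owner group; do
        a=$(sddl_part "$1" "$part"); e=$(sddl_part "$2" "$part")
        [[ $a == "$e" ]] || { echo "$part: $a (expected $e)"; status=1; }
    done
    local da=$(sddl_part "$1" dacl) de=$(sddl_part "$2" dacl)
    a=$(dacl_flags "$da"); e=$(dacl_flags "$de")
    [[ $a == "$e" ]] || { echo "dacl flags: $a (expected $e)"; status=1; }
    a=$(dacl_aces "$da"); e=$(dacl_aces "$de")
    [[ $a == "$e" ]] || { echo "dacl aces differ:"; diff <(echo "$a") <(echo "$e") || :; status=1; }
    return $status
}

# Sample input: the two SDDL strings from the quoted sysvolcheck error,
# re-joined onto one line each (file-system ACL first, GPO object second).
ACTUAL='O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)'
EXPECTED='O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)'

# Stand-alone demo: prints "owner: LA (expected DA)" and then the verdict.
if sddl_diff "$ACTUAL" "$EXPECTED"; then
    echo "ACLs match"
else
    echo "ACLs differ"
fi
```

The two strings can be swapped for the output of `samba-tool ntacl get <path>` and the SDDL on the GPO object to check any other GPO directory the same way; the exit status makes it usable from a loop over the Policies directory.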