[Samba] Samba 4.2.14 Group Policy (GPO) sync error
rme at bluemail.ch
Wed Aug 3 15:51:06 UTC 2016
> Can you run on a failing computer :
> - netdom verify yourpcname
It seems to work only with FQDN:
C:\Temp>netdom verify cyb64w10-monster
The format of the specified computer name is invalid.
The command failed to complete successfully.
C:\Temp>netdom verify cyb64w10-monster.ad.cyberdyne.local
The secure channel from CYB64W10-MONSTER.AD.CYBERDYNE.LOCAL to the domain
CYBERDYNE has been verified. The connection
is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.
The command completed successfully.
> - nslookup yourpcname
Seems to work fine:
C:\Temp>nslookup cyb64w10-monster
Server: UnKnown
Address: fdea:5b48:d4c1:1:1::6
Name: cyb64w10-monster.ad.cyberdyne.local
Addresses: fdea:5b48:d4c1:1:1::100
2a02:120b:2c38:2951:8d95:bd76:deaa:73db
fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
10.0.1.119
> All ok?
To me this looks alright. Doesn't it?
> And is time in sync?
Yes, 100% in sync, synchronized via NTP server.
I am using two external time servers and the following config in my /etc/ntp.conf:
restrict default nomodify nopeer noquery limited kod mssntp
restrict 127.0.0.1
restrict [::1]
To my understanding, with the Samba time server enabled this should allow clients
to synchronize the clock. Actually, manual verification and manual clock sync
seem to work:
C:\Temp>w32tm /resync
Sending resync command to local computer
The command completed successfully.
> Did you install winbind after the update and also did you change your
> server services line?
Well, I have installed Samba on Gentoo via the official repositories. Winbind was
enabled from the beginning when upgrading from Samba 3.1 to 4.0. The group
policy synchronization worked perfectly fine until the 4.2.11 update; on 4.2.9 it was
working flawlessly.
My service line looks as follows:
server services = -dns
Full line (samba-tool testparm -vv | grep "server service"):
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
> And best is really to setup TLS/SSL
Copy that.
> <https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC>
> (missing on that site: add TLS_REQCERT allow to ldap.conf)
Actually, from the page I understood that if I don't change anything the TLS
certificates are generated, but they are only valid for 700 days. Though mine were
generated in November 2015 (perhaps on the first Samba 4 startup), I just cleaned
them and let Samba rebuild them on restart. I might go for my own CA and signed
certs valid for a longer period later if this turns out to be the culprit.
So now I changed /etc/ldap/ldap.conf and inserted
TLS_REQCERT allow
Then I verified the configuration:
First verify without TLS, this should fail.
# ldapsearch -xLL -H ldap://localhost \
    -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W \
    -b "dc=ad,dc=cyberdyne,dc=local"
Enter LDAP Password:
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.
Then try with TLS, this should succeed.
# ldapsearch -ZZ -xLL -H ldap://localhost \
    -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W \
    -b "dc=ad,dc=cyberdyne,dc=local" | head -5
Enter LDAP Password:
version: 1
dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...
Then try with SSL too.
# ldapsearch -xLL -H ldaps://localhost \
    -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W \
    -b "dc=ad,dc=cyberdyne,dc=local" | head -5
Enter LDAP Password:
version: 1
dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...
> Now, for the other problem, after above is done/checked.
I think TLS works as expected.
> You can clear your GPO history on the pc.
> It's recreated when you reboot/login again, so no worries..
> @echo off
> DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
> REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
> REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
> DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
> klist purge
> gpupdate /force
> exit
> now reboot your pc, and check again.
I did run those, although the Group Policy History and secedit.sdb did not exist,
as GPO has never been synced on this machine (fresh Win 10 Pro 1607
installation). The klist purge and gpupdate did run, though. Unfortunately gpupdate
immediately showed the same errors again, while Samba printed the same errors in
its log:
[2016/08/03 17:48:48.064741, 1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 17:48:48.064868, 0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
Many thanks for your patience trying to debug this issue. I am a bit out of
ideas now on how to track this down. All file server services of Samba seem to work
fine.
Thanks again
Rainer
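The two Samba log entries quoted in the message above are the most concrete evidence in the thread, so here is a small parser for Samba's debug-log layout together with a check that pulls the GSS mechanism OID, the unseal parameters and the NT status out of the failing entries. This is an added example written for this page, not code from Samba or from the thread. The sample entries are constructed from the two lines quoted above (in Samba's one-line header layout, plus the mail-wrapped variant); the hint strings are an assumption derived only from the checks already discussed in the thread (clock sync and the secure channel) and are not a diagnosis; the identification of 1.2.840.113554.1.2.2 as the Kerberos V5 GSS-API mechanism is a standard fact.

```python
"""Parse Samba debug-log entries and flag GSSAPI unseal failures (added example).

Samba writes each entry as "[YYYY/MM/DD HH:MM:SS.ffffff, level] file.c:line(function)"
followed by indented message lines. Mail clients often wrap the location onto its
own line and split long messages, so both layouts are accepted.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}),\s*(\d+)\]\s*(.*)$")
LOCATION_RE = re.compile(r"^\s*(\S+?):(\d+)\((\w+)\)\s*$")
# GSS-API prints mechanism OIDs with spaces between arcs; 1.2.840.113554.1.2.2 is Kerberos V5.
MECH_RE = re.compile(r"for mech ((?:\d+ )+\d+)")
PARAMS_RE = re.compile(r"unseal_packet\(([^)]*)\)")
STATUS_RE = re.compile(r"\bNT_STATUS_\w+")
KRB5_MECH_OID = "1.2.840.113554.1.2.2"

# Constructed sample: the two entries quoted in the thread, in Samba's own layout.
SAMPLE_LOG = """\
[2016/08/03 17:48:48.064741,  1] ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 17:48:48.064868,  0] ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
"""
# Constructed sample: the first entry as a mail client wraps it.
WRAPPED_LOG = """\
[2016/08/03 17:48:48.064741, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
"""


@dataclass
class SambaLogEntry:
    timestamp: datetime
    level: int
    source: Optional[str]    # "file.c:line"
    function: Optional[str]
    message: str             # wrapped message lines joined with spaces


@dataclass
class UnsealFailure:
    entry: SambaLogEntry
    mech_oid: Optional[str]
    params: Dict[str, int]
    nt_status: Optional[str]
    hint: str                # assumed next check, based on the thread's own checklist


def _finish(cur: dict) -> SambaLogEntry:
    return SambaLogEntry(
        timestamp=datetime.strptime(cur["ts"], "%Y/%m/%d %H:%M:%S.%f"),
        level=cur["level"], source=cur["source"], function=cur["function"],
        message=" ".join(cur["lines"]))


def _set_location(cur: dict, text: str) -> bool:
    """Record file:line(function) if text is a location line and none was seen yet."""
    loc = LOCATION_RE.match(text)
    if not loc or cur["function"] is not None or cur["lines"]:
        return False
    cur["source"], cur["function"] = f"{loc.group(1)}:{loc.group(2)}", loc.group(3)
    return True


def parse_samba_log(text: str) -> List[SambaLogEntry]:
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if cur is not None:
                entries.append(_finish(cur))
            cur = {"ts": m.group(1), "level": int(m.group(2)),
                   "source": None, "function": None, "lines": []}
            rest = m.group(3).strip()
            if rest and not _set_location(cur, rest):
                cur["lines"].append(rest)
            continue
        if cur is None:          # text before the first header: ignore
            continue
        if not _set_location(cur, line):
            cur["lines"].append(line)
    if cur is not None:
        entries.append(_finish(cur))
    return entries


def find_unseal_failures(entries: List[SambaLogEntry]) -> List[UnsealFailure]:
    """Return every *unseal_packet failure with its mech OID, parameters and NT status."""
    findings = []
    for e in entries:
        if not (e.function or "").endswith("unseal_packet") or "failed" not in e.message:
            continue
        mech = MECH_RE.search(e.message)
        oid = mech.group(1).replace(" ", ".") if mech else None
        params: Dict[str, int] = {}
        pm = PARAMS_RE.search(e.message)
        if pm:
            for kv in pm.group(1).split(","):
                k, _, v = kv.partition("=")
                if v.strip().isdigit():
                    params[k.strip()] = int(v)
        st = STATUS_RE.search(e.message)
        hint = ("Kerberos GSSAPI unwrap failed: recheck clock sync and the secure channel "
                "(netdom verify <fqdn>)" if oid == KRB5_MECH_OID
                else "GSSAPI unwrap failed; see the preceding entry for the mechanism")
        findings.append(UnsealFailure(e, oid, params, st.group(0) if st else None, hint))
    return findings


if __name__ == "__main__":
    for f in find_unseal_failures(parse_samba_log(SAMPLE_LOG)):
        print(f.entry.timestamp, f.entry.function, f.nt_status, f.params, f.hint)
```

Feed it `log.samba` (or a pasted excerpt) via `parse_samba_log(open(path).read())`; the level-1 `gssapi_helper.c` entry names the mechanism and the level-0 `gensec_gssapi.c` entry carries the NT status, so the two are reported as a pair rather than being grepped separately.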