[Samba] Samba 4.2.14 Group Policy (GPO) sync error

rme at bluemail.ch
Wed Aug 3 15:51:06 UTC 2016

 > Can you run on a failing computer :
 > - netdom verify yourpcname

It seems to work only with FQDN:

C:\Temp>netdom verify cyb64w10-monster
The format of the specified computer name is invalid.

The command failed to complete successfully.

C:\Temp>netdom verify cyb64w10-monster.ad.cyberdyne.local
The secure channel from CYB64W10-MONSTER.AD.CYBERDYNE.LOCAL to the domain 
CYBERDYNE has been verified.  The connection
is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.

The command completed successfully.

 > - nslookup yourpcname

Seems to work fine:

C:\Temp>nslookup cyb64w10-monster
Server:  UnKnown
Address:  fdea:5b48:d4c1:1:1::6

Name:    cyb64w10-monster.ad.cyberdyne.local
Addresses:  fdea:5b48:d4c1:1:1::100

 > All ok?

To me this looks alright. Doesn't it?

 > And is time in sync?

Yes, 100% in sync, synchronized via an NTP server.
I am using two external time servers and the following config in my /etc/ntp.conf:
restrict default nomodify nopeer noquery limited kod mssntp
restrict [::1]

As far as I understand, with the Samba time server enabled this should allow 
clients to synchronize the clock. Actually, manual verification and manual clock 
sync seem to work:

C:\Temp>w32tm /resync
Sending resync command to local computer
The command completed successfully.

 > Did you install winbind after the update, and also did you change your
 > server services line?

Well, I have installed Samba on Gentoo via the official repositories. Winbind was 
enabled from the beginning when upgrading from Samba 3.1 to 4.0. The group 
policy synchronization worked perfectly fine until the 4.2.11 update; on 4.2.9 it 
was working flawlessly.

My service line looks as follows:
     server services = -dns

Full line (samba-tool testparm -vv | grep "server service"):
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, 
ntp_signd, kcc, dnsupdate

 > And best is really to setup TLS/SSL

Copy that.

 > (missing on that site: add TLS_REQCERT allow to ldap.conf)

Actually, from the page I understood that if I don't change anything the TLS 
certificates are generated, but they are only valid for 700 days. Though mine 
were generated in November 2015 (perhaps on the first Samba 4 startup), I just 
cleaned them and let Samba rebuild them on restart. I might go for my own CA and 
signed certs valid for a longer period later if this turns out to be the culprit.

So now I changed /etc/ldap/ldap.conf and inserted
     TLS_REQCERT     allow

Then I verified the configuration:

First, verify without TLS; this should fail.

# ldapsearch -xLL -H ldap://localhost -D 
"cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b 
Enter LDAP Password:
ldap_bind: Strong(er) authentication required (8)
         additional info: BindSimple: Transport encryption required.

Then try with TLS; this should succeed.

# ldapsearch -ZZ -xLL -H ldap://localhost -D 
"cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b 
"dc=ad,dc=cyberdyne,dc=local" | head -5
Enter LDAP Password:
version: 1

dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group

Then try with SSL too.

# ldapsearch -xLL -H ldaps://localhost -D 
"cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b 
"dc=ad,dc=cyberdyne,dc=local" | head -5
Enter LDAP Password:
version: 1

dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group

 > Now, for the other problem, after above is done/checked.

I think TLS works as expected.

 > You can clear your GPO history on the PC.
 > It's recreated when you reboot/log in again, so no worries.

 > @echo off
 > DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group > 
 > REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
 > REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
 > DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
 > klist purge
 > gpupdate /force
 > exit

 > now reboot your pc,  and check again.

I did run those, although the Group Policy History and secedit.sdb did not exist, 
as GPO has never been synced on this machine (fresh Win 10 Pro 1607 
installation). The klist purge and gpupdate did run, though. Unfortunately 
gpupdate immediately showed the same errors again, while Samba printed the same 
errors in its log:

[2016/08/03 17:48:48.064741,  1] 
   gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0 
for mech 1 2 840 113554 1 2 2
[2016/08/03 17:48:48.064868,  0] 
   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: 

Many thanks for your patience trying to debug this issue. I am a bit out of 
ideas now on how to trace this down. All file server services of Samba seem to work 
ideas now how to trace this down. All file server services of Samba seem to work 

Thanks again
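The three ldapsearch checks run by hand above (plaintext simple bind must be refused, StartTLS and LDAPS binds must succeed) can be turned into one unattended script. The following is an added example, not code from the thread or from the Samba project; the host, base DN and bind DN match the thread, the password file path is an assumption (create it with mode 600 and pass it with -y), and the expected exit statuses rely on OpenLDAP's ldapsearch exiting with the LDAP result code (8 = strongAuthRequired, 0 = success), exactly what the "(8)" in the failing bind above reports.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Samba AD DC refuses a
# plaintext simple bind and accepts simple binds over StartTLS and LDAPS.
set -u

LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"      # command to run (overridable)
HOST="${HOST:-localhost}"
BASE="${BASE:-dc=ad,dc=cyberdyne,dc=local}"
BINDDN="${BINDDN:-cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local}"
PWFILE="${PWFILE:-/root/.ldap-admin-pw}"    # assumed path, chmod 600

# One simple bind plus a base-scope search of a single entry, output
# discarded. Returns ldapsearch's exit status, which is the LDAP result code.
#   $1 = URI, $2 = extra flag ("-ZZ" to require StartTLS, "" for none)
ldap_probe() {
    # shellcheck disable=SC2086
    "$LDAPSEARCH" $2 -x -LLL -H "$1" -D "$BINDDN" -y "$PWFILE" \
        -b "$BASE" -s base -z 1 dn >/dev/null 2>&1
}

# Compare the observed status with the expected one and print a verdict.
#   $1 = label, $2 = expected status, $3 = URI, $4 = extra flag
expect_status() {
    if ldap_probe "$3" "$4"; then got=0; else got=$?; fi
    if [ "$got" -eq "$2" ]; then
        echo "ok   $1 (exit $got)"
        return 0
    fi
    echo "FAIL $1 (expected $2, got $got)"
    return 1
}

# Run the three checks from the thread; the return value is the number of
# failed checks, so 0 means the DC enforces transport encryption as expected.
check_ldap_tls_policy() {
    fails=0
    expect_status "plaintext simple bind refused" 8 "ldap://$HOST"  ""   || fails=$((fails + 1))
    expect_status "StartTLS simple bind accepted" 0 "ldap://$HOST"  -ZZ  || fails=$((fails + 1))
    expect_status "LDAPS simple bind accepted"    0 "ldaps://$HOST" ""   || fails=$((fails + 1))
    return "$fails"
}

if check_ldap_tls_policy; then
    echo "all checks passed"
else
    echo "$? check(s) failed"
fi
```

The first check is the security-relevant one: a DC that answers 0 there is accepting credentials in the clear. If TLS_REQCERT is set to allow in ldap.conf, as suggested above, the StartTLS and LDAPS checks will still pass with a certificate the client cannot validate, so they prove encryption is enforced, not that the server's identity is verified.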
