[Samba] Computer members on AD are not identified and don't have group membership applied

Rodrigo Jauregui ro.sjda42 at gmail.com
Mon Jul 9 17:17:11 UTC 2018


I'm trying to set up a Fedora 27 server with samba 4.7 as an AD DC for a
windows network. I followed the tutorial from the samba wiki and the arch
linux wiki and currently have things working to the point where I can join
windows machines, add users, create GPOs and apply them to users.

The problem occurs when trying to apply computer GPOs. The windows machines
just don't get affected by them. After running GPResult, I noticed that
computer GPOs are denied on the base of security filtering. Also while the
user is correctly identified and added to the groups it belongs to, the
machine itself is recognized as belonging only to 'NULL SID', 'NT
AUTHORITY\NETWORK', 'This company', and something like 'Obligatory level of
no trust'. That's it, 'Authenticated users' or 'Domain Computers' don't
appear anywhere.

This explains why the policies are being filtered, the GPOs only apply to
'authenticated users' by default, and according to GPResult, the machine
doesn't belong to the group. What I don't understand is why the group
membership is not being correctly resolved.

This happens to ALL windows machines I join to the domain, and rejoining
doesn't do anything. Purging kerberos tickets for 0x3e7 and trying to
access a network share as LocalSystem (psexec -s -i -d cmd) to get a new
one doesn't work. I ran wireshark to examine the AS_REP and AS_REQ, and
decrypted the TGT using an exported keytab from the linux server to check
if the machine was being correctly identified and it was, even group
membership was correctly included. wbinfo and getent from another linux
server in the domain show correct id and group membership for the windows
machine accounts.

At this point I am lost, I checked every possible variation of this problem
for more than a week on google and only found 2 threads with people
experiencing the same problem. Both were dead ends.

The only weird thing I found was after enabling kerberos logging on the
windows machines. All show an 0x1A error, KDC_ERR_SERVER_NOMATCH saying
EVIDENCE_TICKET_MISSMATCH.
This error also appears on the mit_kdc.log file on the DC. Googling that
error shows nothing, just a few one-sentence descriptions that don't really
help.

Please guys, you are my only hope at this point. I can provide all config
files, log files (both windows and linux), and even the wireshark record I
took.
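Added example (not part of the post above, not Samba's code): a small model of the GPO security filtering that gpresult reports as "Denied (Security)". It assumes the localized names in the post map to the usual well-known SIDs (This Organization S-1-5-15, Untrusted Mandatory Level S-1-16-0) and uses a constructed domain SID; it shows why a machine token without Authenticated Users (S-1-5-11) never passes a default GPO ACL, and that a Deny ACE wins even when that SID is present.

```python
"""Model of GPO security filtering as evaluated by the Group Policy client.

A GPO applies to a token only if Allow ACEs grant both Read and
Apply Group Policy to SIDs the token holds, and no Deny ACE removes either
right from such a SID. A freshly created GPO grants both to Authenticated
Users, so a machine token lacking S-1-5-11 is filtered out, matching the
gpresult output described in the post.
"""
from dataclasses import dataclass

AUTHENTICATED_USERS = "S-1-5-11"
NETWORK = "S-1-5-2"
THIS_ORGANIZATION = "S-1-5-15"      # assumed for the post's 'This company'
UNTRUSTED_LABEL = "S-1-16-0"        # assumed for 'Obligatory level of no trust'
NULL_SID = "S-1-0-0"
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
DOMAIN_COMPUTERS = DOMAIN + "-515"
REQUIRED = frozenset({"Read", "ApplyGroupPolicy"})


@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool          # True = Allow ACE, False = Deny ACE
    rights: frozenset    # subset of REQUIRED


# Simplified default ACL of a new GPO: Authenticated Users get Read + Apply.
DEFAULT_GPO_ACL = [Ace(AUTHENTICATED_USERS, True, REQUIRED)]

# Constructed tokens: what the post's gpresult shows for the machine, and what
# a correctly resolved domain member should hold.
BROKEN_MACHINE_TOKEN = [NULL_SID, NETWORK, THIS_ORGANIZATION, UNTRUSTED_LABEL]
HEALTHY_MACHINE_TOKEN = [DOMAIN_COMPUTERS, AUTHENTICATED_USERS, NETWORK,
                         THIS_ORGANIZATION]


def gpo_applies(acl, token_sids):
    """Return (applies, reason): Deny ACEs win, and both rights are needed."""
    sids = set(token_sids)
    granted = set()
    for ace in acl:
        if ace.sid not in sids:
            continue                       # ACE is for a SID the token lacks
        if not ace.allow and ace.rights & REQUIRED:
            return False, f"Filtering: Denied (Security) by Deny ACE for {ace.sid}"
        if ace.allow:
            granted |= ace.rights
    if REQUIRED <= granted:
        return True, "allowed"
    return False, f"Filtering: Denied (Security); missing {sorted(REQUIRED - granted)}"
```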

