[Samba] GPO on a DC

samba-ml-en samba-ml-en at protonmail.com
Sun Jun 19 08:37:49 UTC 2022


Hi all,

I seem to have an issue with applying GPOs to a DC:

Symptoms:
Manual application works from ssh (samba-gpupdate --force)
Automatic application will always fail (apply group policies = true)

GPO linked to DC OU contains one setting for motd (Hello the world)
ssh to the server, run samba-gpupdate --force, samba-gpupdate --rsop

Policy Type: /etc/motd
------------------------------------------------------------------------------
Hello the world

cat /etc/motd
Hello the world

now samba-gpupdate  --unapply
cat /etc/motd --> empty, this is correct

Reboot the server
cat /etc/motd --> empty, this is wrong
look in the logs

<27>1 2022-06-19T08:23:34.844029+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:34.843691, 0] ../../source3/winbindd/winbindd.c:1722(main)
<27>1 2022-06-19T08:23:34.844236+00:00 tristsnpa43 winbindd 1446 - - winbindd version 4.15.5-Ubuntu started.
<27>1 2022-06-19T08:23:34.844303+00:00 tristsnpa43 winbindd 1446 - - Copyright Andrew Tridgell and the Samba Team 1992-2021
<28>1 2022-06-19T08:23:34.933431+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:34.933287, 1] ../../source3/lib/tdb_validate.c:480(tdb_validate_and_backup)
<28>1 2022-06-19T08:23:34.933558+00:00 tristsnpa43 winbindd 1446 - - tdb '/var/lib/samba/winbindd_cache.tdb' is valid
<28>1 2022-06-19T08:23:34.934074+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:34.934009, 1] ../../source3/lib/tdb_validate.c:489(tdb_validate_and_backup)
<28>1 2022-06-19T08:23:34.934186+00:00 tristsnpa43 winbindd 1446 - - Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb '/var/lib/samba/winbindd_cache.tdb'
<28>1 2022-06-19T08:23:34.941167+00:00 tristsnpa43 winbindd 1473 - - [2022/06/19 08:23:34.940986, 1] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
<28>1 2022-06-19T08:23:34.941284+00:00 tristsnpa43 winbindd 1473 - - samba_tevent: EPOLL_CTL_ADD failed (Invalid argument) replay[0] - calling panic_fallback
<29>1 2022-06-19T08:23:35.042191+00:00 tristsnpa43 samba 1450 - - [2022/06/19 08:23:35.041983, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
<29>1 2022-06-19T08:23:35.042315+00:00 tristsnpa43 samba 1450 - - Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[TRISTSNPA43$@AD2.TESTDOMAIN.EU] at [Sun, 19 Jun 2022 08:23:35.041974 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.10.20.43:39325] became [AD2TESTDOMAIN]\[TRISTSNPA43$] [S-1-5-21-2411287637-2672124256-485923657-1000]. local host [NULL]
<29>1 2022-06-19T08:23:35.042355+00:00 tristsnpa43 samba 1450 - - {"timestamp": "2022-06-19T08:23:35.042232+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "17743f319e7720c5", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:10.10.20.43:39325", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "TRISTSNPA43$@AD2.TESTDOMAIN.EU", "workstation": null, "becameAccount": "TRISTSNPA43$", "becameDomain": "AD2TESTDOMAIN", "becameSid": "S-1-5-21-2411287637-2672124256-485923657-1000", "mappedAccount": "TRISTSNPA43$", "mappedDomain": "AD2TESTDOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 1833}}
<29>1 2022-06-19T08:23:35.074704+00:00 tristsnpa43 samba 1447 - - [2022/06/19 08:23:35.074468, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
<29>1 2022-06-19T08:23:35.074836+00:00 tristsnpa43 samba 1447 - - Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[TRISTSNPA43$@AD2.TESTDOMAIN.EU] at [Sun, 19 Jun 2022 08:23:35.074460 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.10.20.43:36210] became [AD2TESTDOMAIN]\[TRISTSNPA43$] [S-1-5-21-2411287637-2672124256-485923657-1000]. local host [NULL]
<29>1 2022-06-19T08:23:35.074897+00:00 tristsnpa43 samba 1447 - - {"timestamp": "2022-06-19T08:23:35.074594+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "20e4e3df88368059", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:10.10.20.43:36210", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "TRISTSNPA43$@AD2.TESTDOMAIN.EU", "workstation": null, "becameAccount": "TRISTSNPA43$", "becameDomain": "AD2TESTDOMAIN", "becameSid": "S-1-5-21-2411287637-2672124256-485923657-1000", "mappedAccount": "TRISTSNPA43$", "mappedDomain": "AD2TESTDOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 1272}}
<27>1 2022-06-19T08:23:35.179652+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.179512, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.179736+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-2411287637-2672124256-485923657-1000 -> getpwuid(3000029) failed, is nsswitch configured?
<27>1 2022-06-19T08:23:35.210940+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210811, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211019+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: Traceback (most recent call last):
<27>1 2022-06-19T08:23:35.211078+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210882, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211142+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/sbin/samba-gpupdate", line 119, in <module>
<27>1 2022-06-19T08:23:35.211201+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210914, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211261+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
<27>1 2022-06-19T08:23:35.211327+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210923, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211363+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 438, in apply_gp
<27>1 2022-06-19T08:23:35.211401+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210932, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211459+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: gpos = get_gpo_list(dc_hostname, creds, lp)
<27>1 2022-06-19T08:23:35.211524+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210951, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211571+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 370, in get_gpo_list
<27>1 2022-06-19T08:23:35.211622+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210972, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211693+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: gpos = ads.get_gpo_list(creds.get_username())
<27>1 2022-06-19T08:23:35.211768+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210986, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211841+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu): The specified account does not exist.

This is repeated each time GPOs are applied with "apply group policies = true"

I am worried about the following message:
samba_tevent: EPOLL_CTL_ADD failed (Invalid argument) replay[0] - calling panic_fallback
However I could not find much about it.

The computer account seems to authenticate OK, and:
getent passwd AD2TESTDOMAIN\\TRISTSNPA43$
AD2TESTDOMAIN\tristsnpa43$:*:3000029:100::/home/AD2TESTDOMAIN/tristsnpa43_:/bin/bash

Here is my config:

uname -a
Linux tristsnpa43 5.15.0-37-generic #39-Ubuntu SMP Wed Jun 1 19:16:45 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

smbd -V
Version 4.15.5-Ubuntu

smb.conf
[global]
bind interfaces only = Yes
disable netbios = Yes
disable spoolss = Yes
dns zone transfer clients allow = 127.0.0.1 10.10.20.9
interfaces = lo vlan20
kerberos encryption types = strong
kerberos method = secrets and keytab
ldap server require strong auth = Yes
logging = syslog at 3 file at 3
log level = 1 auth_audit:3@/var/log/samba/auth_audit.log auth_json_audit:3@/var/log/samba/auth_audit.json
name resolve order = host lmhosts wins bcast
netbios name = TRISTSNPA43
ntlm auth = mschapv2-and-ntlmv2-only
password hash userPassword schemes = CryptSHA256 CryptSHA512
printcap name = /dev/null
realm = AD2.TESTDOMAIN.EU
restrict anonymous = 2
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
smb ports = 445
template homedir = /home/%D/%U
template shell = /bin/bash
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
winbind enum groups = Yes
winbind enum users = Yes
winbind offline logon = Yes
winbind refresh tickets = Yes
workgroup = AD2TESTDOMAIN
idmap_ldb:use rfc2307 = no
acl:search = true
apply group policies = true

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/ad2.testdomain.eu/scripts
read only = No
[dfs]
comment = DFS Proxy Share
msdfs proxy = \tristsnpa43.ad2.testdomain.eu\dfsroot
read only = No
msdfs root = Yes
vfs objects = dfs_samba4 acl_xattr recycle
browsable = Yes

[dfsroot]
comment = DFS Root Share
path = /var/lib/samba/dfsroot
read only = No
msdfs root = Yes
vfs objects = dfs_samba4 acl_xattr recycle
browsable = No

krb5.conf:
[libdefaults]
default_realm = AD2.TESTDOMAIN.EU
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
AD2.TESTDOMAIN.EU = {
default_domain = ad2.testdomain.eu
}

[domain_realm]
tristsnpa43 = AD2.TESTDOMAIN.EU

nsswitch.conf:
passwd: files systemd winbind
group: files systemd winbind

