[Samba] GPO on a DC

David Mulder dmulder at samba.org
Tue Jun 21 14:07:28 UTC 2022


On 6/19/22 2:37 AM, samba-ml-en via samba wrote:
> Hi all,
> 
> I seem to have an issue with applying GPOs to a DC:
> 
> Symptoms:
> Manual application works from ssh (samba-gpupdate --force)
> Automatic application will always fail (apply group policies = true)
> 
> GPO linked to DC OU contains one setting for motd (Hello the world)
> ssh to the server, run samba-gpupdate --force, samba-gpupdate --rsop
> 
> Policy Type: /etc/motd
> ------------------------------------------------------------------------------
> Hello the world
> 
> cat /etc/motd
> Hello the world
> 
> now samba-gpupdate  --unapply
> cat /etc/motd --> empty, this is correct
> 
> Reboot the server
> cat /etc/motd --> empty, this is wrong
> look in the logs
> 
> <27>1 2022-06-19T08:23:34.844029+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:34.843691, 0] ../../source3/winbindd/winbindd.c:1722(main)
> <27>1 2022-06-19T08:23:34.844236+00:00 tristsnpa43 winbindd 1446 - - winbindd version 4.15.5-Ubuntu started.
> <27>1 2022-06-19T08:23:34.844303+00:00 tristsnpa43 winbindd 1446 - - Copyright Andrew Tridgell and the Samba Team 1992-2021
> <28>1 2022-06-19T08:23:34.933431+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:34.933287, 1] ../../source3/lib/tdb_validate.c:480(tdb_validate_and_backup)
> <28>1 2022-06-19T08:23:34.933558+00:00 tristsnpa43 winbindd 1446 - - tdb '/var/lib/samba/winbindd_cache.tdb' is valid
> <28>1 2022-06-19T08:23:34.934074+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:34.934009, 1] ../../source3/lib/tdb_validate.c:489(tdb_validate_and_backup)
> <28>1 2022-06-19T08:23:34.934186+00:00 tristsnpa43 winbindd 1446 - - Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb '/var/lib/samba/winbindd_cache.tdb'
> <28>1 2022-06-19T08:23:34.941167+00:00 tristsnpa43 winbindd 1473 - - [2022/06/19 08:23:34.940986, 1] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
> <28>1 2022-06-19T08:23:34.941284+00:00 tristsnpa43 winbindd 1473 - - samba_tevent: EPOLL_CTL_ADD failed (Invalid argument) replay[0] - calling panic_fallback
> <29>1 2022-06-19T08:23:35.042191+00:00 tristsnpa43 samba 1450 - - [2022/06/19 08:23:35.041983, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> <29>1 2022-06-19T08:23:35.042315+00:00 tristsnpa43 samba 1450 - - Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[TRISTSNPA43$@AD2.TESTDOMAIN.EU] at [Sun, 19 Jun 2022 08:23:35.041974 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.10.20.43:39325] became [AD2TESTDOMAIN]\[TRISTSNPA43$] [S-1-5-21-2411287637-2672124256-485923657-1000]. local host [NULL]
> <29>1 2022-06-19T08:23:35.042355+00:00 tristsnpa43 samba 1450 - - {"timestamp": "2022-06-19T08:23:35.042232+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "17743f319e7720c5", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:10.10.20.43:39325", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "TRISTSNPA43$@AD2.TESTDOMAIN.EU", "workstation": null, "becameAccount": "TRISTSNPA43$", "becameDomain": "AD2TESTDOMAIN", "becameSid": "S-1-5-21-2411287637-2672124256-485923657-1000", "mappedAccount": "TRISTSNPA43$", "mappedDomain": "AD2TESTDOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 1833}}
> <29>1 2022-06-19T08:23:35.074704+00:00 tristsnpa43 samba 1447 - - [2022/06/19 08:23:35.074468, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> <29>1 2022-06-19T08:23:35.074836+00:00 tristsnpa43 samba 1447 - - Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[TRISTSNPA43$@AD2.TESTDOMAIN.EU] at [Sun, 19 Jun 2022 08:23:35.074460 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.10.20.43:36210] became [AD2TESTDOMAIN]\[TRISTSNPA43$] [S-1-5-21-2411287637-2672124256-485923657-1000]. local host [NULL]
> <29>1 2022-06-19T08:23:35.074897+00:00 tristsnpa43 samba 1447 - - {"timestamp": "2022-06-19T08:23:35.074594+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "20e4e3df88368059", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:10.10.20.43:36210", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "TRISTSNPA43$@AD2.TESTDOMAIN.EU", "workstation": null, "becameAccount": "TRISTSNPA43$", "becameDomain": "AD2TESTDOMAIN", "becameSid": "S-1-5-21-2411287637-2672124256-485923657-1000", "mappedAccount": "TRISTSNPA43$", "mappedDomain": "AD2TESTDOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 1272}}
> <27>1 2022-06-19T08:23:35.179652+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.179512, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.179736+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-2411287637-2672124256-485923657-1000 -> getpwuid(3000029) failed, is nsswitch configured?
> <27>1 2022-06-19T08:23:35.210940+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210811, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211019+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: Traceback (most recent call last):
> <27>1 2022-06-19T08:23:35.211078+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210882, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211142+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/sbin/samba-gpupdate", line 119, in <module>
> <27>1 2022-06-19T08:23:35.211201+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210914, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211261+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
> <27>1 2022-06-19T08:23:35.211327+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210923, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211363+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 438, in apply_gp
> <27>1 2022-06-19T08:23:35.211401+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210932, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211459+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: gpos = get_gpo_list(dc_hostname, creds, lp)
> <27>1 2022-06-19T08:23:35.211524+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210951, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211571+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 370, in get_gpo_list
> <27>1 2022-06-19T08:23:35.211622+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210972, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211693+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: gpos = ads.get_gpo_list(creds.get_username())
> <27>1 2022-06-19T08:23:35.211768+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210986, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> <27>1 2022-06-19T08:23:35.211841+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu): The specified account does not exist.
> 
> This is repeated each time GPOs are applied with "apply group policies = true"
> 
> I am worried about the following message:
> samba_tevent: EPOLL_CTL_ADD failed (Invalid argument) replay[0] - calling panic_fallback
> However I could not find much about it.
> 
> The computer account seems to auth ok and:
> getent passwd AD2TESTDOMAIN\\TRISTSNPA43$
> AD2TESTDOMAIN\tristsnpa43$:*:3000029:100::/home/AD2TESTDOMAIN/tristsnpa43_:/bin/bash
> 
> Here is my config:
> 
> uname -a
> Linux tristsnpa43 5.15.0-37-generic #39-Ubuntu SMP Wed Jun 1 19:16:45 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> 
> smbd -V
> Version 4.15.5-Ubuntu
> 
> smb.conf
> [global]
> bind interfaces only = Yes
> disable netbios = Yes
> disable spoolss = Yes
> dns zone transfer clients allow = 127.0.0.1 10.10.20.9
> interfaces = lo vlan20
> kerberos encryption types = strong
> kerberos method = secrets and keytab
> ldap server require strong auth = Yes
> logging = syslog at 3 file at 3
> log level = 1 auth_audit:3@/var/log/samba/auth_audit.log auth_json_audit:3@/var/log/samba/auth_audit.json
> name resolve order = host lmhosts wins bcast
> netbios name = TRISTSNPA43
> ntlm auth = mschapv2-and-ntlmv2-only
> password hash userPassword schemes = CryptSHA256 CryptSHA512
> printcap name = /dev/null
> realm = AD2.TESTDOMAIN.EU
> restrict anonymous = 2
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> smb ports = 445
> template homedir = /home/%D/%U
> template shell = /bin/bash
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls priority = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> workgroup = AD2TESTDOMAIN
> idmap_ldb:use rfc2307 = no
> acl:search = true
> apply group policies = true
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> 
> [netlogon]
> path = /var/lib/samba/sysvol/ad2.testdomain.eu/scripts
> read only = No
> 
> [dfs]
> comment = DFS Proxy Share
> msdfs proxy = \tristsnpa43.ad2.testdomain.eu\dfsroot
> read only = No
> msdfs root = Yes
> vfs objects = dfs_samba4 acl_xattr recycle
> browsable = Yes
> 
> [dfsroot]
> comment = DFS Root Share
> path = /var/lib/samba/dfsroot
> read only = No
> msdfs root = Yes
> vfs objects = dfs_samba4 acl_xattr recycle
> browsable = No
> 
> krb5.conf:
> [libdefaults]
> default_realm = AD2.TESTDOMAIN.EU
> dns_lookup_realm = false
> dns_lookup_kdc = true
> 
> [realms]
> AD2.TESTDOMAIN.EU = {
> default_domain = ad2.testdomain.eu
> }
> 
> [domain_realm]
> tristsnpa43 = AD2.TESTDOMAIN.EU
> 
> nsswitch.conf:
> passwd: files systemd winbind
> group: files systemd winbind

This is the relevant error (from your debug):

Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 119, in <module>
    apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 438, in apply_gp
    gpos = get_gpo_list(dc_hostname, creds, lp)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 370, in get_gpo_list
    gpos = ads.get_gpo_list(creds.get_username())
RuntimeError: Failed to get machine token for 'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu): The specified account does not exist.

Does 'CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu' exist?

-- 
*David Mulder*
Labs Software Engineer, Samba
SUSE
1221 Valley Grove Way
Pleasant Grove, UT 84062

dmulder at suse.com
http://www.suse.com
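The reply above pulls the relevant traceback out of the syslog records by hand. The script below, added here as an example and not code from the thread or from Samba, automates that step: with "logging = syslog" and "apply group policies = true", winbindd runs samba-gpupdate through samba_runcmd and relays each line of its output as a separate record prefixed with "/usr/sbin/samba-gpupdate: ", each preceded by a "[date, level] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)" debug header. The script strips that framing, reassembles the Python traceback, extracts the account and DN named in the "Failed to get machine token" error, and cross-checks the JSON auth_audit records to see whether the same machine account had just authenticated to the KDC (which it had in this thread, so the credentials are not the problem). It assumes the RFC 5424 framing seen in the quoted logs (<PRI>1 TIMESTAMP HOST APP PID - - MSG); the sample records are constructed copies of the quoted lines, with the JSON event trimmed to the keys used.

```python
"""Reassemble the samba-gpupdate traceback that winbindd relays to syslog.

Added example; not code from the original post or from Samba. It assumes the
RFC 5424 framing seen in the quoted logs: <PRI>1 TIMESTAMP HOST APP PID - - MSG.
"""
import json
import re
from typing import Dict, List, Optional

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) - - (?P<msg>.*)$")
# Samba debug header that precedes every relayed output line.
RUNCMD_HDR_RE = re.compile(r"^\[\d{4}/\d{2}/\d{2} [\d:.]+, *\d+\] .*\(samba_runcmd_io_handler\)$")
# winbindd prefixes each relayed line with the path of the command it ran.
GPUPDATE_PREFIX = "/usr/sbin/samba-gpupdate: "
# Final line of a CPython traceback: "SomeError: message".
EXC_RE = re.compile(r"^[A-Za-z_][\w.]*(?:Error|Exception): ")
TOKEN_ERR_RE = re.compile(
    r"^RuntimeError: Failed to get machine token for '(?P<account>[^']+)'"
    r"\((?P<dn>[^)]+)\): (?P<reason>.*)$")

# Constructed sample: copies of the records quoted in the thread, with the JSON
# audit event trimmed to the keys this script reads.
SAMPLE_LOG = r"""<29>1 2022-06-19T08:23:35.042355+00:00 tristsnpa43 samba 1450 - - {"timestamp": "2022-06-19T08:23:35.042232+0000", "type": "Authentication", "Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", "serviceDescription": "Kerberos KDC", "clientAccount": "TRISTSNPA43$@AD2.TESTDOMAIN.EU", "becameAccount": "TRISTSNPA43$"}}
<27>1 2022-06-19T08:23:35.179652+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.179512, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.179736+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-2411287637-2672124256-485923657-1000 -> getpwuid(3000029) failed, is nsswitch configured?
<27>1 2022-06-19T08:23:35.210940+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210811, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211019+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: Traceback (most recent call last):
<27>1 2022-06-19T08:23:35.211078+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210882, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211142+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/sbin/samba-gpupdate", line 119, in <module>
<27>1 2022-06-19T08:23:35.211201+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210914, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211261+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
<27>1 2022-06-19T08:23:35.211327+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210923, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211363+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 438, in apply_gp
<27>1 2022-06-19T08:23:35.211401+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210932, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211459+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: gpos = get_gpo_list(dc_hostname, creds, lp)
<27>1 2022-06-19T08:23:35.211524+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210951, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211571+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 370, in get_gpo_list
<27>1 2022-06-19T08:23:35.211622+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210972, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211693+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: gpos = ads.get_gpo_list(creds.get_username())
<27>1 2022-06-19T08:23:35.211768+00:00 tristsnpa43 winbindd 1446 - - [2022/06/19 08:23:35.210986, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
<27>1 2022-06-19T08:23:35.211841+00:00 tristsnpa43 winbindd 1446 - - /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Domain Controllers,DC=ad2,DC=TESTDOMAIN,DC=eu): The specified account does not exist."""


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split one record into its fields, or return None if it is not framed as expected."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def gpupdate_output(lines: List[str]) -> List[str]:
    """Lines samba-gpupdate wrote, in order, minus winbindd's relay prefix and debug headers."""
    out: List[str] = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["app"] != "winbindd" or RUNCMD_HDR_RE.match(rec["msg"]):
            continue
        if rec["msg"].startswith(GPUPDATE_PREFIX):
            out.append(rec["msg"][len(GPUPDATE_PREFIX):])
    return out


def extract_traceback(lines: List[str]) -> List[str]:
    """The traceback from 'Traceback (most recent call last):' up to the exception line."""
    out = gpupdate_output(lines)
    if "Traceback (most recent call last):" not in out:
        return []
    start = out.index("Traceback (most recent call last):")
    tb = [out[start]]
    for msg in out[start + 1:]:
        tb.append(msg)
        if EXC_RE.match(msg):  # frames are "File ..." / source pairs; this ends them
            break
    return tb


def machine_token_failure(lines: List[str]) -> Optional[Dict[str, str]]:
    """Account, DN and reason from gpclass's 'Failed to get machine token' error, if present."""
    for msg in extract_traceback(lines):
        m = TOKEN_ERR_RE.match(msg)
        if m:
            return m.groupdict()
    return None


def kdc_authentications(lines: List[str]) -> List[tuple]:
    """(clientAccount, serviceDescription, status) from the JSON auth_audit records."""
    found = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or not rec["msg"].startswith("{"):
            continue
        try:
            ev = json.loads(rec["msg"])
        except json.JSONDecodeError:
            continue
        if ev.get("type") == "Authentication":
            a = ev["Authentication"]
            found.append((a.get("clientAccount"), a.get("serviceDescription"), a.get("status")))
    return found


def nss_lookup_warnings(lines: List[str]) -> List[str]:
    """add_local_groups lines where a SID mapped to a uid that getpwuid() could not resolve."""
    return [m for m in gpupdate_output(lines) if "getpwuid(" in m and "failed" in m]


def diagnose(log_text: str) -> dict:
    """Summarise the records: what failed, and whether the same machine account had
    just authenticated to the KDC (credentials fine, failure is in the later lookup)."""
    lines = log_text.splitlines()
    failure = machine_token_failure(lines)
    ok_accounts = {acct.split("@")[0] for acct, _svc, status in kdc_authentications(lines)
                   if acct and status == "NT_STATUS_OK"}
    return {
        "traceback": extract_traceback(lines),
        "failure": failure,
        "nss_warnings": nss_lookup_warnings(lines),
        "account_authenticated_ok": failure is not None and failure["account"] in ok_accounts,
    }


if __name__ == "__main__":
    summary = diagnose(SAMPLE_LOG)
    print("\n".join(summary["traceback"]))
    print(summary["failure"], "| KDC auth OK:", summary["account_authenticated_ok"])
```

Run it against a journal export (`journalctl -o short -u samba-ad-dc` or the syslog file, piped into `diagnose`) after a boot on which the policy did not apply; the "failure" entry gives the exact DN to look up with ldbsearch, which is the question the reply asks, and "account_authenticated_ok" separates a lookup problem from a credential problem.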
