[Samba] GPO on a DC

samba-ml-en samba-ml-en at protonmail.com
Fri Jun 24 14:45:29 UTC 2022

Hello Rowland,

I removed the down level options, left the winbind enum ones (I am still testing, not many users/groups), re-enabled netbios, and disabled winbind over RPC.

now I can see better ldap conversation, however I am hitting in one case the same problem as before, the other probably another issue. so:

1) tls enabled = Yes

I have a valid certificate
openssl s_client -showcerts -connect tristsnpa43.ad2.domain.eu:636
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = tristsnpa43.ad2.domain.eu
verify return:1
Server certificate
subject=CN = tristsnpa43.ad2.domain.eu
issuer=C = US, O = Let's Encrypt, CN = R3
SSL handshake has read 3890 bytes and written 441 bytes
Verification: OK

Looking at the log (attached log.winbindd.with-tls-and-error) after a reboot, I have a new error
 /usr/sbin/samba-gpupdate: Connecting to at port 389
[2022/06/24 14:07:48.855245,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: open_socket_out: failed to open socket
[2022/06/24 14:07:48.887965,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: RuntimeError: ads_connect() failed: Operations error

2) tls enabled = No
This is already better, however exactly same result as with winbind rpc only = Yes (see attached log.winbindd.no-tls)

[2022/06/24 13:52:03.940310,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: sid S-1-5-21-121635736-320366473-2533684654-1000 -> uid 3000027
[2022/06/24 13:52:03.940619,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-121635736-320366473-2533684654-1000 -> getpwuid(3000027) failed, is nsswitch configured?
[2022/06/24 13:52:03.971762,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Linux,OU=AOA,OU=Domain Controllers,DC=ad2,DC=domain,DC=eu): The specified account does not exist.


> domain master = Yes
> That is an NT4-style domain term and has no place in a DC smb.conf
> winbind enum groups = Yes
> winbind enum users = Yes
> You do not need those, nsswitch will work without them, they can just
> slow things down.
> name resolve order = host lmhosts wins bcast
> Another NT4-style term, you use DNS instead.
> template homedir = /home/%D/%U
> That is a default setting.
> disable netbios = Yes
> That is not how you turn off netbios on a DC, you need to either remove
> 'nbt' from the 'server services' line or have a 'server services' line
> with '-nbt' (at least) in it.
> winbind rpc only = Yes
> With this set, you are not allowing winbindd to retrieve information
> from AD with ldap. It might be your problem.

More information about the samba mailing list