[Samba] GPO on a DC
samba-ml-en
samba-ml-en at protonmail.com
Sat Jun 25 14:42:20 UTC 2022
Dear Rowland,Louis and David,
I am coming to you with regards to the answer point from rowland, and more testing of my problem of course, hoping it makes sense, but it seems to me there are 3 bugs with samba GPOs.
I ran my setup again with --option="tls enabled=no" in my "samba-tool domain provision", well I can say, it is not honored and is not written in smb.conf and therefore you always end up with the default which is Yes (cf man page and testparm -vv | grep tls). So anyway this prompted me to do further testing and I started to look at the samba code. I found in the repo samba/source3/winbindd/winbindd_gpupdate.c (https://github.com/samba-team/samba/blob/e742661bd2507d39dfa47e40531dc1dca636cbbe/source3/winbindd/winbindd_gpupdate.c)
I could infer it is calling samba-gpupdate with the parameters -s smb.conf --target=Computer --machine-pass within a call back function WITH some other parameters.
So now I repeated my testing:
1) tls enabled = Yes (which is the default)
Run samba-gpupdate -s /etc/samba/smb.conf --target=Computer --machine-pass -d10
GPO are parsed and applied
Next systemctl restart samba-ad-dc and I get
[2022/06/25 13:24:49.936038, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
/usr/sbin/samba-gpupdate: Connecting to 10.10.20.43 at port 389
[2022/06/25 13:24:49.936180, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
/usr/sbin/samba-gpupdate: open_socket_out: failed to open socket
repeat many times systemctl restart samba-ad-dc sometimes the connection is successful......
2) Repeat the above with tls enabled = No
Run samba-gpupdate -s /etc/samba/smb.conf --target=Computer --machine-pass -d10
GPO are parsed and applied
Next systemctl restart samba-ad-dc and I get the original error.
What I can conclude so far, few issues:
1) --option="tls enabled=no" not honored during samba-tool domain provision
2) tls enabled = Yes
winbindd does not seem to be able to connect to the socket (on 636 I suppose, because in the logs it can do some cldap on 389 before without error) during samba-ad-dc startup, but it is fine do to the same after it is started. I suspect the process on port 636 is not yet up when it tries. Let's call it a timing issue
3) tls enabled = No
We can get the data we want off ldap regardless of the method (samba restart or manual gp update), however we get
/usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-3771616199-2733218289-4272702380-1000 -> getpwuid(3000141) failed, is nsswitch configured?
Always the case when the update comes from an automatic update. What is the difference with the manual method? Well the call is wrapped by I suppose winbindd_gpupdate.c which may be the culprit
Now why GPOs are working on a windows client?
Samba is fully started when updates occur and it is not using winbind
Now why GPOs are not working on a linux client?
Same reason a for the server part, winbindd code
Eric
> On Fri, 2022-06-24 at 14:45 +0000, samba-ml-en wrote:
>
> > Hello Rowland,
> >
> > I removed the down level options, left the winbind enum ones (I am
> > still testing, not many users/groups), re-enabled netbios, and
> > disabled winbind over RPC.
> >
> > now I can see better ldap conversation, however I am hitting in one
> > case the same problem as before, the other probably another issue.
> > so:
> >
> > 1) tls enabled = Yes
> >
> > I have a valid certificate
>
>
> You may have, but don't use ldaps, use kerberos instead, it is more
> secure.
>
> Rowland
>
More information about the samba
mailing list