[Samba] GPO on a DC

samba-ml-en samba-ml-en at protonmail.com
Sat Jun 25 14:42:20 UTC 2022

Dear Rowland,Louis and David,

I am coming to you with regards to the answer point from rowland, and more testing of my problem of course, hoping it makes sense, but it seems to me there are 3 bugs with samba GPOs.

I ran my setup again with  --option="tls enabled=no" in my "samba-tool domain provision", well I can say, it is not honored and is not written in smb.conf and therefore you always end up with the default which is Yes (cf man page and testparm -vv | grep tls). So anyway this prompted me to do further testing and I started to look at the samba code. I found in the repo  samba/source3/winbindd/winbindd_gpupdate.c  (https://github.com/samba-team/samba/blob/e742661bd2507d39dfa47e40531dc1dca636cbbe/source3/winbindd/winbindd_gpupdate.c)
I could infer it is calling samba-gpupdate with the parameters -s smb.conf --target=Computer --machine-pass within a call back function WITH some other parameters.

So now I repeated my testing:

1) tls enabled = Yes (which is the default)

Run samba-gpupdate -s /etc/samba/smb.conf --target=Computer --machine-pass -d10
GPO are parsed and applied

Next systemctl restart samba-ad-dc and I get
[2022/06/25 13:24:49.936038,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: Connecting to at port 389
[2022/06/25 13:24:49.936180,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: open_socket_out: failed to open socket

repeat many times systemctl restart samba-ad-dc sometimes the connection is successful......

2) Repeat the above with tls enabled = No

Run samba-gpupdate -s /etc/samba/smb.conf --target=Computer --machine-pass -d10
GPO are parsed and applied

Next systemctl restart samba-ad-dc and I get the original error.

What I can conclude so far, few issues:

1) --option="tls enabled=no" not honored during samba-tool domain provision

2) tls enabled = Yes
winbindd does not seem to be able to connect to the socket (on 636 I suppose, because in the logs it can do some cldap on 389 before without error) during samba-ad-dc startup, but it is fine do to the same after it is started. I suspect the process on port 636 is not yet up when it tries. Let's call it a timing issue

3) tls enabled = No
We can get the data we want off ldap regardless of the method (samba restart or manual gp update), however we get
 /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-3771616199-2733218289-4272702380-1000 -> getpwuid(3000141) failed, is nsswitch configured?
Always the case when the update comes from an automatic update. What is the difference with the manual method? Well the call is wrapped by I suppose winbindd_gpupdate.c which may be the culprit

Now why GPOs are working on a windows client?
  Samba is fully started when updates occur and it is not using winbind

Now why GPOs are not working on a linux client?
  Same reason a for the server part, winbindd code


> On Fri, 2022-06-24 at 14:45 +0000, samba-ml-en wrote:
> > Hello Rowland,
> >
> > I removed the down level options, left the winbind enum ones (I am
> > still testing, not many users/groups), re-enabled netbios, and
> > disabled winbind over RPC.
> >
> > now I can see better ldap conversation, however I am hitting in one
> > case the same problem as before, the other probably another issue.
> > so:
> >
> > 1) tls enabled = Yes
> >
> > I have a valid certificate
> You may have, but don't use ldaps, use kerberos instead, it is more
> secure.
> Rowland

More information about the samba mailing list