[Samba] gpo client linux sssd does not apply

Rowland Penny rpenny at samba.org
Tue Apr 18 10:44:54 UTC 2023



On 17/04/2023 15:47, David Mulder via samba wrote:
> On 4/14/23 2:23 AM, Anderson Sampaio Mello via samba wrote:
>> Hello Samba Team, how are you?
>>
>> I'm joining linux clients in the company's environment and I would like to
>> apply GPOs to linux clients, I'm in the testing phase.
>>
>> I'm testing with ubuntu clients version 22.04 and the software I used to
>> join the samba AD was sssd.
>>
>> The 22.04 ubuntu client has joined and everything is working fine except
>> for the GPOs for linux clients.
>>
>> I compiled and installed oddjob-gpupdate and also installed oddjob as
>> recommended by the samba documentation (
>> https://dmulder.github.io/group-policy-book/)
>>
>> I also installed samba version 4.15.3 with the command samba-gpupdate, when
>> I run the command samba-gpupdate --rsop with sssd working it reports these
>> errors:
>>
>> Traceback (most recent call last):
>>     File "/usr/sbin/samba-gpupdate", line 117, in <module>
>>       rsop(lp, creds, logger, store, gp_extensions, opts.target)
>>     File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, 
>> in rsop
>>       dc_hostname = get_dc_hostname(creds, lp)
>>     File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in
>> get_dc_hostname
>>       cldap_ret = net.finddc(domain=lp.get('realm'),
>> flags=(nbt.NBT_SERVER_LDAP |
>> samba.NTSTATUSError: (3221225524, 'The object name is not found.')
>> Error in sys.excepthook:
>> Traceback (most recent call last):
>>     File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 
>> 153,
>> in apport_excepthook
>>       with os.fdopen(os.open(pr_filename,
>> FileNotFoundError: [Errno 2] No such file or directory:
>> '/var/crash/_usr_sbin_samba-gpupdate.0.crash'
>>
>> Original exception was:
>> Traceback (most recent call last):
>>     File "/usr/sbin/samba-gpupdate", line 117, in <module>
>>       rsop(lp, creds, logger, store, gp_extensions, opts.target)
>>     File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, 
>> in rsop
>>       dc_hostname = get_dc_hostname(creds, lp)
>>     File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in
>> get_dc_hostname
>>       cldap_ret = net.finddc(domain=lp.get('realm'),
>> flags=(nbt.NBT_SERVER_LDAP |
>> samba.NTSTATUSError: (3221225524, 'The object name is not found.')
> samba-gpupdate is failing to find the dc hostname. Can you provide me 
> with copies of your config (sssd, smb.conf)?
>> On another station when I test on another linux ubuntu client with the same
>> version of samba, but with winbind (not sssd), the GPOs are applied normally.
>>
>> I think it's something that isn't working well, which could be a result of
>> the compilation or some detail I missed.
>>
>> I downloaded the code from https://github.com/openSUSE/oddjob-gpupdate and
>> compiled it like this:
>>
>> apt install autoconf libtool libxml2-dev libdbus-1-dev oddjob libpam0g-dev xmlto libselinux1-dev libxml++2.6-dev
>> ./autogen
>> make up
>> make install
>>
>> Did I make a mistake in the compilation process? Can someone guide me to
>> compile correctly?
> 
> I'm afraid Samba's group policy isn't officially supported with SSSD, 
> although it has worked in the past. It is known to work well with 
> Winbind though.
> 
> 

I think what you are saying is this: using oddjob-gpupdate replaces the 
'apply group policies = yes' line in smb.conf.

Anderson compiled oddjob-gpupdate and it didn't work using sssd, but the 
same basic setup on the OS using winbind did.

As far as I can see, oddjob-gpupdate or 'apply group policies = yes' 
just run samba-gpupdate; as the python script works okay using winbind, 
it is unlikely there is anything wrong with the script.
This leaves sssd, which doesn't seem to take any part in the process, or 
the oddjob-gpupdate script, which seems to run the samba-gpupdate script, 
or the basic setup of the OS; my money is on the latter.

If the process works correctly when using winbind, what is 
oddjob-gpupdate for? Does SUSE require it?

Rowland


