[Samba] gpo client linux sssd does not apply

David Mulder dmulder at samba.org
Tue Apr 18 17:15:44 UTC 2023


On 4/14/23 2:23 AM, Anderson Sampaio Mello via samba wrote:
> Hello Samba Team, how are you?
>
> I'm joining linux clients in the company's environment and I would like to
> apply GPOs to linux clients, I'm in the testing phase.
>
> I'm testing with ubuntu clients version 22.04 and the software I used to
> join the samba AD was sssd.
>
> The 22.04 ubuntu client has joined and everything is working fine except
> for the GPOs for linux clients.
>
> I compiled and installed oddjob-gpupdate and also installed oddjob as
> recommended by the samba documentation (
> https://dmulder.github.io/group-policy-book/)
>
> I also installed samba version 4.15.3 with the command samba-gpupdate, when
> I run the command samba-gpupdate --rsop with sssd working it reports these
> errors:
>
> Traceback (most recent call last):
>     File "/usr/sbin/samba-gpupdate", line 117, in <module>
>       rsop(lp, creds, logger, store, gp_extensions, opts.target)
>     File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
>       dc_hostname = get_dc_hostname(creds, lp)
>     File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in
> get_dc_hostname
>       cldap_ret = net.finddc(domain=lp.get('realm'),
> flags=(nbt.NBT_SERVER_LDAP |
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')
> Error in sys.excepthook:
> Traceback (most recent call last):
>     File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 153,
> in apport_excepthook
>       with os.fdopen(os.open(pr_filename,
> FileNotFoundError: [Errno 2] No such file or directory:
> '/var/crash/_usr_sbin_samba-gpupdate.0.crash'
>
> Original exception was:
> Traceback (most recent call last):
>     File "/usr/sbin/samba-gpupdate", line 117, in <module>
>       rsop(lp, creds, logger, store, gp_extensions, opts.target)
>     File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 511, in rsop
>       dc_hostname = get_dc_hostname(creds, lp)
>     File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 358, in
> get_dc_hostname
>       cldap_ret = net.finddc(domain=lp.get('realm'),
> flags=(nbt.NBT_SERVER_LDAP |
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')

I was able to get it to work by setting up a simple smb.conf, and doing 
a `net ads join`. SSSD is still the auth provider.

My simple smb.conf looks like this:

dmulder at dmm-tw:~> cat /etc/samba/smb.conf
[global]
     idmap config * : backend = tdb
     idmap config * : range = 10000-20000
     idmap config dmm : backend = rid
     idmap config dmm : range = 20001-99999
     kerberos method = secrets and keytab
     security = ADS
     usershare allow guests = No
     workgroup = DMMSUSE
     realm = dmm.suse.de

Then I set `ad_update_samba_machine_account_password = true` in 
/etc/sssd/sssd.conf.

And finally:

sudo kinit Administrator
sudo net ads join -k

This creates the secrets.tdb for samba, which SSSD will now keep updated 
for samba-gpupdate. Afterward samba-gpupdate is working for me with SSSD.

>
> On another station when I test on another linux ubuntu client with the same
> version of samba, but with winbind(not sssd), the GPOs are applied normally.
>
> I think it's something that isn't working well, which could be a result of
> the compilation or some detail I missed.
>
> I downloaded the code from https://github.com/openSUSE/oddjob-gpupdate and
> compiled it like this:
>
> apt install autoconf libtool libxml2-dev libdbus-1-dev oddjob libpam0g-dev
> xmlto libselinux1-dev libxml++2.6-dev
> ./autogen
> make up
> make install
>
> Did I make a mistake in the compilation process? can someone guide me to
> compile correctly?

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
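
Added example, not part of the original message and not Samba or SSSD code: a preflight check for the prerequisites the reply above describes (smb.conf with `security = ADS` and a realm, the SSSD password-update option, and a secrets.tdb created by `net ads join`). Assumptions: the function names `ini_get` and `preflight` are hypothetical, the SSSD option is expected in a `[domain/...]` section, and the caller supplies the secrets.tdb path because its location varies by distribution.

```shell
#!/bin/sh
# Added example: preflight check before running samba-gpupdate with SSSD.
# Usage: sh preflight.sh /etc/samba/smb.conf /etc/sssd/sssd.conf <path to secrets.tdb>

# ini_get FILE SECTION_REGEX KEY: print the last value of KEY (lower-case)
# found in any section whose lower-cased name matches SECTION_REGEX.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        function trim(x) { gsub(/^[ \t]+|[ \t\r]+$/, "", x); return x }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { s = trim($0); gsub(/^\[|\]$/, "", s)
                        in_sect = (tolower(s) ~ sect); next }
        in_sect && (i = index($0, "=")) {
            k = trim(substr($0, 1, i - 1)); gsub(/[ \t]+/, " ", k)
            if (tolower(k) == key) val = trim(substr($0, i + 1))
        }
        END { if (val != "") print val }
    ' "$1"
}

# preflight SMB_CONF SSSD_CONF SECRETS_TDB: print findings; the return
# status is the number of failed checks (0 means all prerequisites are met).
preflight() {
    local fails=0 v
    v=$(ini_get "$1" '^global$' security | tr '[:upper:]' '[:lower:]')
    [ "$v" = ads ] || { echo "FAIL: [global] security is not ADS"; fails=$((fails + 1)); }

    # The traceback above fails inside net.finddc(domain=lp.get('realm'), ...)
    v=$(ini_get "$1" '^global$' realm)
    [ -n "$v" ] || { echo "FAIL: [global] realm is not set"; fails=$((fails + 1)); }

    v=$(ini_get "$2" '^domain/' ad_update_samba_machine_account_password |
        tr '[:upper:]' '[:lower:]')
    [ "$v" = true ] || {
        echo "FAIL: ad_update_samba_machine_account_password is not true"
        fails=$((fails + 1)); }

    # secrets.tdb is created by 'net ads join -k' and then kept updated by SSSD
    [ -s "$3" ] || { echo "FAIL: $3 is missing or empty"; fails=$((fails + 1)); }

    [ "$fails" -eq 0 ] && echo "OK: prerequisites for samba-gpupdate are present"
    return "$fails"
}

if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

Run it as root, since sssd.conf and secrets.tdb are normally not readable by other users.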
