The Samba-Bugzilla – Bug 13516
Computer-based GPOs fail to apply if Samba is built against system MIT Kerberos
Last modified: 2019-09-23 16:38:55 UTC
Computer-based GPOs won't apply to Windows 10 or Windows 7 clients if they try to fetch those policies from a DC built against MIT Kerberos, for example on Fedora 28/27 (see https://lists.samba.org/archive/samba/2018-July/216778.html for example) or openSUSE Leap 15. I tested with the packages provided by openSUSE and a 4.8.2 build made by myself.
If I transfer those GPOs to a Windows Server 2008 R2 based DC via robocopy, they apply on joined computers without any error. Same with Samba 4.6.15 Heimdal-based DCs.
If MIT Kerberos support is still experimental, it should clearly be called that, which would prevent MIT-based distributions from picking this feature up. However, I was not able to find a corresponding entry in the release notes of Samba 4.7 or 4.8, nor in the wiki (not feature-complete does not necessarily mean experimental).
Steps to reproduce:
1. Set up a DC based on the named distros
2. Join some Windows 10 or 7 Clients
3. Deploy computer-based GPOs
4. Check application of those GPOs
The computer is a part of the following security groups: NULL SID
Default Domain Policy: Filtering: Denied (Security)
Can you please address this?
A policy is applied by the client machine, not a DC (unless you are logging on the DC).
It would be good to gather network traces and Samba logs (log level = 50) when a login to the client happens.
The only possible difference I see might be in the content of the MS-PAC record in a TGT obtained by the client machine with the machine account. If Samba logs could be provided with 'log level = 50' for an attempt to log on to a client workstation, we could see an MS-PAC record dump in the logs.
Created attachment 14319 [details]
Samba log with station logon (log level=50)
Station name: win10eng
(In reply to Tomasz Majewski from comment #4)
Ideally we need all the logs under /var/log/samba during the attempted logon via that workstation. Also, we need logs from a working Heimdal DC as well as the MIT DC, so that we can compare the two.
Is there any particular module for which you need the logs? Or just everything at level 50?
Created attachment 14523 [details]
log with heimdal (windows 10 workstation joins, reboots, user logs on)
Created attachment 14524 [details]
logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 1
This is the 1st part of the archive (to fit into the size limit); just cat both parts and unpack (tar xaf) them.
Created attachment 14525 [details]
logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 2
This is the 2nd (and last) part; just cat both parts and unpack (tar xaf) them.
> Ideally we need all the logs under /var/log/samba during the attempted logon via that workstation.
I've collected these logs with Samba 4.8.5 (running on ALT Linux), see the attachments. Please let me know if you need any additional info.
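The comments above ask for level-50 logs from a working Heimdal DC and from the MIT DC so the MS-PAC contents can be compared, and the original report shows the client seeing a NULL SID instead of its real group memberships. The following is an added helper, not part of this bug report or of Samba, that pulls every SID out of two log captures and reports what differs; the log lines embedded in it are constructed placeholders, not Samba's real level-50 output format, and the script relies only on the SID string syntax (S-1-...), so it works on any text dump in which SIDs appear.

```python
"""Compare the SIDs visible in two Samba log captures (e.g. Heimdal vs. MIT DC).

Added diagnostic example; the sample log text below is constructed and does not
reproduce Samba's actual log format. Only the S-1-... SID syntax is relied upon.
"""
import re
import sys
from typing import Dict, Set

# Any SID: "S-1-" followed by an identifier authority and one or more sub-authorities.
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")

# The NULL SID (S-1-0-0) is what the reporter's gpresult output showed instead
# of real group memberships.
NULL_SID = "S-1-0-0"

# Constructed sample captures (placeholder format, not real Samba output).
HEIMDAL_LOG = """\
[level 50] PAC logon_info: user SID S-1-5-21-1111111111-2222222222-3333333333-1105
[level 50] PAC logon_info: group SID S-1-5-21-1111111111-2222222222-3333333333-515
[level 50] PAC logon_info: group SID S-1-5-21-1111111111-2222222222-3333333333-513
"""

MIT_LOG = """\
[level 50] PAC logon_info: user SID S-1-5-21-1111111111-2222222222-3333333333-1105
[level 50] PAC logon_info: group SID S-1-0-0
"""


def extract_sids(text: str) -> Set[str]:
    """Return the set of distinct SIDs appearing anywhere in the text."""
    return set(SID_RE.findall(text))


def compare_sid_sets(reference: str, candidate: str) -> Dict[str, object]:
    """Compare SIDs in a known-good capture against a suspect capture.

    Returns which SIDs the candidate lacks, which it adds, and whether the
    NULL SID shows up in it (the symptom from the bug's gpresult output).
    """
    ref_sids = extract_sids(reference)
    cand_sids = extract_sids(candidate)
    return {
        "missing_from_candidate": sorted(ref_sids - cand_sids),
        "extra_in_candidate": sorted(cand_sids - ref_sids),
        "null_sid_in_candidate": NULL_SID in cand_sids,
        "candidate_looks_broken": NULL_SID in cand_sids or bool(ref_sids - cand_sids),
    }


def compare_log_files(reference_path: str, candidate_path: str) -> Dict[str, object]:
    """File-based front end: reference is the good (Heimdal) capture."""
    with open(reference_path, encoding="utf-8", errors="replace") as ref, \
            open(candidate_path, encoding="utf-8", errors="replace") as cand:
        return compare_sid_sets(ref.read(), cand.read())


if __name__ == "__main__":
    # Usage: compare_pac_sids.py heimdal.log mit.log ; without arguments the
    # constructed samples are compared.
    if len(sys.argv) == 3:
        result = compare_log_files(sys.argv[1], sys.argv[2])
    else:
        result = compare_sid_sets(HEIMDAL_LOG, MIT_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the two unpacked log trees (for example by concatenating each tree's files into one text file first); a non-empty `missing_from_candidate` list or `null_sid_in_candidate` being true points at the PAC contents as the place to keep digging, which is exactly the comparison the developers asked for.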