Bug 13516 - Computer-based GPOs fail to apply if Samba is built against system mit-kerberos
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All
OS: Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Andreas Schneider
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2018-07-09 14:51 UTC by rz
Modified: 2019-11-12 14:43 UTC
CC: 6 users
See Also:

Attachments
- Samba log with station logon (log level=50) (2.29 MB, application/x-gzip), 2018-07-11 10:37 UTC, Tomasz Majewski
- log with heimdal (windows 10 workstation joins, reboots, user logs on) (3.33 MB, application/x-xz), 2018-10-10 08:17 UTC, Alexey Sheplyakov
- logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 1 (4.77 MB, application/x-xz), 2018-10-10 08:19 UTC, Alexey Sheplyakov
- logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 2 (2.12 MB, application/octet-stream), 2018-10-10 08:21 UTC, Alexey Sheplyakov

Description rz 2018-07-09 14:51:47 UTC
Computer-based GPOs won't apply to Windows 10 or Windows 7 clients if they try to fetch those policies from a DC built against MIT-kerberos, for example in fedora 28/27 (see https://lists.samba.org/archive/samba/2018-July/216778.html for example) or opensuse leap 15. I tested with the packages provided by opensuse and a 4.8.2 build by myself.

If I transfer those GPOs to a Windows Server 2008 R2 based DC via robocopy, they apply on joined computers without any error. Same with samba 4.6.15 Heimdal-based DCs.

If MIT kerberos support is still experimental, it should clearly be called that, which would prevent MIT-based distributions from picking this feature up. However, I was not able to find a corresponding entry in the release notes of samba 4.7 or 4.8, or in the wiki (not feature-complete does not necessarily mean experimental).

Steps to reproduce:

1. Setup a DC based on the named distros
2. Join some Windows 10 or 7 Clients
3. Deploy computer-based GPOs
4. Check application of those GPOs

The computer is a part of the following security groups: NULL SID
Default Domain Policy: Filtering:  Denied (Security)
Comment 1 Andrew Bartlett 2018-07-09 22:21:29 UTC
Andreas,

Can you please address this?

Thanks,

Andrew Bartlett
Comment 2 Alexander Bokovoy 2018-07-10 12:19:18 UTC
A policy is applied by the client machine, not a DC (unless you are logging on the DC).

It would be good to gather network traces and Samba logs (log level = 50) when a login to the client happens.
Comment 3 Alexander Bokovoy 2018-07-10 12:29:47 UTC
The only possible difference I see might be in the content of the MS-PAC record in a TGT obtained by the client machine with the machine account. If Samba logs could be provided with 'log level = 50' for an attempt to logon to a client workstation, we could see an MS-PAC record dump in the logs.
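The gpresult lines in the description ("The computer is a part of the following security groups: NULL SID" followed by "Filtering: Denied (Security)") and comment 3's hypothesis about the MS-PAC in the machine TGT describe two ends of the same mechanism: the client builds the machine's access token from the group RIDs/SIDs carried in the PAC, and a GPO applies only if its ACL grants the "Apply Group Policy" extended right to a SID in that token. The following is an added example, not code from the Samba project, the reporter, or the attached logs. It models that decision in plain Python; the domain SID, the machine RID, the PAC contents and the ACL are constructed, and the example makes no claim about what the MIT-built DC actually put in its PAC, only about why a token holding nothing but the NULL SID ends up as "Denied (Security)" for the Default Domain Policy.

```python
"""Model of the Group Policy security-filtering check for a computer account.

Added example; not Samba code and not derived from the attached logs.
The well-known SIDs and the Apply Group Policy GUID are real, documented
values; the domain SID, RIDs, PAC contents and ACL are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Real, documented well-known values.
NULL_SID = "S-1-0-0"
AUTHENTICATED_USERS = "S-1-5-11"
APPLY_GROUP_POLICY_GUID = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
DOMAIN_COMPUTERS_RID = 515

# Constructed domain SID for the example.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"


@dataclass
class PacLogonInfo:
    """The parts of MS-PAC KERB_VALIDATION_INFO that feed group membership."""
    logon_domain_id: str            # LogonDomainId: the domain SID
    user_id: int                    # UserId: RID of the (machine) account
    group_ids: list[int]            # GroupIds: RIDs relative to LogonDomainId
    extra_sids: list[str] = field(default_factory=list)  # ExtraSids: full SIDs


@dataclass
class Ace:
    """One ACE of the GPO's security descriptor, reduced to what matters here."""
    allow: bool
    trustee: str
    object_type: Optional[str] = None  # extended-right GUID; None = any right


def token_from_pac(pac: PacLogonInfo) -> set[str]:
    """Expand PAC RIDs into the SIDs the client places in the machine token.

    Authenticated Users (S-1-5-11) is not carried in the PAC; the client's
    LSA adds it to every authenticated logon, so it is added here as well.
    """
    sids = {f"{pac.logon_domain_id}-{pac.user_id}"}
    sids.update(f"{pac.logon_domain_id}-{rid}" for rid in pac.group_ids)
    sids.update(pac.extra_sids)
    sids.add(AUTHENTICATED_USERS)
    return sids


def apply_group_policy_result(token: set[str], acl: list[Ace]) -> str:
    """Return the gpresult-style filtering verdict for one GPO.

    For a single access right, Windows ACL evaluation reduces to: walk the
    ACEs in order, skip those whose trustee is not in the token or whose
    object type is some other right, and let the first remaining ACE decide.
    If no ACE matches, the right is not granted.
    """
    for ace in acl:
        if ace.trustee not in token:
            continue
        if ace.object_type not in (None, APPLY_GROUP_POLICY_GUID):
            continue
        return "Applied" if ace.allow else "Denied (Security)"
    return "Denied (Security)"


# The Default Domain Policy grants Apply Group Policy to Authenticated Users
# through an object-specific ACE. The edit rights of the admin groups are
# omitted because they do not carry the Apply right.
DEFAULT_DOMAIN_POLICY_ACL = [
    Ace(allow=True, trustee=AUTHENTICATED_USERS, object_type=APPLY_GROUP_POLICY_GUID),
]


def healthy_machine_token() -> set[str]:
    """Constructed PAC of a joined workstation that is in Domain Computers."""
    pac = PacLogonInfo(
        logon_domain_id=DOMAIN_SID,
        user_id=1108,                      # constructed RID for the machine account
        group_ids=[DOMAIN_COMPUTERS_RID],
    )
    return token_from_pac(pac)


def broken_machine_token() -> set[str]:
    """What gpresult reported in the bug: the token lists only the NULL SID."""
    return {NULL_SID}


if __name__ == "__main__":
    for name, token in (("working DC", healthy_machine_token()),
                        ("failing DC", broken_machine_token())):
        print(f"{name}: groups={sorted(token)}")
        verdict = apply_group_policy_result(token, DEFAULT_DOMAIN_POLICY_ACL)
        print(f"  Default Domain Policy: Filtering: {verdict}")
```

The model is deliberately one-sided: it shows that a token without S-1-5-11 cannot pass the Default Domain Policy's filter, which matches the symptom in the report, but it does not locate where in the DC's PAC generation the group information went missing; that is what the log level 50 PAC dump requested in comment 3 is for.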
Comment 4 Tomasz Majewski 2018-07-11 10:37:03 UTC
Created attachment 14319
Samba log with station logon (log level=50)

Station name: win10eng
Comment 5 David Mulder 2018-07-16 14:44:53 UTC
(In reply to Tomasz Majewski from comment #4)
Ideally we need all the logs under /var/log/samba during the attempted logon via that workstation. Also, we need logs from a working heimdal dc, as well as the mit dc, so that we can compare the two.
Comment 6 Engel, Johannes 2018-07-28 17:59:28 UTC
Is there any particular module for which you need the logs? Or just everything at level 50?
Comment 7 Andreas Schneider 2018-08-28 12:32:43 UTC
Just everything.
Comment 8 Alexey Sheplyakov 2018-10-10 08:17:05 UTC
Created attachment 14523
log with heimdal (windows 10 workstation joins, reboots, user logs on)
Comment 9 Alexey Sheplyakov 2018-10-10 08:19:25 UTC
Created attachment 14524
logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 1

This is the 1st part of the archive (split to fit into the size limit); just cat both parts and unpack (tar xaf) them.
Comment 10 Alexey Sheplyakov 2018-10-10 08:21:18 UTC
Created attachment 14525
logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 2

This is the 2nd (and last) part; just cat both parts and unpack (tar xaf) them.
Comment 11 Alexey Sheplyakov 2018-10-10 08:22:34 UTC
> Ideally we need all the logs under /var/log/samba during the attempted logon via that workstation.

I've collected these logs with samba 4.8.5 (running on ALT Linux), see the attachments. Please let me know if you need any additional info.