Bug 13516 - Computer-based GPOs fail to apply if Samba is build against system mit-kerberos
Computer-based GPOs fail to apply if Samba is build against system mit-kerberos
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
unspecified
All Linux
: P5 normal
: ---
Assigned To: Andreas Schneider
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-07-09 14:51 UTC by rz
Modified: 2020-02-17 07:19 UTC (History)
7 users (show)

See Also:


Attachments
Samba log with station logon (log level=50) (2.29 MB, application/x-gzip)
2018-07-11 10:37 UTC, Tomasz Majewski
no flags Details
log with heimdal (windows 10 workstation joins, reboots, user logs on) (3.33 MB, application/x-xz)
2018-10-10 08:17 UTC, Alexey Sheplyakov
no flags Details
logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 1 (4.77 MB, application/x-xz)
2018-10-10 08:19 UTC, Alexey Sheplyakov
no flags Details
logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 2 (2.12 MB, application/octet-stream)
2018-10-10 08:21 UTC, Alexey Sheplyakov
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description rz 2018-07-09 14:51:47 UTC
Computer-based GPOs won't apply to Windows 10 or Windows 7 clients if they try to fetch those policies from a DC build against MIT-kerberos, for example in fedora 28/27 (see https://lists.samba.org/archive/samba/2018-July/216778.html for example) or opensuse leap 15.  I tested with the packages provided by opensuse and a 4.8.2 build by myself.

If I transfer those GPOs to a Windows Server 2008 R2 based DC via robocopy they apply on joined computers without any error. Same with samba 4.6.15 heimdal based DCs.

If MIT kerberos support is still experimental, it should clearly be called that way, which would prevent MIT-based distributions to pick this feature up. However i was not able to find a corresponding entry in the release notes of samba 4.7 or 4.8 nor the wiki (not feature-complete does not necessarily mean experimental).

Steps to reproduce:

1. Setup a DC based on the named distros
2. Join some Windows 10 or 7 Clients
3. Deploy computer-based GPOs
4. Check application of those GPOs

The computer is a part of the following security groups: NULL SID
Default Domain Policy: Filtering:  Denied (Security)
Comment 1 Andrew Bartlett 2018-07-09 22:21:29 UTC
Andreas,

Can you please address this?

Thanks,

Andrew Bartlett
Comment 2 Alexander Bokovoy 2018-07-10 12:19:18 UTC
A policy is applied by the client machine, not a DC (unless you are logging on the DC).

It would be good to gather network traces and Samba logs (log level = 50) when a login to the client happens.
Comment 3 Alexander Bokovoy 2018-07-10 12:29:47 UTC
the only possible difference I see might be in a content of MS-PAC record in a TGT obtained by the client machine with the machine account. If Samba logs could be provided with 'log level = 50' for an attempt to logon to a client workstation, we could see an MS-PAC record dump in the logs.
Comment 4 Tomasz Majewski 2018-07-11 10:37:03 UTC
Created attachment 14319 [details]
Samba log with station logon (log level=50)

Station name: win10eng
Comment 5 David Mulder 2018-07-16 14:44:53 UTC
(In reply to Tomasz Majewski from comment #4)
Ideally we need all the logs under /var/log/samba during the attempted logon via that workstation. Also, we need logs from a working heimdal dc, as well as the mit dc, so that we can compare the two.
Comment 6 Engel, Johannes 2018-07-28 17:59:28 UTC
Is there any particular module for which you need the logs? Or just everything at level 50?
Comment 7 Andreas Schneider 2018-08-28 12:32:43 UTC
Just everything.
Comment 8 Alexey Sheplyakov 2018-10-10 08:17:05 UTC
Created attachment 14523 [details]
log with heimdal (windows 10 workstation joins, reboots, user logs on)
Comment 9 Alexey Sheplyakov 2018-10-10 08:19:25 UTC
Created attachment 14524 [details]
logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 1

This is 1st part of the archive (to fit into the size limit), just cat both parts, and unpack (tar xaf) them.
Comment 10 Alexey Sheplyakov 2018-10-10 08:21:18 UTC
Created attachment 14525 [details]
logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 2

This is 2nd (and the last) part, just cat both parts, and unpack (tar xaf) them
Comment 11 Alexey Sheplyakov 2018-10-10 08:22:34 UTC
> Ideally we need all the logs under /var/log/samba during the attempted logon via that workstation.

I've collected these logs with samba 4.8.5 (running on ALT Linux), see the attachments. Please let me know if you need any additional info.
Comment 12 Martin Tessun 2019-12-21 11:53:23 UTC
Looks like this BZ is stalled since a year. Anything that can be done to get this moving? I am having the same issue with SLES 15 now - and I can gather data, but I am unfortunately no kerberos expert, so I can probably not analyze the issue (unless I find some spare time to dig into kerberos.

In case tests, data, etc. is needed, I can provide that.

Thanks!
Comment 13 Isaac Boukris 2020-01-12 02:57:55 UTC
(In reply to Martin Tessun from comment #12)

For starters, a detailed step-by-step how to reproduce would help.
Comment 14 Isaac Boukris 2020-02-06 12:45:03 UTC
I tested with MIT master and MR 1062, and computer GPO seem to work fine.
Via "Group Policy Manager", I added a rule to set an environment variable SMB_VAR, and it gets set accordingly.

> set |findstr SMB_TEST
SMB_TEST=OK

> gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2018 Microsoft Corporation. All rights reserved.

Created on ?2/?6/?2020 at 1:33:24 PM


RSOP data for SMB\Administrator on CMA : Logging Mode
------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  10.0.17763
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator.SMB
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=CMA,CN=Computers,DC=smb,DC=net
    Last time Group Policy was applied: 2/6/2020 at 1:33:02 PM
    Group Policy was applied from:      sdc.smb.net
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        SMB
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        CMA$
        Domain Computers
        System Mandatory Level
        

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=smb,DC=net
    Last time Group Policy was applied: 2/6/2020 at 1:33:03 PM
    Group Policy was applied from:      sdc.smb.net
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        SMB
    Domain Type:                        Windows 2008 or later
    
    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Denied RODC Password Replication Group
        Schema Admins
        Enterprise Admins
        Group Policy Creator Owners
        High Mandatory Level
Comment 15 Martin Tessun 2020-02-10 08:54:44 UTC
Hi Isaac,

indeed this looks good - btw. just saw the question for reproducer, but mainly it is (regardless if GPO is set or not) that the host has no security groups:

So for e.g. openSuSE 15.x it gpresult shows for a Domain member host:

    The computer is a part of the following security groups
    -------------------------------------------------------
        NULL SID
        NETWORK
        THIS ORGANISATION- 
        Untrusted Mandatory Level

which is not what is configured in the ADC (Samba).

So once it would get the configured security groups it would work - as your example shows as well.

Sorry for answering so late, but I somehow missed your previous update. Sill what is written in c#0 is pretty much accurate.

Next steps I want to do is verify if it works for me as well as soon as I recompiled with nightly build from MIT krb.

Cheers,
Martin
Comment 16 Isaac Boukris 2020-02-10 09:51:07 UTC
(In reply to Martin Tessun from comment #15)

Thanks for confirming, if you want to try samba master and krb5-mit master you'd also need to apply MR 1062 to get it working.
I think the fix probably comes from recent changes upstream MIT, but it may be some fix in samba, we'd need to clarify it.
Comment 17 Martin Tessun 2020-02-10 12:35:52 UTC
It probably needs some while. Currently kdc crashes after a few minutes with exit status 6 - need to figure out what went wrong.

Anyways I will update as soon as I have results.
Comment 18 Isaac Boukris 2020-02-10 12:43:40 UTC
(In reply to Martin Tessun from comment #17)

Can you share the backtrace and the versions you tried?

Thanks