Computer-based GPOs won't apply to Windows 10 or Windows 7 clients if they try to fetch those policies from a DC built against MIT Kerberos, for example on Fedora 28/27 (see https://lists.samba.org/archive/samba/2018-July/216778.html for example) or openSUSE Leap 15. I tested with the packages provided by openSUSE and a 4.8.2 build of my own. If I transfer those GPOs to a Windows Server 2008 R2 based DC via robocopy they apply on joined computers without any error. Same with Samba 4.6.15 Heimdal-based DCs. If MIT Kerberos support is still experimental, it should clearly be called that, which would prevent MIT-based distributions from picking this feature up. However, I was not able to find a corresponding entry in the release notes of Samba 4.7 or 4.8, nor in the wiki (not feature-complete does not necessarily mean experimental).

Steps to reproduce:
1. Set up a DC based on the named distros
2. Join some Windows 10 or 7 clients
3. Deploy computer-based GPOs
4. Check application of those GPOs

gpresult on the client shows:

The computer is a part of the following security groups:
    NULL SID

Default Domain Policy:
    Filtering: Denied (Security)
Andreas, Can you please address this? Thanks, Andrew Bartlett
A policy is applied by the client machine, not a DC (unless you are logging on to the DC). It would be good to gather network traces and Samba logs (log level = 50) when a login to the client happens.
The only possible difference I see might be in the content of the MS-PAC record in a TGT obtained by the client machine with the machine account. If Samba logs could be provided with 'log level = 50' for an attempt to log on to a client workstation, we could see an MS-PAC record dump in the logs.
Created attachment 14319 [details] Samba log with station logon (log level=50) Station name: win10eng
(In reply to Tomasz Majewski from comment #4) Ideally we need all the logs under /var/log/samba during the attempted logon via that workstation. Also, we need logs from a working Heimdal DC as well as the MIT DC, so that we can compare the two.
Is there any particular module for which you need the logs? Or just everything at level 50?
Just everything.
Created attachment 14523 [details] log with heimdal (windows 10 workstation joins, reboots, user logs on)
Created attachment 14524 [details] logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 1 This is 1st part of the archive (to fit into the size limit), just cat both parts, and unpack (tar xaf) them.
Created attachment 14525 [details] logs with MIT kerberos (windows 10 workstation joins, reboots, user logs on), part 2 This is the 2nd (and last) part; just cat both parts and unpack (tar xaf) them.
> Ideally we need all the logs under /var/log/samba during the attempted logon via that workstation. I've collected these logs with samba 4.8.5 (running on ALT Linux), see the attachments. Please let me know if you need any additional info.
Looks like this BZ has been stalled for a year. Anything that can be done to get this moving? I am having the same issue with SLES 15 now, and I can gather data, but I am unfortunately no Kerberos expert, so I can probably not analyze the issue (unless I find some spare time to dig into Kerberos). In case tests, data, etc. are needed, I can provide that. Thanks!
(In reply to Martin Tessun from comment #12) For starters, a detailed step-by-step how to reproduce would help.
I tested with MIT master and MR 1062, and computer GPOs seem to work fine. Via "Group Policy Manager", I added a rule to set an environment variable SMB_VAR, and it gets set accordingly.

> set |findstr SMB_TEST
SMB_TEST=OK

> gpresult /r
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.

Created on 2/6/2020 at 1:33:24 PM

RSOP data for SMB\Administrator on CMA : Logging Mode
------------------------------------------------------
OS Configuration:            Member Server
OS Version:                  10.0.17763
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator.SMB
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=CMA,CN=Computers,DC=smb,DC=net
    Last time Group Policy was applied: 2/6/2020 at 1:33:02 PM
    Group Policy was applied from:      sdc.smb.net
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        SMB
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        CMA$
        Domain Computers
        System Mandatory Level

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=smb,DC=net
    Last time Group Policy was applied: 2/6/2020 at 1:33:03 PM
    Group Policy was applied from:      sdc.smb.net
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        SMB
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Denied RODC Password Replication Group
        Schema Admins
        Enterprise Admins
        Group Policy Creator Owners
        High Mandatory Level
Hi Isaac, indeed this looks good. By the way, I just saw the question about a reproducer, but mainly it is (regardless of whether a GPO is set or not) that the host has no security groups. So for e.g. openSUSE 15.x, gpresult shows for a domain member host:

The computer is a part of the following security groups
-------------------------------------------------------
    NULL SID
    NETWORK
    THIS ORGANISATION
    Untrusted Mandatory Level

which is not what is configured in the ADC (Samba). So once it gets the configured security groups it would work, as your example shows as well. Sorry for answering so late, but I somehow missed your previous update. Still, what is written in c#0 is pretty much accurate. The next step I want to do is verify whether it works for me as well, as soon as I have recompiled with a nightly build from MIT krb. Cheers, Martin
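The comparison the two comments above make by eye (a healthy gpresult computer token listing Domain Computers and Authenticated Users versus a broken one listing only NULL SID, NETWORK and an untrusted mandatory level, with the Default Domain Policy denied) can be automated when triaging many clients. The following is an added example written for this thread, not code from Samba, MIT Kerberos or any commenter: it parses the text of `gpresult /r`, pulls out the applied GPOs and the security groups of the COMPUTER SETTINGS and USER SETTINGS scopes, and flags a computer token that looks like the one in this bug. The two sample outputs embedded in it are constructed from what the thread shows; the domain name, DN and hostname in the broken sample are placeholders.

```python
"""Parse `gpresult /r` output and flag a computer token that was built
without the domain groups a joined machine should carry (the symptom in
this thread: NULL SID instead of Domain Computers / Authenticated Users,
and the Default Domain Policy denied by security filtering).

Added example for this bug thread; not part of Samba or MIT Kerberos."""
import re
from dataclasses import dataclass, field

# Groups a domain-joined computer's token carries when the KDC issued a
# proper PAC. Their absence (or a NULL SID in their place) is the failure
# mode described in the thread.
EXPECTED_COMPUTER_GROUPS = {"Domain Computers", "NT AUTHORITY\\Authenticated Users"}


@dataclass
class GpResult:
    computer_applied: list = field(default_factory=list)
    computer_groups: list = field(default_factory=list)
    user_applied: list = field(default_factory=list)
    user_groups: list = field(default_factory=list)


def parse_gpresult(text: str) -> GpResult:
    """Walk the report line by line; the scope (computer/user) and the list
    currently being filled are tracked as a tiny state machine."""
    result = GpResult()
    scope = None    # "computer" or "user"
    bucket = None   # list receiving the current section's entries, or None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "COMPUTER SETTINGS":
            scope, bucket = "computer", None
            continue
        if line == "USER SETTINGS":
            scope, bucket = "user", None
            continue
        if re.fullmatch(r"-{3,}", line):
            continue  # underline below a heading; the heading set the state
        if line == "Applied Group Policy Objects":
            bucket = result.computer_applied if scope == "computer" else result.user_applied
            continue
        if line.startswith("The computer is a part of the following security groups") or \
           line.startswith("The user is a part of the following security groups"):
            bucket = result.computer_groups if scope == "computer" else result.user_groups
            continue
        if line.startswith("The following GPOs were not applied"):
            bucket = None  # filtered GPOs are not collected here
            continue
        if bucket is not None:
            if line == "":
                bucket = None       # a blank line closes the list
            elif line.upper() != "N/A":
                bucket.append(line)  # gpresult prints N/A for an empty list
    return result


def diagnose_computer_token(res: GpResult) -> list:
    """Return human-readable findings; an empty list means the token is sane."""
    findings = []
    groups = set(res.computer_groups)
    if "NULL SID" in groups:
        findings.append("computer token contains NULL SID")
    missing = sorted(EXPECTED_COMPUTER_GROUPS - groups)
    if missing:
        findings.append("computer token is missing: " + ", ".join(missing))
    if not res.computer_applied:
        findings.append("no computer GPOs were applied")
    return findings


# Constructed sample: the working case, modelled on the gpresult output
# posted against MIT master + MR 1062 (trimmed to the relevant sections).
HEALTHY = r"""
COMPUTER SETTINGS
------------------
    CN=CMA,CN=Computers,DC=smb,DC=net
    Group Policy was applied from:      sdc.smb.net

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        CMA$
        Domain Computers
        System Mandatory Level

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=smb,DC=net

    Applied Group Policy Objects
    -----------------------------
        N/A

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        High Mandatory Level
"""

# Constructed sample: the failing case from the bug report (placeholder
# hostname/DN; group list as reported for the MIT-built DC).
BROKEN = r"""
COMPUTER SETTINGS
------------------
    CN=WIN10ENG,CN=Computers,DC=example,DC=test

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        NULL SID
        NETWORK
        This Organization
        Untrusted Mandatory Level
"""

if __name__ == "__main__":
    for name, report in (("healthy", HEALTHY), ("broken", BROKEN)):
        findings = diagnose_computer_token(parse_gpresult(report))
        print(name, "->", findings or "token looks sane")
```

On a real client, feed it `gpresult /r` output captured from an elevated prompt; the same parser can also be pointed at the USER SETTINGS lists when user-scope policies are the ones failing.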
(In reply to Martin Tessun from comment #15) Thanks for confirming. If you want to try samba master and krb5-mit master you'd also need to apply MR 1062 to get it working. I think the fix probably comes from recent changes upstream in MIT, but it may be some fix in samba; we'd need to clarify that.
It will probably take a while. Currently the KDC crashes after a few minutes with exit status 6; I need to figure out what went wrong. Anyway, I will update as soon as I have results.
(In reply to Martin Tessun from comment #17) Can you share the backtrace and the versions you tried? Thanks
Sorry, I needed to destroy the test environment. I will build a new one as soon as I have some spare time.
I have the same issue. Is there a clear idea of the effort needed to resolve the issue with using the MIT kerberos library?
Could this be similar to bug 14864?
Current Samba 4.17 built with current MIT Kerberos 5 1.20, when run as an AD DC and used for Windows 10 clients, seems to be serving GPOs to computers just fine. At least I haven't found any issues; it might be that I was just lucky enough not to face any.
Should be fixed with Samba 4.17 in combination with MIT Kerberos >= 1.20. For 1.20 we rewrote quite a big chunk of the KDB driver and fixed a lot of issues. I'm going to close it. Reopen if someone can reproduce it and give details. However I think it is fixed.