Bug 14667 - Linux-GPO not working with configuration in registry
Summary: Linux-GPO not working with configuration in registry
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.14.0rc4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-11 10:53 UTC by Stefan Kania
Modified: 2021-04-09 15:28 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Kania 2021-03-11 10:53:47 UTC
Testing Linux-GPO in different setups I found out:
Having the configuration in registry with "config backend = registry" is not working. The same with "include registry".  I saw the following error message:
----------
root@fs-01:/etc/samba# samba-gpupdate --force
Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 103, in <module>
    apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 436, in apply_gp
    dc_hostname = get_dc_hostname(creds, lp)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 359, in get_dc_hostname
    nbt.NBT_SERVER_DS))
samba.NTSTATUSError: (3221225524, 'The object name is not found.')
---------- 

It should be mentioned in the manpage, that GPO and registry is not working together. A better error message would be nice.
Comment 1 David Mulder 2021-03-16 16:04:35 UTC
It looks like it's just failing the first time the LoadParm is used. This makes me think the python LoadParm module doesn't work with a registry backend.
Comment 2 Roy Eastwood 2021-04-09 15:26:26 UTC
Not sure whether this is the same issue but application of GPO to Linux clients is also failing:

I am trying to test out the use of Group Policy for winbind clients as added in the latest samba version: 4.14.0    Following the
WiKi at https://wiki.samba.org/index.php/Group_Policy I have set up a client (running Debian Buster and Samba 4.14.0 from Louis'
repo) by adding the required line to the global section of smb.conf (apply group policies = yes).    The domain controllers have
also been updated to 4.14.0 and the samba admx file has been added to sysvol.   I have configured a setting for smb.conf using the
Group Policy Editor from Windows and the client machine has been added to an OU with the policy applied.   I have restarted smbd and
winbind on the client.   When I enter samba-gpupdate I get the following error:

root@moggy:~# samba-gpupdate
ERROR: talloc_free with references at ../../libgpo/pygpo.c:481
        reference at ../../pytalloc_util.c:164
        reference at ../../pytalloc_util.c:164
        reference at ../../pytalloc_util.c:164
Failed downloading gpt cache from 'pi-dc.microlynx.org' using SMB

If I provide the Administrator user and password the error changes to:
root@moggy:~# samba-gpupdate -Uadministrator
Password for [MICROLYNX\administrator]:
ERROR: talloc_free with references at ../../libgpo/pygpo.c:481
        reference at ../../pytalloc_util.c:164
        reference at ../../pytalloc_util.c:164
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or
directory

Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb':
No such file or directory
Failed to apply extension  <class 'samba.gp_sec_ext.gp_access_ext'>
Message was: Failed to load SamDB for assigning Group Policy

A reboot of the client did not improve matters.     I tried adding the line: 'allow group policies = yes' to the domain controllers'
smb.conf but that did not make any difference either.

Following the above changes the following logs repeatedly appear in syslog:
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.054799,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-4012640977-2272627666-3977488320-5102 -> getpwuid(15102) failed, is nsswitch configured?
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056451,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate: Traceback (most recent call last):
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056569,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:   File "/usr/sbin/samba-gpupdate", line 103, in <module>
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056599,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:     apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056625,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 437, in apply_gp
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056652,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:     gpos = get_gpo_list(dc_hostname, creds, lp)
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056677,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 370, in get_gpo_list
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056733,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:     gpos = ads.get_gpo_list(creds.get_username())
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056768,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'MOGGY$'(CN=MOGGY,OU=debian,DC=microlynx,DC=org): The specified account does not exist.

This is also happening with Samba Version 4.14.2.