Testing Linux-GPO in different setups I found out: Having the configuration in the registry with "config backend = registry" is not working. The same with "include registry". I saw the following error message:

----------
root@fs-01:/etc/samba# samba-gpupdate --force
Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 103, in <module>
    apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 436, in apply_gp
    dc_hostname = get_dc_hostname(creds, lp)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 359, in get_dc_hostname
    nbt.NBT_SERVER_DS))
samba.NTSTATUSError: (3221225524, 'The object name is not found.')
----------

It should be mentioned in the manpage that GPO and registry are not working together. A better error message would be nice.
It looks like it's just failing the first time the LoadParm is used. This makes me think the python LoadParm module doesn't work with a registry backend.
Not sure whether this is the same issue, but application of GPO to Linux clients is also failing:

I am trying to test out the use of Group Policy for winbind clients as added in the latest Samba version: 4.14.0

Following the Wiki at https://wiki.samba.org/index.php/Group_Policy I have set up a client (running Debian Buster and Samba 4.14.0 from Louis' repo) by adding the required line to the global section of smb.conf (apply group policies = yes). The domain controllers have also been updated to 4.14.0 and the samba admx file has been added to sysvol. I have configured a setting for smb.conf using the Group Policy Editor from Windows and the client machine has been added to an OU with the policy applied. I have restarted smbd and winbind on the client.

When I enter samba-gpupdate I get the following error:

root@moggy:~# samba-gpupdate
ERROR: talloc_free with references at ../../libgpo/pygpo.c:481
	reference at ../../pytalloc_util.c:164
	reference at ../../pytalloc_util.c:164
	reference at ../../pytalloc_util.c:164
Failed downloading gpt cache from 'pi-dc.microlynx.org' using SMB

If I provide the Administrator user and password the error changes to:

root@moggy:~# samba-gpupdate -Uadministrator
Password for [MICROLYNX\administrator]:
ERROR: talloc_free with references at ../../libgpo/pygpo.c:481
	reference at ../../pytalloc_util.c:164
	reference at ../../pytalloc_util.c:164
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or directory
Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to apply extension <class 'samba.gp_sec_ext.gp_access_ext'>
Message was: Failed to load SamDB for assigning Group Policy

A reboot of the client did not improve matters.
I tried adding the line 'allow group policies = yes' to the domain controllers' smb.conf but that did not make any difference either.

Following the above changes the following logs repeatedly appear in syslog:

Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.054799, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-4012640977-2272627666-3977488320-5102 -> getpwuid(15102) failed, is nsswitch configured?
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056451, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: Traceback (most recent call last):
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056569, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: File "/usr/sbin/samba-gpupdate", line 103, in <module>
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056599, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056625, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 437, in apply_gp
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056652, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: gpos = get_gpo_list(dc_hostname, creds, lp)
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056677, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 370, in get_gpo_list
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056733, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: gpos = ads.get_gpo_list(creds.get_username())
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056768, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'MOGGY$'(CN=MOGGY,OU=debian,DC=microlynx,DC=org): The specified account does not exist.

This is also happening with Samba Version 4.14.2.
I am not certain if this is the same issue or not, but here is some output from my samba-gpupdate --force -d10. I have eliminated most of it and just included the juicy end bits.

pm_process() returned Yes
lp_servicenumber: couldn't find homes
sitename_fetch: Returning sitename for realm 'INTERNAL.HOLDEN.COM': "Default-First-Site-Name"
internal_resolve_name: looking up internal01dc.internal.holden.com#20 (sitename Default-First-Site-Name)
namecache_fetch: name internal01dc.internal.holden.com#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.0.0.2 at port 445
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 1
	TCP_KEEPCNT = 9
	TCP_KEEPIDLE = 7200
	TCP_KEEPINTVL = 75
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 0
	SO_SNDBUF = 2626560
	SO_RCVBUF = 131072
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	TCP_QUICKACK = 1
	TCP_DEFER_ACCEPT = 0
	TCP_USER_TIMEOUT = 0
cli_session_creds_prepare_krb5: Doing kinit for administrator@INTERNAL.HOLDEN.COM to access internal01dc.internal.holden.com
kerberos_kinit_password_ext: as administrator@INTERNAL.HOLDEN.COM using [MEMORY:cliconnect] as ccache and config [(null)]
kerberos_kinit_password_ext: administrator@INTERNAL.HOLDEN.COM mapped to Administrator@INTERNAL.HOLDEN.COM
cli_session_creds_prepare_krb5: Successfully authenticated as administrator@INTERNAL.HOLDEN.COM (Administrator@INTERNAL.HOLDEN.COM) to access internal01dc.internal.holden.com using Kerberos
cli_session_setup_spnego_send: Connect to internal01dc.internal.holden.com as Administrator@INTERNAL.HOLDEN.COM using SPNEGO
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x273eb00]: subreq: 0x217f490
gensec_update_send: spnego[0x16e8f20]: subreq: 0x176b420
gensec_update_done: gse_krb5[0x273eb00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x217f490/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x217f640)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x16e8f20]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x176b420/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x176b5d0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The transport connection is now disconnected.
Failed downloading gpt cache from 'internal01dc.internal.holden.com' using SMB

Here is what I am seeing in journalctl -xe | grep Error

Jun 18 00:07:57 internal01dc winbindd[1394]: /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 01:53:44 internal01dc winbindd[1394]: /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 03:52:56 internal01dc winbindd[1394]: /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 05:47:02 internal01dc winbindd[1394]: /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 07:30:51 internal01dc winbindd[1394]: /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 09:16:14 internal01dc winbindd[1394]: /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 09:23:28 internal01dc fwupd[3972]: 16:23:28:0021 FuPluginUefi Error opening directory "/sys/firmware/efi/esrt/entries": No such file or directory
Jun 18 11:06:40 internal01dc winbindd[1394]: /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 12:18:47 internal01dc fwupd[5749]: 19:18:47:0906 FuPluginUefi Error opening directory "/sys/firmware/efi/esrt/entries": No such file or directory
Jun 18 12:39:38 internal01dc winbindd[1394]: /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.

This led me to check out Kerberos, but it all looked normal to me. Samba controls the krb process, and its config, so there shouldn't be a principal as it uses sam.tdb.:

journalctl -xe | grep krb
-- Subject: A start job for unit krb5-admin-server.service has finished successfully
-- A start job for unit krb5-admin-server.service has finished successfully.
-- Subject: A start job for unit krb5-kdc.service has begun execution
-- A start job for unit krb5-kdc.service has begun execution.
Jun 18 00:01:06 internal01dc krb5kdc[1114]: krb5kdc: cannot initialize realm INTERNAL.HOLDEN.COM - see log file for details
Jun 18 00:01:06 internal01dc kadmind[1113]: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory while initializing, aborting
Jun 18 00:01:06 internal01dc kadmind[1113]: kadmind: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory while initializing, aborting
Jun 18 00:01:06 internal01dc krb5kdc[1114]: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory - while initializing database for realm INTERNAL.HOLDEN.COM
Jun 18 00:01:06 internal01dc systemd[1]: krb5-admin-server.service: Main process exited, code=exited, status=1/FAILURE
-- An ExecStart= process belonging to unit krb5-admin-server.service has exited.
Jun 18 00:01:06 internal01dc systemd[1]: krb5-admin-server.service: Failed with result 'exit-code'.
-- The unit krb5-admin-server.service has entered the 'failed' state with result 'exit-code'.
Jun 18 00:01:06 internal01dc systemd[1]: krb5-kdc.service: Control process exited, code=exited, status=1/FAILURE
-- An ExecStart= process belonging to unit krb5-kdc.service has exited.
Jun 18 00:01:06 internal01dc systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
-- The unit krb5-kdc.service has entered the 'failed' state with result 'exit-code'.
-- Subject: A start job for unit krb5-kdc.service has failed
-- A start job for unit krb5-kdc.service has finished with a failure.
Jun 18 00:01:35 internal01dc sshd[1425]: pam_krb5(sshd:auth): user rholden authenticated as rholden@INTERNAL.HOLDEN.COM
Jun 18 00:01:45 internal01dc sudo[2019]: pam_krb5(sudo:auth): user rholden authenticated as rholden@INTERNAL.HOLDEN.COM
Jun 18 11:50:40 internal01dc sshd[4586]: pam_krb5(sshd:auth): authentication failure; logname=rholden uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.53
Jun 18 11:50:46 internal01dc sshd[4586]: pam_krb5(sshd:auth): authentication failure; logname=rholden uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.53
Jun 18 11:50:54 internal01dc sshd[4586]: pam_krb5(sshd:auth): user rholden authenticated as rholden@INTERNAL.HOLDEN.COM
Jun 18 11:51:10 internal01dc sudo[5185]: pam_krb5(sudo:auth): authentication failure; logname=rholden uid=1000 euid=0 tty=/dev/pts/0 ruser=rholden rhost=
Jun 18 11:51:25 internal01dc sudo[5185]: pam_krb5(sudo:auth): user rholden authenticated as rholden@INTERNAL.HOLDEN.COM

So the question remains: why isn't it finding an account for the DC? Here are

# cat krb5.conf
[libdefaults]
	default_realm = INTERNAL.HOLDEN.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true
[realms]
	INTERNAL.HOLDEN.COM = {
		default_domain = internal.holden.com
	}
[domain_realm]
	internal01dc = INTERNAL.HOLDEN.COM

# cat smb.conf
# Global parameters
[global]
	dns forwarder = 75.75.75.75
	netbios name = INTERNAL01DC
	realm = INTERNAL.HOLDEN.COM
	server role = active directory domain controller
	workgroup = INTERNAL
	apply group policies = Yes
	idmap_ldb:use rfc2307 = Yes
	bind interfaces only = Yes
	interfaces = 10.0.0.2
	dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
	browsable = No

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/internal.holden.com/scripts
	read only = No
	browsable = No

[profiles]
	path = /home/profiles
	read only = No
	browseable = No

NOTE: I use --use-samba-tool with samba_dnsupdate because it was recommended on a thread at the samba mail lists

# cat lmhosts
127.0.0.1 localhost
10.0.0.2 internal01dc
10.0.0.2 internal

# cat resolv.conf
search internal.holden.com
nameserver 10.0.0.2

Everything I have read says this server is set up right, which is why I am convinced it is a bug. Checking out the private folder for samba showed reg files. Then I found this bug. So I am really hoping that this bug is related to your issue and that this information will help you.
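Both reports above show the same thing from a monitoring point of view: winbindd runs samba-gpupdate in the background and relays its stderr to syslog one line at a time, so a host whose Group Policy has silently stopped applying only shows up as a wall of traceback lines. The following Python is an added example, not part of this bug report or of Samba: it classifies such relayed lines into the two failure kinds quoted in the thread (the machine-token RuntimeError and the getpwuid/nsswitch failure) and summarises them per host. The two message patterns are assumptions derived from the lines quoted here, and the sample input is constructed after them.

```python
import re
from collections import Counter

# syslog prefix, then winbindd relaying one stderr line of samba-gpupdate
RELAY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"winbindd\[\d+\]: (?P<cmd>\S*samba-gpupdate): (?P<msg>.*)$"
)
# Failure 1 (pattern assumed from the thread): machine account not in the SAM
TOKEN_RE = re.compile(
    r"RuntimeError: Failed to get machine token for "
    r"'(?P<account>[^']+)'\((?P<dn>[^)]+)\): (?P<reason>.+)$"
)
# Failure 2 (pattern assumed from the thread): SID found, NSS cannot map the uid
NSS_RE = re.compile(
    r"add_local_groups: SID (?P<sid>S-1-5-21(?:-\d+)+) -> "
    r"getpwuid\((?P<uid>\d+)\) failed"
)


def classify(msg):
    """Return (kind, details) for one relayed samba-gpupdate stderr line."""
    m = TOKEN_RE.search(msg)
    if m:
        return "machine_token_failure", m.groupdict()
    m = NSS_RE.search(msg)
    if m:
        return "nss_lookup_failure", m.groupdict()
    return None, {}  # traceback frames and the like carry nothing new


def triage(lines):
    """Return ({host: Counter(kind)}, [event dicts]) for a batch of log lines."""
    per_host, events = {}, []
    for line in lines:
        m = RELAY_RE.match(line)
        if not m:
            continue  # other daemons, or winbindd's own debug header lines
        kind, details = classify(m.group("msg"))
        if kind is None:
            continue
        host = m.group("host")
        per_host.setdefault(host, Counter())[kind] += 1
        events.append({"ts": m.group("ts"), "host": host, "kind": kind, **details})
    return per_host, events


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE = [
    "Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.054799, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)",
    "Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-4012640977-2272627666-3977488320-5102 -> getpwuid(15102) failed, is nsswitch configured?",
    "Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: Traceback (most recent call last):",
    "Mar 12 00:18:17 moggy winbindd[620]: /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'MOGGY$'(CN=MOGGY,OU=debian,DC=microlynx,DC=org): The specified account does not exist.",
    "Jun 18 09:23:28 internal01dc fwupd[3972]: 16:23:28:0021 FuPluginUefi Error opening directory",
]

if __name__ == "__main__":
    summary, found = triage(SAMPLE)
    print({h: dict(c) for h, c in summary.items()}, *found, sep="\n")
```

Feeding it `journalctl -u winbind -o short` output gives one counter per host, which is the signal to alert on; the per-event account and DN fields say which machine account the DC could not find.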
(In reply to Rowland from comment #3) Why is systemd trying to start krb5-kdc? It looks like you have compiled Samba yourself (/usr/local/samba/sbin/samba-gpupdate), so it shouldn't be started.
(In reply to Rowland Penny from comment #4) 100% correct. It was compiled myself. As far as why is it trying to start itself, I have no idea. Should I throw a mask on the service? If so, won't that stop Samba from starting it?
(In reply to Rowland from comment #5) How did you configure Samba? You shouldn't be using the MIT Kerberos server (krb5-kdc), you should be using the Heimdal Kerberos KDC built into Samba. So yes, mask (better still, remove) krb5-kdc unless you compiled Samba to use MIT, in which case compile Samba again, but this time without MIT. What OS is this?
(In reply to Rowland Penny from comment #6) I am using Ubuntu Server 20.04. I install all prerequisites as:

apt -y install \
	acl \
	apt-utils \
	attr \
	autoconf \
	bind9utils \
	binutils \
	bison \
	build-essential \
	ccache \
	chrpath \
	curl \
	debhelper \
	dnsutils \
	docbook-xml \
	docbook-xsl \
	flex \
	gcc \
	gdb \
	git \
	glusterfs-common \
	gzip \
	heimdal-multidev \
	hostname \
	htop \
	krb5-config \
	krb5-kdc \
	krb5-user \
	language-pack-en \
	lcov \
	libacl1-dev \
	libarchive-dev \
	libattr1-dev \
	libavahi-common-dev \
	libblkid-dev \
	libbsd-dev \
	libcap-dev \
	libcephfs-dev \
	libcups2-dev \
	libdbus-1-dev \
	libglib2.0-dev \
	libgnutls28-dev \
	libgpgme11-dev \
	libicu-dev \
	libjansson-dev \
	libjs-jquery \
	libjson-perl \
	libkrb5-dev \
	libpam-krb5 \
	libldap2-dev \
	liblmdb-dev \
	libncurses5-dev \
	libpam0g-dev \
	libparse-yapp-perl \
	libpcap-dev \
	libpopt-dev \
	libreadline-dev \
	libsystemd-dev \
	libtasn1-bin \
	libtasn1-dev \
	libtracker-sparql-2.0-dev \
	libunwind-dev \
	lmdb-utils \
	locales \
	lsb-release \
	make \
	mawk \
	mingw-w64 \
	patch \
	perl \
	perl-modules \
	pkg-config \
	procps \
	psmisc \
	python3 \
	python3-cryptography \
	python3-dbg \
	python3-dev \
	python3-dnspython \
	python3-gpg \
	python3-iso8601 \
	python3-markdown \
	python3-matplotlib \
	python3-pexpect \
	python3-pyasn1 \
	python3-setproctitle \
	rng-tools \
	rsync \
	sed \
	sudo \
	tar \
	tree \
	uuid-dev \
	wget \
	xfslibs-dev \
	xsltproc \
	zlib1g-dev

Most of the above was from the Samba website https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba under the Debian/Ubuntu section. However, when running make I found that not all were included, so that list includes some that were missing. I ran that in interactive mode because I knew Kerberos would want information during the install. After the install I followed this to provision an AD DC: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Installing_Samba

I then read a bunch of the wiki and other materials to set up the shares and time sync. I am now just trying to kill errors that pop up in the log. The server itself seems to work fine. I get to the shares, and log in fine. I add computers fine. The GPOs even seem to populate to the clients, as my computer I have joined has the warning message that I set in GP.
(In reply to Rowland Penny from comment #6) Also, I do not believe I am using MIT Kerberos. If I am, I am going to be upset with myself. It was not my intention.
(In reply to Rowland Penny from comment #6) smbd -b | grep HAVE_LIBKADM5SRV_MIT reveals no output. So Samba wasn't built with MIT Kerberos. I will remove the krb5 install files in the prerequisite listing and reboot.
(In reply to Rowland from comment #9) My issue is resolved. Thanks to Rowland (we have the same name; that doesn't happen a lot). So a lesson to be learned here: don't just blindly install program dependencies, know what they do and what the program has built in. In my case I had two KDC servers running, and like siblings they were having issues with each other. The other issue I had was a dynamic DNS record for an IPv6 address got put in my DNS server for the DC. I have since removed the record and turned off IPv6 for the machine. Thanks Rowland for pointing out that I actually had MIT KDC running when it shouldn't have been. I have removed it from my dependency install script. All seems to be happy now. No errors in logs. :) Sorry this issue was not related to this bug.
(In reply to Rowland from comment #10) Glad you got it fixed. Can I suggest that you ask on the samba mailing list before adding to an existing bug or creating a new bug report.