Bug 14667 - Linux-GPO not working with configuration in registry
Summary: Linux-GPO not working with configuration in registry
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.14.0rc4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2021-03-11 10:53 UTC by Stefan Kania
Modified: 2021-06-20 08:19 UTC
Description Stefan Kania 2021-03-11 10:53:47 UTC
Testing Linux-GPO in different setups I found out:
Having the configuration in the registry with "config backend = registry" does not work. The same applies to "include registry". I saw the following error message:
----------
root@fs-01:/etc/samba# samba-gpupdate --force
Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 103, in <module>
    apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 436, in apply_gp
    dc_hostname = get_dc_hostname(creds, lp)
  File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 359, in get_dc_hostname
    nbt.NBT_SERVER_DS))
samba.NTSTATUSError: (3221225524, 'The object name is not found.')
---------- 

It should be mentioned in the manpage that GPO and registry do not work together. A better error message would be nice.
Comment 1 David Mulder 2021-03-16 16:04:35 UTC
It looks like it's just failing the first time the LoadParm is used. This makes me think the python LoadParm module doesn't work with a registry backend.
Comment 2 Roy Eastwood (dead mail address) 2021-04-09 15:26:26 UTC
Not sure whether this is the same issue but application of GPO to Linux clients is also failing:

I am trying to test out the use of Group Policy for winbind clients as added in the latest Samba version, 4.14.0. Following the Wiki at https://wiki.samba.org/index.php/Group_Policy I have set up a client (running Debian Buster and Samba 4.14.0 from Louis' repo) by adding the required line to the global section of smb.conf (apply group policies = yes). The domain controllers have also been updated to 4.14.0 and the samba admx file has been added to sysvol. I have configured a setting for smb.conf using the Group Policy Editor from Windows and the client machine has been added to an OU with the policy applied. I have restarted smbd and winbind on the client. When I enter samba-gpupdate I get the following error:

root@moggy:~# samba-gpupdate
ERROR: talloc_free with references at ../../libgpo/pygpo.c:481
        reference at ../../pytalloc_util.c:164
        reference at ../../pytalloc_util.c:164
        reference at ../../pytalloc_util.c:164
Failed downloading gpt cache from 'pi-dc.microlynx.org' using SMB

If I provide the Administrator user and password the error changes to:
root@moggy:~# samba-gpupdate -Uadministrator
Password for [MICROLYNX\administrator]:
ERROR: talloc_free with references at ../../libgpo/pygpo.c:481
        reference at ../../pytalloc_util.c:164
        reference at ../../pytalloc_util.c:164
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or
directory

Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb':
No such file or directory
Failed to apply extension  <class 'samba.gp_sec_ext.gp_access_ext'>
Message was: Failed to load SamDB for assigning Group Policy

A reboot of the client did not improve matters. I tried adding the line 'allow group policies = yes' to the domain controllers' smb.conf but that did not make any difference either.

Following the above changes the following logs repeatedly appear in syslog:
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.054799,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-4012640977-2272627666-3977488320-5102 -> getpwuid(15102) failed, is nsswitch configured?
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056451,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate: Traceback (most recent call last):
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056569,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:   File "/usr/sbin/samba-gpupdate", line 103, in <module>
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056599,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:     apply_gp(lp, creds, logger, store, gp_extensions, opts.force)
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056625,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 437, in apply_gp
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056652,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:     gpos = get_gpo_list(dc_hostname, creds, lp)
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056677,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:   File "/usr/lib/python3/dist-packages/samba/gpclass.py", line 370, in get_gpo_list
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056733,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate:     gpos = ads.get_gpo_list(creds.get_username())
Mar 12 00:18:17 moggy winbindd[620]: [2021/03/12 00:18:17.056768,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Mar 12 00:18:17 moggy winbindd[620]:   /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'MOGGY$'(CN=MOGGY,OU=debian,DC=microlynx,DC=org): The specified account does not exist.

This is also happening with Samba Version 4.14.2.
Comment 3 Rowland 2021-06-18 20:26:07 UTC
I am not certain if this is the same issue or not, but here is some output from my samba-gpupdate --force -d10. I have eliminated most of it and just included the juicy end bits.

pm_process() returned Yes
lp_servicenumber: couldn't find homes
sitename_fetch: Returning sitename for realm 'INTERNAL.HOLDEN.COM': "Default-First-Site-Name"
internal_resolve_name: looking up internal01dc.internal.holden.com#20 (sitename Default-First-Site-Name)
namecache_fetch: name internal01dc.internal.holden.com#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.0.0.2 at port 445
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 1
	TCP_KEEPCNT = 9
	TCP_KEEPIDLE = 7200
	TCP_KEEPINTVL = 75
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 0
	SO_SNDBUF = 2626560
	SO_RCVBUF = 131072
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	TCP_QUICKACK = 1
	TCP_DEFER_ACCEPT = 0
	TCP_USER_TIMEOUT = 0
cli_session_creds_prepare_krb5: Doing kinit for administrator@INTERNAL.HOLDEN.COM to access internal01dc.internal.holden.com
kerberos_kinit_password_ext: as administrator@INTERNAL.HOLDEN.COM using [MEMORY:cliconnect] as ccache and config [(null)]
kerberos_kinit_password_ext: administrator@INTERNAL.HOLDEN.COM mapped to Administrator@INTERNAL.HOLDEN.COM
cli_session_creds_prepare_krb5: Successfully authenticated as administrator@INTERNAL.HOLDEN.COM (Administrator@INTERNAL.HOLDEN.COM) to access internal01dc.internal.holden.com using Kerberos
cli_session_setup_spnego_send: Connect to internal01dc.internal.holden.com as Administrator@INTERNAL.HOLDEN.COM using SPNEGO
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x273eb00]: subreq: 0x217f490
gensec_update_send: spnego[0x16e8f20]: subreq: 0x176b420
gensec_update_done: gse_krb5[0x273eb00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x217f490/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x217f640)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x16e8f20]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x176b420/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x176b5d0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The transport connection is now disconnected.
Failed downloading gpt cache from 'internal01dc.internal.holden.com' using SMB

Here is what I am seeing in journalctl -xe | grep Error

Jun 18 00:07:57 internal01dc winbindd[1394]:   /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 01:53:44 internal01dc winbindd[1394]:   /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 03:52:56 internal01dc winbindd[1394]:   /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 05:47:02 internal01dc winbindd[1394]:   /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 07:30:51 internal01dc winbindd[1394]:   /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 09:16:14 internal01dc winbindd[1394]:   /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 09:23:28 internal01dc fwupd[3972]: 16:23:28:0021 FuPluginUefi         Error opening directory “/sys/firmware/efi/esrt/entries”: No such file or directory
Jun 18 11:06:40 internal01dc winbindd[1394]:   /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.
Jun 18 12:18:47 internal01dc fwupd[5749]: 19:18:47:0906 FuPluginUefi         Error opening directory “/sys/firmware/efi/esrt/entries”: No such file or directory
Jun 18 12:39:38 internal01dc winbindd[1394]:   /usr/local/samba/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'INTERNAL01DC$'(CN=INTERNAL01DC,OU=Domain Controllers,DC=internal,DC=holden,DC=com): The specified account does not exist.

This led me to check out Kerberos, but it all looked normal to me. Samba controls the krb process and its config, so there shouldn't be a principal as it uses sam.tdb: journalctl -xe | grep krb

-- Subject: A start job for unit krb5-admin-server.service has finished successfully
-- A start job for unit krb5-admin-server.service has finished successfully.
-- Subject: A start job for unit krb5-kdc.service has begun execution
-- A start job for unit krb5-kdc.service has begun execution.
Jun 18 00:01:06 internal01dc krb5kdc[1114]: krb5kdc: cannot initialize realm INTERNAL.HOLDEN.COM - see log file for details
Jun 18 00:01:06 internal01dc kadmind[1113]: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory while initializing, aborting
Jun 18 00:01:06 internal01dc kadmind[1113]: kadmind: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory while initializing, aborting
Jun 18 00:01:06 internal01dc krb5kdc[1114]: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory - while initializing database for realm INTERNAL.HOLDEN.COM
Jun 18 00:01:06 internal01dc systemd[1]: krb5-admin-server.service: Main process exited, code=exited, status=1/FAILURE
-- An ExecStart= process belonging to unit krb5-admin-server.service has exited.
Jun 18 00:01:06 internal01dc systemd[1]: krb5-admin-server.service: Failed with result 'exit-code'.
-- The unit krb5-admin-server.service has entered the 'failed' state with result 'exit-code'.
Jun 18 00:01:06 internal01dc systemd[1]: krb5-kdc.service: Control process exited, code=exited, status=1/FAILURE
-- An ExecStart= process belonging to unit krb5-kdc.service has exited.
Jun 18 00:01:06 internal01dc systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
-- The unit krb5-kdc.service has entered the 'failed' state with result 'exit-code'.
-- Subject: A start job for unit krb5-kdc.service has failed
-- A start job for unit krb5-kdc.service has finished with a failure.
Jun 18 00:01:35 internal01dc sshd[1425]: pam_krb5(sshd:auth): user rholden authenticated as rholden@INTERNAL.HOLDEN.COM
Jun 18 00:01:45 internal01dc sudo[2019]: pam_krb5(sudo:auth): user rholden authenticated as rholden@INTERNAL.HOLDEN.COM
Jun 18 11:50:40 internal01dc sshd[4586]: pam_krb5(sshd:auth): authentication failure; logname=rholden uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.53
Jun 18 11:50:46 internal01dc sshd[4586]: pam_krb5(sshd:auth): authentication failure; logname=rholden uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.53
Jun 18 11:50:54 internal01dc sshd[4586]: pam_krb5(sshd:auth): user rholden authenticated as rholden@INTERNAL.HOLDEN.COM
Jun 18 11:51:10 internal01dc sudo[5185]: pam_krb5(sudo:auth): authentication failure; logname=rholden uid=1000 euid=0 tty=/dev/pts/0 ruser=rholden rhost=
Jun 18 11:51:25 internal01dc sudo[5185]: pam_krb5(sudo:auth): user rholden authenticated as rholden@INTERNAL.HOLDEN.COM

So the question remains: why isn't it finding an account for the DC? Here are

# cat krb5.conf
[libdefaults]
        default_realm = INTERNAL.HOLDEN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
INTERNAL.HOLDEN.COM = {
        default_domain = internal.holden.com
}

[domain_realm]
        internal01dc = INTERNAL.HOLDEN.COM


# cat smb.conf
# Global parameters
[global]
        dns forwarder = 75.75.75.75
        netbios name = INTERNAL01DC
        realm = INTERNAL.HOLDEN.COM
        server role = active directory domain controller
        workgroup = INTERNAL
        apply group policies = Yes
        idmap_ldb:use rfc2307 = Yes
        bind interfaces only = Yes
        interfaces = 10.0.0.2
        dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        browsable = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/internal.holden.com/scripts
        read only = No
        browsable = No

[profiles]
        path = /home/profiles
        read only = No
        browseable = No


NOTE: I use --use-samba-tool with samba_dnsupdate because it was recommended on a thread on the Samba mailing lists

# cat lmhosts
127.0.0.1       localhost
10.0.0.2        internal01dc
10.0.0.2        internal


# cat resolv.conf
search internal.holden.com
nameserver 10.0.0.2

Everything I have read says this server is set up right, which is why I am convinced it is a bug. Checking out the private folder for Samba showed reg files. Then I found this bug. So I am really hoping that this bug is related to your issue and that this information will help you.
Comment 4 Rowland Penny 2021-06-18 21:08:45 UTC
(In reply to Rowland from comment #3)

Why is systemd trying to start krb5-kdc? It looks like you have compiled Samba yourself (/usr/local/samba/sbin/samba-gpupdate), so it shouldn't be started.
Comment 5 Rowland 2021-06-18 21:10:24 UTC
(In reply to Rowland Penny from comment #4)
100% correct, I compiled it myself. As for why it is trying to start itself, I have no idea. Should I throw a mask on the service? If so, won't that stop Samba from starting it?
Comment 6 Rowland Penny 2021-06-18 21:18:04 UTC
(In reply to Rowland from comment #5)

How did you configure Samba?
You shouldn't be using the MIT Kerberos server (krb5-kdc); you should be using the Heimdal Kerberos KDC built into Samba.
So yes, mask (better still, remove) krb5-kdc unless you compiled Samba to use MIT, in which case compile Samba again, but this time without MIT.
What OS is this?
Comment 7 Rowland 2021-06-18 21:30:39 UTC
(In reply to Rowland Penny from comment #6)
I am using Ubuntu Server 20.04. I installed all prerequisites as:

apt -y install \
    acl \
    apt-utils \
    attr \
    autoconf \
    bind9utils \
    binutils \
    bison \
    build-essential \
    ccache \
    chrpath \
    curl \
    debhelper \
    dnsutils \
    docbook-xml \
    docbook-xsl \
    flex \
    gcc \
    gdb \
    git \
    glusterfs-common \
    gzip \
    heimdal-multidev \
    hostname \
    htop \
    krb5-config \
    krb5-kdc \
    krb5-user \
    language-pack-en \
    lcov \
    libacl1-dev \
    libarchive-dev \
    libattr1-dev \
    libavahi-common-dev \
    libblkid-dev \
    libbsd-dev \
    libcap-dev \
    libcephfs-dev \
    libcups2-dev \
    libdbus-1-dev \
    libglib2.0-dev \
    libgnutls28-dev \
    libgpgme11-dev \
    libicu-dev \
    libjansson-dev \
    libjs-jquery \
    libjson-perl \
    libkrb5-dev \
    libpam-krb5 \
    libldap2-dev \
    liblmdb-dev \
    libncurses5-dev \
    libpam0g-dev \
    libparse-yapp-perl \
    libpcap-dev \
    libpopt-dev \
    libreadline-dev \
    libsystemd-dev \
    libtasn1-bin \
    libtasn1-dev \
    libtracker-sparql-2.0-dev \
    libunwind-dev \
    lmdb-utils \
    locales \
    lsb-release \
    make \
    mawk \
    mingw-w64 \
    patch \
    perl \
    perl-modules \
    pkg-config \
    procps \
    psmisc \
    python3 \
    python3-cryptography \
    python3-dbg \
    python3-dev \
    python3-dnspython \
    python3-gpg \
    python3-iso8601 \
    python3-markdown \
    python3-matplotlib \
    python3-pexpect \
    python3-pyasn1 \
    python3-setproctitle \
    rng-tools \
    rsync \
    sed \
    sudo \
    tar \
    tree \
    uuid-dev \
    wget \
    xfslibs-dev \
    xsltproc \
    zlib1g-dev

Most of the above was from the Samba website https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba under the Debian/Ubuntu section. However, when running make I found that not all were included, so that list includes some that were missing.

I ran that in interactive mode because I knew Kerberos would want information during the install.

After the install I followed this to provision an AD DC:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Installing_Samba

I then read a bunch of the wiki and other materials to set up the shares and time sync. 

I am now just trying to kill errors that pop up in the log. The server itself seems to work fine. I get to the shares and log in fine. I add computers fine. The GPOs even seem to populate to the clients, as the computer I have joined has the warning message that I set in GP.
Comment 8 Rowland 2021-06-18 21:31:51 UTC
(In reply to Rowland Penny from comment #6)
Also, I do not believe I am using MIT Kerberos. If I am, I am going to be upset with myself. It was not my intention.
Comment 9 Rowland 2021-06-18 21:37:55 UTC
(In reply to Rowland Penny from comment #6)
smbd -b | grep HAVE_LIBKADM5SRV_MIT reveals no output, so Samba wasn't built with MIT Kerberos. I will remove the krb5 install files from the prereq listing and reboot.
Comment 10 Rowland 2021-06-19 03:32:05 UTC
(In reply to Rowland from comment #9)
My issue is resolved. Thanks to Rowland (we have the same name; that doesn't happen a lot). So a lesson to be learned here: don't just blindly install program dependencies; know what they do and what the program has built in. In my case I had two KDC servers running, and like siblings they were having issues with each other.

The other issue I had was that a dynamic DNS record for an IPv6 address got put in my DNS server for the DC. I have since removed the record and turned off IPv6 for the machine.

Thanks Rowland for pointing out that I actually had MIT KDC running when it shouldn't have been. I have removed it from my dependency install script. 

All seems to be happy now. No errors in logs. :)

Sorry this issue was not related to this bug.
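A pre-flight check for the two pitfalls in this thread, written as an added example (not Samba code and not posted by anyone here): the registry config backend combined with "apply group policies" from the description and comment 1, and a Heimdal-built DC running next to the distro's MIT krb5-kdc from comments 6 to 10. The smb.conf text, the `smbd -b` output and the active systemd unit names are constructed samples; on a real host you would read them from /etc/samba/smb.conf, `smbd -b` and `systemctl list-units` respectively.

```python
import re

# Constructed sample inputs standing in for /etc/samba/smb.conf, the output of
# `smbd -b`, and the first column of `systemctl list-units --type=service
# --state=active --plain --no-legend` (assumed collection commands, not run here).
SMB_CONF_REGISTRY = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    apply group policies = yes
    config backend = registry
"""
SMB_CONF_DC = """
[global]
    netbios name = DC1
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    workgroup = EXAMPLE
    apply group policies = Yes
"""
BUILD_OPTS_HEIMDAL = "Build options:\n   HAVE_KRB5\n   HAVE_ADS\n"  # no MIT KDC symbol
UNITS_MIT_KDC = ["samba-ad-dc.service", "krb5-kdc.service", "krb5-admin-server.service"]
EXTERNAL_KDC_UNITS = ("krb5-kdc.service", "krb5-admin-server.service")

def parse_smb_conf(text):
    """Return {section: {key: value}} for smb.conf-style text.
    Keys are lower-cased and whitespace-normalised, as Samba matches them;
    '#' and ';' comment lines are skipped; a repeated key keeps the last value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def gpo_preflight(smb_conf_text, build_opts_text, active_units):
    """Return a list of findings; an empty list means neither pitfall applies."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    findings = []
    gpo_on = g.get("apply group policies", "no").lower() in ("yes", "true", "1")
    # Pitfall 1: registry-backed configuration plus Linux GPO (bug 14667).
    registry = (g.get("config backend", "").lower() == "registry"
                or g.get("include", "").lower() == "registry")
    if gpo_on and registry:
        findings.append("registry config with 'apply group policies = yes': "
                        "samba-gpupdate fails as described in bug 14667")
    # Pitfall 2: a Heimdal-built DC (no HAVE_LIBKADM5SRV_MIT in `smbd -b`, the
    # same check as in the thread) with the distro MIT KDC units also running.
    is_dc = "domain controller" in g.get("server role", "").lower()
    mit_build = re.search(r"\bHAVE_LIBKADM5SRV_MIT\b", build_opts_text) is not None
    external = [u for u in active_units if u in EXTERNAL_KDC_UNITS]
    if is_dc and not mit_build and external:
        findings.append("Heimdal-built DC with external MIT KDC units active: "
                        + ", ".join(external))
    return findings
```

The MIT-built case (HAVE_LIBKADM5SRV_MIT present) is deliberately not judged, since the thread only establishes the Heimdal build as the conflicting one.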
Comment 11 Rowland Penny 2021-06-20 08:19:29 UTC
(In reply to Rowland from comment #10)
Glad you got it fixed.

Can I suggest that you ask on the Samba mailing list before adding to an existing bug or creating a new bug report?