[Samba] Samba 4.2.14 Group Policy (GPO) sync error
r***@bluemail.ch
2016-08-03 11:41:28 UTC
Hello,

I think I really need some help on this.

Since the Samba 4.2.11 upgrade my Windows 10 clients are unable to synchronize group
policies. I have asked about this already here
<https://lists.samba.org/archive/samba/2016-April/199226.html>. Now I am
re-investigating the issue with the Windows 10 1607 update and still face the same
issue, which prevents me from rolling out this configuration in production.

My Setup:
- Samba 4.2.14 in active directory domain controller role
- BIND_DLZ DNS backend
- Windows 10 Pro 1607 clients


I am successfully able to join the clients to the Samba AD domain but they fail
to synchronize group policies and therefore fail to apply logon/logoff scripts
as well as important system settings.

Executing 'gpupdate' on the command line yields the following output:
----
The processing of Group Policy failed. Windows could not resolve the computer
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were
encountered:

The processing of Group Policy failed. Windows could not resolve the user name.
This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
----


On the Samba side, with log level 10, I get the following errors:
----
[2016/08/03 13:12:41.571366, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:41.571495, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED
----


I am specifically worried about the "unknown mech-code" error, which might
indicate some issues regarding Kerberos crypto. I am running Samba on Gentoo
along with Heimdal 1.5.3-r2.


Does anybody have a clue where to look for a configuration mistake, or whether I
should report this as a bug?
I am especially concerned because this error did not occur in Samba 4.2.9 (the last
version before the Badlock security update).

Any help or hint would be highly appreciated!


When running gpupdate the following block of messages is repeated multiple
times in the Samba logs:
[2016/08/03 13:12:39.715332, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2016/08/03 13:12:39.716203, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC mechanism spnego
[2016/08/03 13:12:39.716472, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC submechanism gssapi_krb5
[2016/08/03 13:12:39.718868, 5]
../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
gensec_gssapi: NO credentials were delegated
[2016/08/03 13:12:39.718993, 5]
../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
GSSAPI Connection will be cryptographically sealed
[2016/08/03 13:12:39.728127, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:39.728261, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED
[2016/08/03 13:12:39.729278, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/08/03 13:12:39.729352, 5]
../source4/lib/messaging/messaging.c:550(imessaging_cleanup)
imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.16428.49
[2016/08/03 13:12:39.729499, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]




Here are my compiled parameters as printed by testparm:

# Global parameters
[global]
workgroup = MYDOM
realm = ad.mydom.local
netbios aliases = SOFTWARE
server string = Server
interfaces = 127.0.0.1/8 10.0.1.6/24 fdea:5b48:d4c1:1:1::6/64
bind interfaces only = Yes
server role = active directory domain controller
passdb backend = samba_dsdb
log file = /var/log/samba/smb.%M
max log size = 500
time server = Yes
deadtime = 2
logon script = KIX32.exe logon.kix
logon path = \\%N\profile\.winprofile
logon drive = N:
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
acl:search = no
idmap config * : backend = tdb
veto files = /*.k/*.encoderpass/*.locky/*.ecc/*.ezz/*.exx/*.zzz/*.xyz/*.aaa/*.abc/*.ccc/*.vvv/*.xxx/*.ttt/*.micro/*.encrypted/*.locked/*.crypto/_crypt/*.crinf/*.r5a/*.xrtn/*.XTBL/*.crypt/*.R16M01D05/*.pzdc/*.good/*.LOL!/*.OMG!/*.RDM/*.RRK/*.encryptedRSA/*.crjoker/*.EnCiPhErEd/*.LeChiffre/****@inbox_com/*.0x0/*.bleep/*.1999/*.vault/*.HA3/*.toxcrypt/*.magic/*.SUPERCRYPT/*.CTBL/*.CTB2/*.locky/HELPDECRYPT.TXT/HELP_YOUR_FILES.TXT/HELP_TO_DECRYPT_YOUR_FILES.txt/RECOVERY_KEY.txt/HELP_RESTORE_FILES.txt/HELP_RECOVER_FILES.txt/HELP_TO_SAVE_FILES.txt/DecryptAllFiles.txt/DECRYPT_INSTRUCTIONS.TXT/INSTRUCCIONES_DESCIFRADO.TXT/How_To_Recover_Files.txt/YOUR_FILES.HTML/YOUR_FILES.url/encryptor_raas_readme_liesmich.txt/Help_Decrypt.txt/DECRYPT_INSTRUCTION.TXT/HOW_TO_DECRYPT_FILES.TXT/ReadDecryptFilesHere.txt/Coin.Locker.txt/_secret_code.txt/About_Files.txt/Read.txt/DECRYPT_ReadMe.TXT/DecryptAllFiles.txt/FILESAREGONE.TXT/IAMREADYTOPAY.TXT/HELLOTHERE.TXT/READTHISNOW!!!.TXT/SECRETIDHERE.KEY/IHAVEYOURSECRET.KEY/SECRET.KEY/HELPDECYPRT_YOUR_FILES.HTML/help_decrypt_your_files.html/HELP_TO_SAVE_FILES.txt/RECOVERY_FILES.txt/RECOVERY_FILE.TXT/RECOVERY_FILE*.txt/HowtoRESTORE_FILES.txt/HowtoRestore_FILES.txt/howto_recover_file.txt/restorefiles.txt/howrecover+*.txt/_how_recover.txt/recoveryfile*.txt/recoverfile*.txt/recoveryfile*.txt/Howto_Restore_FILES.TXT/help_recover_instructions+*.txt/_Locky_recover_instructions.txt/
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr



Many thanks
Rainer
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
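The repeated block above is hard to read by eye because Samba splits every record over several lines. Here is an added example, not code from the thread or from Samba, that groups the log lines into records and pulls out the gssapi_unseal_packet failure together with the connection teardown that follows it; SAMPLE_LOG is the block quoted above (its first eight records), embedded as sample input.

```python
"""Group Samba's multi-line log records and pull out the GSSAPI unseal failure.

Added example, not code from the thread or from Samba. SAMPLE_LOG is the block
of log lines quoted in the post above, embedded here as sample input.
"""
import re
from dataclasses import dataclass

# A record starts with "[YYYY/MM/DD HH:MM:SS.micro, level]"; the source location
# "../file.c:LINE(function)" and the message follow, usually on their own lines.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION_RE = re.compile(r"^(\S+\.c:\d+)\((\w+)\)\s*(.*)$")
UNSEAL_RE = re.compile(
    r"gssapi_unseal_packet\((?P<args>[^)]*)\)\s+failed:\s*(?P<status>NT_STATUS_\w+)")

SAMPLE_LOG = """\
[2016/08/03 13:12:39.715332, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2016/08/03 13:12:39.716203, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC mechanism spnego
[2016/08/03 13:12:39.716472, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC submechanism gssapi_krb5
[2016/08/03 13:12:39.718868, 5]
../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
gensec_gssapi: NO credentials were delegated
[2016/08/03 13:12:39.718993, 5]
../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
GSSAPI Connection will be cryptographically sealed
[2016/08/03 13:12:39.728127, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 13:12:39.728261, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED
[2016/08/03 13:12:39.729278, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
"""


@dataclass
class Record:
    timestamp: str
    level: int
    location: str = ""  # e.g. ../auth/kerberos/gssapi_helper.c:291
    function: str = ""  # e.g. gssapi_unseal_packet
    message: str = ""   # continuation lines joined with single spaces


def _absorb(rec, line):
    """Attach one non-header line to the current record."""
    if not rec.function:
        m = LOCATION_RE.match(line)
        if m:
            rec.location, rec.function, line = m.group(1), m.group(2), m.group(3)
            if not line:
                return
    rec.message = (rec.message + " " + line) if rec.message else line


def parse_samba_log(text):
    """Split raw log text into Records, one per "[timestamp, level]" header."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Record(timestamp=m.group(1), level=int(m.group(2)))
            records.append(current)
            if m.group(3):
                _absorb(current, m.group(3))
        elif current is not None:
            _absorb(current, line)
    return records


def unseal_failures(records):
    """Return each failed gensec_gssapi_unseal_packet with its parameters, NT status
    and the reason of the first connection teardown logged after it (None if none)."""
    found = []
    for i, rec in enumerate(records):
        m = UNSEAL_RE.search(rec.message)
        if not m:
            continue
        args = dict(kv.split("=", 1) for kv in m.group("args").split(","))
        teardown = next((r.message for r in records[i + 1:]
                         if r.function == "stream_terminate_connection"), None)
        found.append({"timestamp": rec.timestamp, "status": m.group("status"),
                      "args": args, "teardown": teardown})
    return found
```

Run over a full log, the returned list makes it easy to see whether every sealed RPC connection is torn down right after an unseal failure, or only some of them.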
L.P.H. van Belle
2016-08-03 12:12:33 UTC
The server expects TLS but you didn't set TLS.

Read :
https://www.samba.org/samba/history/samba-4.2.10.html

Basically it's now: Default: ldap server require strong auth = yes

You can try to add: ldap server require strong auth = no
But I do advise to set up the TLS parameters and make everything more secure.

Please read these links, MS changed some things in GPO also.

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

short version:
Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.


And last, make sure you updated to the last policy set.
https://www.niallbrady.com/2016/02/03/how-can-i-add-new-windows-10-admx-files-to-the-group-policy-central-store-and-then-deploy-them/

To update the policy set, you can also copy the local group policy folder on the Windows 10 PC to the server.


Greetz.

Louis
r***@bluemail.ch
2016-08-03 13:19:03 UTC
Hi Louis,

Many many thanks for your very quick and comprehensive reply.
I also found this thread here
<https://lists.samba.org/archive/samba/2016-July/201471.html>

Unfortunately none of the suggestions seem to entirely resolve the issue.

As a first work-around I have inserted
ldap server require strong auth = no
to my smb.conf and re-started Samba.

Unfortunately this didn't change anything. I am still getting the same errors
from gpupdate.exe (with the same errors logged to event log) claiming name
resolution failure while samba logs report:

[2016/08/03 15:17:45.609250, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 15:17:45.609387, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED


I am not fully sure about the MS changes though. My GPOs all list "Authenticated
Users" in the "Security Filtering" section of the Scope tab. I am unsure where to
insert the "Authenticated Users" group in the GPO with read permissions. Does it
mean I should add "Authenticated Users" in the Delegation tab? If yes, then all
my GPOs already have this entry in the Delegation tab:
- Authenticated Users, Read (from Security Filtering)

I also tried inserting Domain Computers with Read permissions to the Delegation
tab. No change in the result though.

I also tried to remove the "Authenticated Users" entry from Security Filtering,
with and without adding it to the Delegation tab, to no avail. It still complains
about name resolution failure on the domain controller.





I also added the admx templates successfully to sysvol but this did not fix the
GPO processing issue (as expected).


In addition, samba-tool ntacl sysvolcheck also returns the same error as
indicated in the thread above:

# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/ad.cyberdyne.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Though according to
<https://lists.samba.org/archive/samba/2016-July/201448.html> this might be a
samba-tool issue.

Though I don't think it's related to the error, as it looks like it's somehow not
about permissions or issues at the sysvol share level but rather about crypto/signature
issues.





Moreover I tried a bit more GPO debugging as instructed here:
<https://lists.samba.org/archive/samba/2016-August/201762.html>

Perhaps the following log line points out an error:
GPSVC(3a8.b94) 15:07:34:198 ProcessGPOs(Machine): MyGetUserName failed with 5.

The full log can be found here:
<http://pastebin.com/vgbhx0cm>



Many thanks again.
Rainer
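The two security descriptors in that sysvolcheck error are almost identical; they differ only in the owner (O:LA versus O:DA), which is easy to miss in a 200-character SDDL string. Here is an added example, not samba-tool's own code, that parses both descriptors and reports exactly what differs; ACTUAL and EXPECTED are the two strings quoted in the error above, embedded as sample input.

```python
"""Explain a 'samba-tool ntacl sysvolcheck' mismatch by diffing two SDDL descriptors.

Added example, not samba-tool's own code. ACTUAL and EXPECTED are the two SDDL
strings from the sysvolcheck error quoted above, embedded here as sample input.
"""
import re
from collections import Counter

SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")

# Well-known SDDL trustee aliases that appear in the descriptors above.
ALIASES = {
    "LA": "Local Administrator account", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}
# Access masks seen in these ACEs (file/directory rights).
MASKS = {"0x001f01ff": "full control", "0x001200a9": "read and execute"}

ACTUAL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")


def describe(sid):
    """Render an SDDL trustee alias with its meaning, e.g. 'DA (Domain Admins)'."""
    return "%s (%s)" % (sid, ALIASES.get(sid, "unknown alias"))


def parse_sddl(sddl):
    """Split 'O:..G:..D:..' into owner, group, DACL control flags and a list of ACEs.
    Each ACE is the tuple (type, flags, mask, object, inherited_object, trustee)."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: security descriptor: %r" % sddl)
    dacl = m.group("dacl")
    cut = dacl.find("(")
    flags = dacl if cut < 0 else dacl[:cut]
    aces = [tuple(a.split(";")) for a in ACE_RE.findall(dacl)]
    if any(len(a) != 6 for a in aces):
        raise ValueError("malformed ACE in %r" % sddl)
    return {"owner": m.group("owner"), "group": m.group("group"), "flags": flags, "aces": aces}


def format_ace(ace):
    ace_type, flags, mask, _obj, _iobj, trustee = ace
    return "%s %s for %s (%s, inherit flags %s)" % (
        "allow" if ace_type == "A" else ace_type, MASKS.get(mask, mask),
        describe(trustee), mask, flags or "-")


def diff_sddl(actual, expected):
    """Return human-readable differences; an empty list means the descriptors match."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for key in ("owner", "group"):
        if a[key] != e[key]:
            diffs.append("%s: got %s, expected %s" % (key, describe(a[key]), describe(e[key])))
    if a["flags"] != e["flags"]:
        diffs.append("DACL flags: got %r, expected %r" % (a["flags"], e["flags"]))
    # Compare ACEs as multisets so a reordered but equivalent DACL is not reported.
    extra = Counter(a["aces"]) - Counter(e["aces"])
    missing = Counter(e["aces"]) - Counter(a["aces"])
    diffs += ["unexpected ACE: " + format_ace(x) for x in extra]
    diffs += ["missing ACE: " + format_ace(x) for x in missing]
    return diffs


if __name__ == "__main__":
    for line in diff_sddl(ACTUAL, EXPECTED) or ["descriptors match"]:
        print(line)
```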
L.P.H. van Belle
2016-08-03 14:31:57 UTC

Can you run on a failing computer :

- netdom verify yourpcname

- nslookup yourpcname

All ok?

And is time in sync?

 

Did you install winbind after the update, and did you also change your server services line?

 

Like, I use bind9 DNS.

My smb.conf contains only this: server services = -dns

The full line is:

samba-tool testparm -vv | grep "server service"

        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

 

The thing you have to look at is: winbindd, and not winbind.

And best is really to setup TLS/SSL

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

(missing on that site: add TLS_REQCERT allow to ldap.conf)

 

 

Or a simple setup with your own cert.

https://www.spinics.net/lists/samba/msg134098.html

It's Debian minded, but translate it to your OS, most is the same.

 

Or make them manually

https://www.google.nl/search?q=setup+own+caroot#q=openssl+create+self+signed+certificate

Pick one.

 

 

Now, for the other problem, after above is done/checked.

 

You can clear your GPO history on the PC.

It's recreated when you reboot/login again, so no worries.

 

@echo off
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
klist purge
gpupdate /force
exit

 

Now reboot your PC and check again.

 

 

Greetz,

 

Louis

 

 
r***@bluemail.ch
2016-08-03 15:51:06 UTC
Post by L.P.H. van Belle
- netdom verify yourpcname
It seems to work only with FQDN:


C:\Temp>netdom verify cyb64w10-monster
The format of the specified computer name is invalid.

The command failed to complete successfully.


C:\Temp>netdom verify cyb64w10-monster.ad.cyberdyne.local
The secure channel from CYB64W10-MONSTER.AD.CYBERDYNE.LOCAL to the domain
CYBERDYNE has been verified. The connection
is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.

The command completed successfully.
Post by L.P.H. van Belle
- nslookup yourpcname
Seems to work fine:

C:\Temp>nslookup cyb64w10-monster
Server: UnKnown
Address: fdea:5b48:d4c1:1:1::6

Name: cyb64w10-monster.ad.cyberdyne.local
Addresses: fdea:5b48:d4c1:1:1::100
2a02:120b:2c38:2951:8d95:bd76:deaa:73db
fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
10.0.1.119
Post by L.P.H. van Belle
All ok?
To me this looks alright. Isn't it?
Post by L.P.H. van Belle
And is time in sync?
Yes, 100% in sync, synchronized via NTP server.
I am using two external time servers and the following config in my /etc/ntp.conf:
restrict default nomodify nopeer noquery limited kod mssntp
restrict 127.0.0.1
restrict [::1]

As far as I understand, with the Samba time server enabled this should allow clients
to synchronize the clock. Actually, manual verification and manual clock sync
seem to work:

C:\Temp>w32tm /resync
Sending resync command to local computer
The command completed successfully.
Post by L.P.H. van Belle
Did you install winbind after the update, and did you also change your
server services line?
Well, I have installed Samba on Gentoo via the official repositories. Winbind was
enabled from the beginning when upgrading from Samba 3.1 to 4.0. The group
policy synchronization worked perfectly fine until the 4.2.11 update; on 4.2.9 it was
working flawlessly.

My service line looks as follows:
server services = -dns

Full line (samba-tool testparm -vv | grep "server service"):
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
Post by L.P.H. van Belle
And best is really to setup TLS/SSL
Copy that.
<https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC>
Post by L.P.H. van Belle
( missing on that site : add TLS_REQCERT allow to ldap.conf )
Actually, from the page I understood that if I don't change anything the TLS
certificates are generated, but they are only valid for 700 days. Though mine were
generated in November 2015 (perhaps on the first Samba 4 startup), I just cleaned
them and let Samba rebuild them on restart. I might go for my own CA and signed
certs valid for a longer period later if this turns out to be the culprit.


So now I changed /etc/ldap/ldap.conf and inserted
TLS_REQCERT allow


Then I verified the configuration:

First verify without TLS, this should fail.

# ldapsearch -xLL -H ldap://localhost -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b "dc=ad,dc=cyberdyne,dc=local"
Enter LDAP Password:
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.


Then try with TLS, this should succeed.

# ldapsearch -ZZ -xLL -H ldap://localhost -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b "dc=ad,dc=cyberdyne,dc=local" | head -5
Enter LDAP Password:
version: 1

dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...


Then try with SSL too.

# ldapsearch -xLL -H ldaps://localhost -D "cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b "dc=ad,dc=cyberdyne,dc=local" | head -5
Enter LDAP Password:
version: 1

dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...
Post by L.P.H. van Belle
Now, for the other problem, after above is done/checked.
I think TLS works as expected.
Post by L.P.H. van Belle
You can clear your GPO history on the PC.
It's recreated when you reboot/login again, so no worries.
@echo off
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
Post by L.P.H. van Belle
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
klist purge
gpupdate /force
exit
Now reboot your PC and check again.
I did run those, although the Group Policy History and secedit.sdb did not exist,
as GPO has never been synced on this machine (fresh Win 10 Pro 1607
installation). The klist purge and gpupdate did run, though. Unfortunately gpupdate
immediately showed the same errors again, while Samba printed the same errors in
its log:

[2016/08/03 17:48:48.064741, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 17:48:48.064868, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED


Many thanks for your patience trying to debug this issue. I am a bit out of
ideas now how to trace this down. All file server services of Samba seem to work
fine.

Thanks again
Rainer
L.P.H. van Belle
2016-08-04 07:12:32 UTC
Forgot one extra.

On the win 10, check this reg key.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname

It states your hostname here, but if it's not in caps, change it to HOSTNAME.

In that registry key (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
you should also see your DNS domain at Domain and NV Domain.
NV Hostname should be in CAPS also.
The domains not.

Greetz,

Louis
-----Original message-----
Sent: Thursday, 4 August 2016 8:25
Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hai,
No, your output is not good.
Post by r***@bluemail.ch
C:\Temp>netdom verify cyb64w10-monster
The format of the specified computer name is invalid.
That's not good.
Post by r***@bluemail.ch
C:\Temp>nslookup cyb64w10-monster
Server: UnKnown
Address: fdea:5b48:d4c1:1:1::6
Also not good.
If your resolving is set up correctly, both should work.
netdom verify cyb64w10-monster
and
netdom verify cyb64w10-monster.ad.cyberdyne.local
Both work for me and my Windows 10 gets these policies.
Open a DOS box and type ipconfig /all
Check your primary DNS suffix AND DNS search.
Normally these are the same, can you check this?
My guess, you're missing the dns-search.
Are you using IPv6 in your LAN? If not, try disabling it.
And try again.
If you're using IPv6, then disable it, try it, and enable it again.
And post the resolv.conf and hosts files
Greetz,
Louis
# ldapsearch -xLL -H ldap://localhost -D
"cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b
"dc=ad,dc=cyberdyne,dc=local"
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.
Then try with TLS, this should succeed.
# ldapsearch -ZZ -xLL -H ldap://localhost -D
"cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b
"dc=ad,dc=cyberdyne,dc=local" | head -5
version: 1
dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...
Then try with SSL too.
# ldapsearch -xLL -H ldaps://localhost -D
"cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b
"dc=ad,dc=cyberdyne,dc=local" | head -5
version: 1
dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...
Post by L.P.H. van Belle
Now, for the other problem, after above is done/checked.
I think TLS works as expected.
Post by L.P.H. van Belle
You can clear you GPO history on the pc.
Its recreated when you reboot/login again, so now worries..
@echo off
DEL /S /F /Q “%ALLUSERSPROFILE%\Application Data\Microsoft\Group >
Policy\History\*.*”
Post by L.P.H. van Belle
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
klist purge
gpupdate /force
exit
now reboot your pc, and check again.
I did run those although the Group Policy History and secedit.sdb did
not
Post by r***@bluemail.ch
exist
as GPO has never been synced on this machine (fresh Win 10 Pro 1607
installation). Though the klist purge and gpupdate run. Unfortunately gpupdate
immediately showed the same errors again while Samba printing the same errors in
[2016/08/03 17:48:48.064741, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown
mech-
Post by r***@bluemail.ch
code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 17:48:48.064868, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
NT_STATUS_ACCESS_DENIED
Many thanks for your patience trying to debug this issue. I am a bit out of
ideas now how to trace this down. All file server services of Samba seem to work
fine.
Thanks again
Rainer
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
r***@bluemail.ch
2016-08-04 08:45:22 UTC
Permalink
Hello,
Post by L.P.H. van Belle
On the Win 10, check this reg key.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname
It states your hostname here, but if it's not in caps change it to HOSTNAME
Actually the name was in lowercase letters. I changed it to capital letters.
Though without any effect. I actually also thought Windows does not care about
case sensitivity and for hostnames by default it shouldn't matter.
Post by L.P.H. van Belle
In that registry key (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
you should also see your DNS domain at Domain and NV Domain.
NV Hostname should be in CAPS also.
The domains not.
Also this was in lowercase which I changed with no effect.

But I noticed another thing:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters there
are a few important parameters:
Dhcpv6DNSServers:
Here I see correctly my server fdea:5b48:d4c1:1:1::6 listed.

Dhcpv6DomainSearchList:
Here it looks only my suffix cyberdyne.local is listed and not
ad.cyberdyne.local. I have updated my DHCPv6 to include the search suffix as well:
option dhcp6.domain-search "ad.cyberdyne.local", "cyberdyne.local";


Strangely the value of the Dhcpv6DomainSearchList in the registry did not
update. Neither does the value in ipconfig /all

Connection-specific DNS Suffix Search List :
cyberdyne.local

Actually I tried on one of the machines to disable IPv6 entirely (on client side
only). Even this did not do any change to the result.


So for the moment I am operating one client for testing without IPv6 and one
with IPv6 enabled. But none of them seem to synchronize GPO.

Just for completeness here's the complete output from a test client with IPv6
disabled entirely (on client side):

C:\Temp>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : CYB64W10-HPNB
Primary Dns Suffix . . . . . . . : ad.cyberdyne.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ad.cyberdyne.local

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : cyberdyne.local
Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-1A-4B-79-B0-18
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.0.1.186(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, August 4, 2016 10:39:04 AM
Lease Expires . . . . . . . . . . : Saturday, August 6, 2016 10:39:03 AM
Default Gateway . . . . . . . . . : 10.0.1.6
DHCP Server . . . . . . . . . . . : 10.0.1.6
DNS Servers . . . . . . . . . . . : 10.0.1.6
10.0.2.6
Primary WINS Server . . . . . . . : 10.0.1.6
NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Temp>nslookup cyb64w10-hpnb
Server: skynet.cyberdyne.local
Address: 10.0.1.6

Name: cyb64w10-hpnb.ad.cyberdyne.local
Address: 10.0.1.186

C:\Temp>netdom verify cyb64w10-hpnb
The secure channel from CYB64W10-HPNB to the domain CYBERDYNE has been verified.
The connection
is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.

The command completed successfully.

C:\Temp>netdom verify cyb64w10-hpnb.ad.cyberdyne.local
The secure channel from CYB64W10-HPNB.AD.CYBERDYNE.LOCAL to the domain CYBERDYNE
has been verified. The connection
is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.

The command completed successfully.

C:\Temp>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were
encountered:

The processing of Group Policy failed. Windows could not resolve the computer
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were
encountered:

The processing of Group Policy failed. Windows could not resolve the user name.
This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html
from the command line to access information about Group Policy results.



On Server side I still get the same logs:

[2016/08/04 10:44:54.784497, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2016/08/04 10:44:54.785818, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC mechanism spnego
[2016/08/04 10:44:54.786480, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC submechanism gssapi_krb5
[2016/08/04 10:44:54.789262, 5]
../source4/auth/gensec/gensec_gssapi.c:499(gensec_gssapi_update)
gensec_gssapi: NO credentials were delegated
[2016/08/04 10:44:54.789373, 5]
../source4/auth/gensec/gensec_gssapi.c:514(gensec_gssapi_update)
GSSAPI Connection will be cryptographically sealed
[2016/08/04 10:44:54.806151, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/04 10:44:54.806331, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=208,pdu=240) failed:
NT_STATUS_ACCESS_DENIED




best regards,
Rainer
L.P.H. van Belle
2016-08-04 09:04:01 UTC
Permalink
Post by r***@bluemail.ch
I actually also thought Windows does not care
about
case sensitivity and for hostnames by default it shouldn't matter.
That's correct, but if Windows is buggy..
Source : https://support.microsoft.com/nl-nl/kb/2891966
It was worth a try..


https://support.microsoft.com/en-us/kb/2954031
for the status report error, one you can check also.


I see still something incorrect here.
Post by r***@bluemail.ch
C:\Temp>nslookup cyb64w10-hpnb
Server: skynet.cyberdyne.local
Address: 10.0.1.6
Name: cyb64w10-hpnb.ad.cyberdyne.local
Address: 10.0.1.186
SKYNET.AD.CYBERDYNE.LOCAL is the correct AD DC location.
Above still shows : skynet.cyberdyne.local

Review the settings again, if needed test with a dedicated IP.
Preferred IPv4 in the test.

Now I'm really off to the office, I'm getting late.. so no reply from me until at least 16:00 or tomorrow.



Greetz,

Louis
r***@bluemail.ch
2016-08-04 09:26:45 UTC
Permalink
Hello
Post by L.P.H. van Belle
https://support.microsoft.com/en-us/kb/2954031
for the status rapport error, one you can check also.
Looks like nothing to apply on a fresh Windows 10 1607 installation with all
updates applied.
Post by L.P.H. van Belle
I see still something incorrect here.
Post by r***@bluemail.ch
C:\Temp>nslookup cyb64w10-hpnb
Server: skynet.cyberdyne.local
Address: 10.0.1.6
SKYNET.AD.CYBERDYNE.LOCAL is the correct AD DC location.
Above still shows : skynet.cyberdyne.local
Well, good question. Actually the AD DNS domain for me is supplementary. The
cyberdyne.local domain is where I keep all my hosts managed. But if this is
important for Windows I can change the PTR entries of those IPs to point to the
AD domain. Here we go...

C:\Temp>nslookup 10.0.1.6
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6

Name: skynet.cyberdyne.local
Address: 10.0.1.6


C:\Temp>nslookup 10.0.2.6
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6

Name: skynet.ad.cyberdyne.local
Address: 10.0.2.6


C:\Temp>nslookup fdea:5b48:d4c1:1:1::6
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6

Name: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6


The result though is still the same.

Best regards,
Rainer
L.P.H. van Belle
2016-08-04 06:25:28 UTC
Permalink
Hai,

No, your output is not good.
Post by r***@bluemail.ch
C:\Temp>netdom verify cyb64w10-monster
The format of the specified computer name is invalid.
That's not good.
Post by r***@bluemail.ch
C:\Temp>nslookup cyb64w10-monster
Server: UnKnown
Address: fdea:5b48:d4c1:1:1::6
Also not good.


If your resolving is set up correctly, both should work.
netdom verify cyb64w10-monster
and
netdom verify cyb64w10-monster.ad.cyberdyne.local

Both work for me and my Windows 10 gets its policies.

Open a DOS box and type ipconfig /all

Check your primary DNS suffix AND DNS search.
Normally these are the same, can you check this?

My guess: you're missing the dns-search.

Are you using IPv6 in your LAN? If not, try disabling it.
And try again.
If you're using IPv6, then disable it, try it and enable it back.


And post the resolv.conf and hosts files



Greetz,

Louis
Post by r***@bluemail.ch
-----Oorspronkelijk bericht-----
Verzonden: woensdag 3 augustus 2016 17:51
Onderwerp: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
Post by L.P.H. van Belle
- netdom verify yourpcname
C:\Temp>netdom verify cyb64w10-monster
The format of the specified computer name is invalid.
The command failed to complete successfully.
C:\Temp>netdom verify cyb64w10-monster.ad.cyberdyne.local
The secure channel from CYB64W10-MONSTER.AD.CYBERDYNE.LOCAL to the domain
CYBERDYNE has been verified. The connection
is with the machine \\SKYNET.AD.CYBERDYNE.LOCAL.
The command completed successfully.
Post by L.P.H. van Belle
- nslookup yourpcname
C:\Temp>nslookup cyb64w10-monster
Server: UnKnown
Address: fdea:5b48:d4c1:1:1::6
Name: cyb64w10-monster.ad.cyberdyne.local
Addresses: fdea:5b48:d4c1:1:1::100
2a02:120b:2c38:2951:8d95:bd76:deaa:73db
fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
10.0.1.119
Post by L.P.H. van Belle
All ok?
To me this looks alright. Isn't it?
Post by L.P.H. van Belle
And is time in sync?
Yes, 100% in sync, synchronized via NTP server.
I am using two external time servers and the following config in my
restrict default nomodify nopeer noquery limited kod mssntp
restrict 127.0.0.1
restrict [::1]
As of my understanding with Samba time server enabled this should allow
clients
to synchronize the clock. Actually manual verification and manual clock
sync
C:\Temp>w32tm /resync
Sending resync command to local computer
The command completed successfully.
Post by L.P.H. van Belle
Did you install winbind after the update, and also did you change your
server services line?
Well, I have installed Samba on Gentoo via official repositories. Winbind was
enabled from the beginning when upgrading from Samba 3.1 to 4.0. The group
policy synchronization worked perfectly fine until the 4.2.11 update; on 4.2.9
it was working flawlessly.
server services = -dns
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
Post by L.P.H. van Belle
And best is really to setup TLS/SSL
Copy that.
<https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC>
Post by L.P.H. van Belle
( missing on that site : add TLS_REQCERT allow to ldap.conf )
Actually from the page I understood if I don't change anything the TLS
certificates are generated but they are only valid for 700 days. Though my
ones were generated in November 2015 (perhaps on first Samba 4 startup) I just
cleaned them and let Samba rebuild them on restart. I might go for my own CA
and signed certs valid for a longer period later if this turns out to be the
culprit.
So now I changed /etc/ldap/ldap.conf and inserted
TLS_REQCERT allow
First verify without TLS, this should fail.
# ldapsearch -xLL -H ldap://localhost -D
"cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b
"dc=ad,dc=cyberdyne,dc=local"
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.
Then try with TLS, this should succeed.
# ldapsearch -ZZ -xLL -H ldap://localhost -D
"cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b
"dc=ad,dc=cyberdyne,dc=local" | head -5
version: 1
dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...
Then try with SSL too.
# ldapsearch -xLL -H ldaps://localhost -D
"cn=Administrator,cn=Users,dc=ad,dc=cyberdyne,dc=local" -W -b
"dc=ad,dc=cyberdyne,dc=local" | head -5
version: 1
dn: CN=Domain Controllers,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: group
...
Post by L.P.H. van Belle
Now, for the other problem, after above is done/checked.
I think TLS works as expected.
Post by L.P.H. van Belle
You can clear your GPO history on the PC.
It's recreated when you reboot/login again, so no worries..
@echo off
REM Cached Group Policy history (on Vista and later this path resolves to
REM %ProgramData%\Microsoft\Group Policy\History)
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
REM Locally cached policy settings, machine and current user
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REM Local security policy database, rebuilt on the next security policy refresh
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
REM Drop cached Kerberos tickets, then pull policy again
klist purge
gpupdate /force
exit
now reboot your pc, and check again.
I did run those although the Group Policy History and secedit.sdb did not exist
as GPO has never been synced on this machine (fresh Win 10 Pro 1607
installation). Though the klist purge and gpupdate run. Unfortunately gpupdate
immediately showed the same errors again while Samba was printing the same
errors in its log:
[2016/08/03 17:48:48.064741, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-
code 0
for mech 1 2 840 113554 1 2 2
[2016/08/03 17:48:48.064868, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176)
NT_STATUS_ACCESS_DENIED
Many thanks for your patience trying to debug this issue. I am a bit out of
ideas now how to trace this down. All file server services of Samba seem to
work fine.
Thanks again
Rainer
r***@bluemail.ch
2016-08-04 07:46:34 UTC
Permalink
Hello Louis,

Thanks for your reply.
Post by L.P.H. van Belle
No, your output is not good.
So let's have a look.
Post by L.P.H. van Belle
Post by r***@bluemail.ch
C:\Temp>netdom verify cyb64w10-monster
The format of the specified computer name is invalid.
Thats not good.
Well, it quite clearly states the format is invalid. If I use the FQDN of
the AD domain it works fine. The DNS search is also including the AD domain as
well as the primary DNS suffix is set to the AD domain (see below).
Post by L.P.H. van Belle
Post by r***@bluemail.ch
C:\Temp>nslookup cyb64w10-monster
Server: UnKnown
Address: fdea:5b48:d4c1:1:1::6
Also not good.
It resolves fine. I just missed the correct IPv6 PTR record in the DNS.

I did quickly fix this now (with no change to the result in GPO sync):
C:\Temp>nslookup cyb64w10-monster
Server: skynet.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6

Name: cyb64w10-monster.ad.cyberdyne.local
Addresses: 2a02:120b:2c38:2951:8d95:bd76:deaa:73db
fdea:5b48:d4c1:1:1::100
fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
10.0.1.119
Post by L.P.H. van Belle
open dos box and type ipconfig /all
check you primary dns suffix AND dns search.
Normaly these are the same, can you check this?
My guess, your missing the dns-search
I actually get both suffixes and the primary DNS Suffix is set to
ad.cyberdyne.local. The reason for this is that I am running a DNS zone
including host data for my local LAN (cyberdyne.local) while the AD zone is
entirely managed by bind_dlz (ad.cyberdyne.local). So in my DHCP configuration I
am assigning the cyberdyne.local DNS domain name (dhcp.conf):
option domain-name "cyberdyne.local";


C:\Temp>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : cyb64w10-monster
Primary Dns Suffix . . . . . . . : ad.cyberdyne.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ad.cyberdyne.local
cyberdyne.local
Post by L.P.H. van Belle
Are you using ipv6 in your lan? If not, try disable it.
And try again.
If your using ipv6, then disable it, try it and enable it back.
Well, I am using IPv6 mainly for all services and don't want to disable it.
Though I might try this temporary which will be quite a bunch of reconfiguration
to disable IPv6 in all services. So I will come back with results on this later.
Post by L.P.H. van Belle
And post the resolv.conf and hosts files
My resolv.conf:

# Generated by net-scripts for interface lan0
domain ad.cyberdyne.local
search ad.cyberdyne.local cyberdyne.local
nameserver fdea:5b48:d4c1:1:1::6
nameserver 10.0.1.6


my /etc/hosts:

# IPv4 and IPv6 localhost aliases
127.0.0.1 localhost
::1 localhost

10.0.1.6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local
fdea:5b48:d4c1:1:1::6 skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local


On clients I don't have any modifications to the stock Windows 10 hosts file,
just containing localhost entries.


best regards,
Rainer
r***@bluemail.ch
2016-08-04 10:02:18 UTC
Permalink
Post by r***@bluemail.ch
Well, I am using IPv6 mainly for all services and don't want to disable it.
Though I might try this temporary which will be quite a bunch of reconfiguration
to disable IPv6 in all services. So I will come back with results on this later.
I have completely disabled IPv6 on the server temporarily, and I also removed
the second IPv4 address from the interface.

Unfortunately this didn't do any change to the result.

Still getting the same errors in Samba log.

[2016/08/04 11:49:23.546473, 1]
../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0
for mech 1 2 840 113554 1 2 2
[2016/08/04 11:49:23.546602, 0]
../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed:
NT_STATUS_ACCESS_DENIED


best regards,
Rainer
L.P.H. van Belle
2016-08-04 08:14:11 UTC
Permalink
Post by r***@bluemail.ch
Just I missed the correct IPv6 PTR record from the DNS.
OK, and what's required for a correctly working Kerberos environment?

Ahh.. Yes... DNS A and PTR records. ;-) So one thing fixed, that's ok..

The PC ( ipconfig /all ) looks good now.

Next.. your hosts files...
Post by r***@bluemail.ch
# IPv4 and IPv6 localhost aliases
127.0.0.1       localhost
::1             localhost
10.0.1.6        skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local
fdea:5b48:d4c1:1:1::6   skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local
Which looks ok but it isn't.

# look at this layout I made..  ( the localhost.localdomain is optional. )
127.0.0.1            localhost localhost.localdomain
#
10.0.1.6                skynet.ad.cyberdyne.local skynet
fdea:5b48:d4c1:1:1::6   skynet.ad.cyberdyne.local skynet
#
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Post by r***@bluemail.ch
# Generated by net-scripts for interface lan0
domain ad.cyberdyne.local
So your server is in domain ad.cyberdyne.local

Now after these changes reboot the server; when it is up, reboot the PC.
And check again.

For the skynet.cyberdyne.local:
set up an alias in your DNS if needed, but since you have DNS search also to both domains that "should" not be needed.
Don't make an A record for this in .cyberdyne.local; use a CNAME.

p.s. you do know that .local is reserved for Apple's mDNS (zeroconf) and it is "advised" not to use it.
https://en.wikipedia.org/wiki/.local
see also note 5 there.

But! If you're already up and running DON'T change the domain, that will give more problems..

Greetz,

Louis

Post by r***@bluemail.ch
-----Oorspronkelijk bericht-----
Verzonden: donderdag 4 augustus 2016 9:47
Onderwerp: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hello Louis,
Thanks for your reply.
 > No, your output is not good.
So let's have a look.
 > >C:\Temp>netdom verify cyb64w10-monster
 > >The format of the specified computer name is invalid.
 > Thats not good.
Well, it quite clearly states the format is invalid. If I use the the FQDN
of
the AD domain it works fine. The DNS search is also including the AD
domain as
well as the primary DNS suffix is set to the AD domain (see below).
 > > C:\Temp>nslookup cyb64w10-monster
 > > Server:  UnKnown
 > > Address:  fdea:5b48:d4c1:1:1::6
 > Also not good.
It resolves fine. Just I missed the correct IPv6 PTR record from the DNS.
C:\Temp>nslookup cyb64w10-monster
Server:  skynet.cyberdyne.local
Address:  fdea:5b48:d4c1:1:1::6
Name:    cyb64w10-monster.ad.cyberdyne.local
Addresses:  2a02:120b:2c38:2951:8d95:bd76:deaa:73db
           fdea:5b48:d4c1:1:1::100
           fdea:5b48:d4c1:1:8d95:bd76:deaa:73db
           10.0.1.119
 > open dos box and type ipconfig /all
 > check your primary DNS suffix AND DNS search.
 > Normally these are the same, can you check this?
 > My guess: you're missing the DNS search
I actually get both suffixes and the primary DNS Suffix is set to
ad.cyberdyne.local. The reason for this is that I am running a DNS zone
including host data for my local LAN (cyberdyne.local) while the AD zone
is
entirely managed by bind_dlz (ad.cyberdyne.local). So in my DHCP
configuration I
     option domain-name "cyberyne.local";
C:\Temp>ipconfig /all
Windows IP Configuration
    Host Name . . . . . . . . . . . . : cyb64w10-monster
    Primary Dns Suffix  . . . . . . . : ad.cyberdyne.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : ad.cyberdyne.local
                                        cyberdyne.local
 > Are you using IPv6 in your LAN? If not, try disabling it.
 > And try again.
 > If you're using IPv6, then disable it, try it and enable it back.
Well, I am using IPv6 for most services and don't want to disable it.
Though I might try this temporarily, which will be quite a bunch of
reconfiguration to disable IPv6 in all services. So I will come back with
results on this later.
 > And post the resolv.conf and hosts files
# Generated by net-scripts for interface lan0
domain ad.cyberdyne.local
search ad.cyberdyne.local cyberdyne.local
nameserver fdea:5b48:d4c1:1:1::6
nameserver 10.0.1.6
# IPv4 and IPv6 localhost aliases
127.0.0.1       localhost
::1             localhost
10.0.1.6        skynet skynet.cyberdyne.local skynet.ad.cyberdyne.local
fdea:5b48:d4c1:1:1::6   skynet skynet.cyberdyne.local
skynet.ad.cyberdyne.local
On clients I don't have any modifications to the stock Windows 10 hosts
file,
just containing localhost entries.
best regards,
Rainer
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
 
r***@bluemail.ch
2016-08-04 09:12:20 UTC
Hello
Post by L.P.H. van Belle
Post by r***@bluemail.ch
I just missed the correct IPv6 PTR record in the DNS.
OK, and what's required for a correctly working Kerberos environment.
Well, I thought Samba bind_dlz was going to configure the required PTR and
all other Kerberos DNS entries in the ad.cyberdyne.local zone, which is entirely
managed by Samba.

I don't intend to run any Kerberos services in cyberdyne.local DNS domain.
Post by L.P.H. van Belle
Next.. your hosts files...
Updated according to your suggestions:

# IPv4 and IPv6 localhost aliases
127.0.0.1 localhost localhost.localdomain
10.0.1.6 skynet.ad.cyberdyne.local skynet
fdea:5b48:d4c1:1:1::6 skynet.ad.cyberdyne.local skynet

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

And just for testing to resolve the client I am currently testing with:

# nslookup cyb64w10-hpnb
Server: 10.0.1.6
Address: 10.0.1.6#53

Name: cyb64w10-hpnb.ad.cyberdyne.local
Address: 10.0.1.186
Post by L.P.H. van Belle
Post by r***@bluemail.ch
# Generated by net-scripts for interface lan0
domain ad.cyberdyne.local
So you server is in domain ad.cyberdyne.local
Well, actually this was a mistake inserted manually during tests (my bad).
The DNS domain for the server should be cyberdyne.local.

This is fixed after the suggested reboot; the resolv.conf looks as follows:
# Generated by net-scripts for interface lan0
domain cyberdyne.local
search ad.cyberdyne.local cyberdyne.local
nameserver 10.0.1.6
nameserver 10.0.2.6


(yes the server got 2 IPv4 interfaces)
I have assigned both of the DNS search suffix though.
Post by L.P.H. van Belle
Now after these changes reboot the server, when up, reboot the pc.
And check again.
Just did that. Tried gpupdate on the client with IPv6 disabled with the same result.
Post by L.P.H. van Belle
For the : skynet.cyberdyne.local
setup an alias in your dns, if needed, but since you have dns search also to
both domains that “should” not be needed.

I can resolve this name properly as the DNS zone is managed by the server:

C:\Temp>nslookup skynet
Server: skynet.cyberdyne.local
Address: 10.0.1.6

Name: skynet.ad.cyberdyne.local
Address: 10.0.1.6


C:\Temp>nslookup skynet.cyberdyne.local
Server: skynet.cyberdyne.local
Address: 10.0.1.6

Name: skynet.cyberdyne.local
Addresses: fdea:5b48:d4c1:1:1::6
10.0.1.6
10.0.2.6

(from client with IPv6 disabled)
Post by L.P.H. van Belle
Dont make an A record for this in .cyberdyne.local CNAME.
Not sure what you mean by this. Of course the host has an A record
"skynet.cyberdyne.local". The zone ad.cyberdyne.local is managed by bind_dlz and
cyberdyne.local has its own A records (for example for the various
network devices, printers etc.).
Post by L.P.H. van Belle
P.S. You do know that .local is reserved for Apple's mDNS (zeroconf) and is
“advised” not to use.
Post by L.P.H. van Belle
https://en.wikipedia.org/wiki/.local
I know about this. This Samba domain has been running for > 10 years and got upgraded
to Samba AD sometime last year. I don't intend to run any mDNS stuff and never
experienced any issues with this. Moreover I don't intend to register a domain
just for internal tests and this is exactly what .local was meant to be. In
general I can't imagine this issue being connected to the .local domain.


Meanwhile I have tried also to configure Samba to listen only on IPv4
interfaces. Though this didn't do any change either.


Again, many thanks for your investigations.
r***@bluemail.ch
2016-08-03 14:49:56 UTC
https://bugzilla.samba.org/show_bug.cgi?id=11351
Well, I already came across this bug report as my GPMC shows the same error on the
"Status" tab of the domain. Though I didn't join any Windows domain controller
to the Samba domain. I am running GPMC on my local Windows 10 Pro machine joined
to the domain.

It shows "No Infrastructure Status Information exists for this domain." and
"Click the Detect Now button below to gather infrastructure status from all of
the domain controllers in this domain.". When I click "Detect Now" it shows "A
processing error occurred collecting data using this base domain controller.
Please change the base domain controller and try again."

When I click on the "Change" link a window opens with the title "Select New
Baseline DC" with no content. So nothing to select there.


So I am not sure if this is correct with Samba or not.

Thanks
Rainer
L.P.H. van Belle
2016-08-04 08:23:40 UTC
Hai Rowland,

I manage my policies from a Windows 7 PC, but that's only because otherwise I'm missing the Unix tab, and it's no problem to set Win 10 policies from a Win 7.

I'll look if I can set up a Win10 and try the GPMC also.
But that's for tomorrow or Monday; I'm out of the office as of ... now.

Greetz,

Louis
-----Original message-----
Sent: Wednesday 3 August 2016 17:30
Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
On Wed, 3 Aug 2016 16:49:56 +0200
Post by r***@bluemail.ch
https://bugzilla.samba.org/show_bug.cgi?id=11351
Well, I already came across this bug report as my GPMC shows the same
error on the "Status" tab of the domain. Though I didn't join any
Windows domain controller to the Samba domain. I am running GPMC on
my local Windows 10 Pro machine joined to the domain.
It shows "No Infrastructure Status Information exists for this
domain." and "Click the Detect Now button below to gather
infrastructure status from all of the domain controllers in this
domain.". When I click "Detect Now" it shows "A processing error
occurred collecting data using this base domain controller. Please
change the base domain controller and try again."
When I click on the "Change" link a window opens with the title
"Select New Baseline DC" with no content. So nothing to select there.
So I am not sure if this is correct with Samba or not.
Thanks
Rainer
I installed win10 in a VM, installed RSAT and couldn't get GPMC to work.
I got exactly the same error messages as you.
So, I installed win8.1 in a VM, same result.
Finally, I installed win7 in a VM and GPMC worked; they were all
pointed at the same Samba AD DC.
Rowland
r***@bluemail.ch
2016-08-04 12:10:39 UTC
Hello Rowland
Let's go back to basics, can you post your smb.conf again, but this time obtain it via cat
Sure. As it's a bit larger and I don't want to process or omit anything
which could be important, here's a complete paste:

<http://pastebin.com/mYa1d5KG>


In short without comments:

[global]
workgroup = CYBERDYNE
realm = ad.cyberdyne.local
netbios name = SKYNET
netbios aliases = SOFTWARE
server string = SkyNet
server role = active directory domain controller
acl:search = no
ldap server require strong auth = no
server services = -dns
idmap_ldb:use rfc2307 = yes

time server = yes

logon script = KIX32.exe logon.kix
logon path = \\%N\profile\.winprofile
logon drive = N:
logon home = \\%N\%U

log file = /var/log/samba/smb.%M
max log size = 500

[netlogon]
path = /var/lib/samba/sysvol/ad.cyberdyne.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
Can you also post your /etc/krb5.conf
Sure:

# cat /etc/krb5.conf
[libdefaults]
default_realm = AD.CYBERDYNE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
AD.CYBERDYNE.LOCAL = {
default_domain = ad.cyberdne.local
kdc = skynet.ad.cyberdyne.local
admin_server = skynet.ad.cyberdyne.local
}

[domain_realm]
.ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
ad.cyberdyne.local = AD.CYBERDYNE.LOCAL




best regards,
Rainer
r***@bluemail.ch
2016-08-04 13:00:10 UTC
Perhaps I am on the wrong track but I would like to share some
additional observations...

I quickly enabled DNS query logging:
# rndc querylog


Then run another gpupdate on the client.

During the Update I see lots of queries:

04-Aug-2016 14:46:58.414 queries: info: client 10.0.1.186#59270
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (10.0.1.6)
04-Aug-2016 14:46:59.223 queries: info: client 10.0.1.186#50476
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (10.0.1.6)
04-Aug-2016 14:46:59.428 queries: info: client 10.0.1.186#58473
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (10.0.1.6)
... [message repeated 16 times in total]

or with IPv6 enabled:
04-Aug-2016 14:57:42.217 queries: info: client
fdea:5b48:d4c1:1:68f2:fa7c:db26:ce22#53050
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (fdea:5b48:d4c1:1:1::6)
04-Aug-2016 14:57:42.401 queries: info: client
fdea:5b48:d4c1:1:68f2:fa7c:db26:ce22#63158
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (fdea:5b48:d4c1:1:1::6)
04-Aug-2016 14:57:42.711 queries: info: client
fdea:5b48:d4c1:1:68f2:fa7c:db26:ce22#64202
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local):
view internal: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
IN SRV + (fdea:5b48:d4c1:1:1::6)
... [message repeated 16 times in total]


I did query this from the client:

C:\Temp>nslookup -type=SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = skynet.ad.cyberdyne.local
_msdcs.ad.cyberdyne.local nameserver = skynet.ad.cyberdyne.local
skynet.ad.cyberdyne.local internet address = 10.0.0.6
skynet.ad.cyberdyne.local internet address = 10.0.2.6
skynet.ad.cyberdyne.local internet address = 10.0.1.6
skynet.ad.cyberdyne.local AAAA IPv6 address = fdea:5b48:d4c1:1:1::6
skynet.ad.cyberdyne.local AAAA IPv6 address = 2a02:120b:2c38:2950::1
skynet.ad.cyberdyne.local AAAA IPv6 address = 2a02:120b:2c38:2951::1


And from the server:

# dig -t SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local

; <<>> DiG 9.10.3-P4 <<>> -t SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33143
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local.
IN SRV

;; ANSWER SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local.
900 IN SRV 0 100 389 skynet.ad.cyberdyne.local.

;; AUTHORITY SECTION:
_msdcs.ad.cyberdyne.local. 900 IN NS skynet.ad.cyberdyne.local.

;; ADDITIONAL SECTION:
skynet.ad.cyberdyne.local. 900 IN A 10.0.1.6
skynet.ad.cyberdyne.local. 900 IN A 10.0.0.6
skynet.ad.cyberdyne.local. 900 IN A 10.0.2.6
skynet.ad.cyberdyne.local. 900 IN AAAA fdea:5b48:d4c1:1:1::6
skynet.ad.cyberdyne.local. 900 IN AAAA 2a02:120b:2c38:2950::1
skynet.ad.cyberdyne.local. 900 IN AAAA 2a02:120b:2c38:2951::1

;; Query time: 12 msec
;; SERVER: fdea:5b48:d4c1:1:1::6#53(fdea:5b48:d4c1:1:1::6)
;; WHEN: Thu Aug 04 14:53:22 CEST 2016
;; MSG SIZE rcvd: 290



In fact to me it looks like all the addresses returned are valid.
I am not sure why gpupdate issues 16 queries on this.

best regards,
Rainer
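The nslookup and dig runs above check a single SRV name by hand. Below is an added example, not part of the thread, of Samba or of BIND, that walks the full set of _msdcs names a domain member's DC locator queries and checks each target forward and reverse. Realm, site and skynet's two addresses are taken from the thread; the record table is constructed here and deliberately lacks the IPv6 PTR, as Rainer's zone first did; the SRV name list is the standard DC-locator set rather than something the thread shows; and the `dnspython_resolver` helper assumes the third-party dnspython 2.x package.

```python
"""Added example (not from the thread): DC-locator DNS consistency check.
The resolver is injected so the logic runs offline against a table; see
dnspython_resolver() for live use."""
import ipaddress
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]  # (owner name, rtype) -> rdata as text


def dc_locator_srv_names(realm: str, site: str) -> List[str]:
    """SRV names a Windows member queries to find a DC: the site-specific
    records first, then the domain-wide ones (the _kerberos/_kpasswd names are
    also what krb5's dns_lookup_kdc = true relies on). Standard _msdcs names."""
    r = realm.rstrip(".").lower()
    return [
        f"_ldap._tcp.{site}._sites.dc._msdcs.{r}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{r}",
        f"_ldap._tcp.dc._msdcs.{r}",
        f"_kerberos._tcp.dc._msdcs.{r}",
        f"_ldap._tcp.pdc._msdcs.{r}",
        f"_ldap._tcp.gc._msdcs.{r}",
        f"_kerberos._udp.{r}",
        f"_kpasswd._tcp.{r}",
        f"_kpasswd._udp.{r}",
    ]


def reverse_name(addr: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(addr).reverse_pointer


def check_dc_records(realm: str, site: str, resolve: Resolver) -> dict:
    """Resolve each SRV name, each target's A/AAAA, and the PTR of each address.
    A missing or mismatching PTR is reported: MIT krb5 clients canonicalise the
    KDC name through its PTR by default (rdns = true), so a wrong PTR changes
    the service principal they ask for."""
    report = {"srv": {}, "targets": {}, "problems": []}
    for name in dc_locator_srv_names(realm, site):
        srvs = resolve(name, "SRV")
        if not srvs:
            report["problems"].append(f"missing SRV record {name}")
            continue
        # dnspython renders SRV rdata as "priority weight port target."
        targets = [s.split()[-1].rstrip(".").lower() for s in srvs]
        report["srv"][name] = targets
        for target in targets:
            if target in report["targets"]:
                continue  # already checked for an earlier SRV name
            addrs = resolve(target, "A") + resolve(target, "AAAA")
            report["targets"][target] = addrs
            if not addrs:
                report["problems"].append(f"{target}: no A/AAAA record")
            for addr in addrs:
                ptrs = [p.rstrip(".").lower() for p in resolve(reverse_name(addr), "PTR")]
                if target not in ptrs:
                    report["problems"].append(
                        f"{target}: {addr} has no PTR back to it (PTR = {ptrs})")
    return report


def table_resolver(table: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Offline resolver over a {(owner, rtype): [rdata]} table."""
    norm = {(o.rstrip(".").lower(), t): rd for (o, t), rd in table.items()}

    def resolve(name: str, rtype: str) -> List[str]:
        return list(norm.get((name.rstrip(".").lower(), rtype), []))
    return resolve


def dnspython_resolver() -> Resolver:
    """Live resolver; assumes the third-party dnspython 2.x package is installed."""
    import dns.exception
    import dns.resolver

    def resolve(name: str, rtype: str) -> List[str]:
        try:
            return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
        except dns.exception.DNSException:  # NXDOMAIN, NoAnswer, timeout, ...
            return []
    return resolve


# Realm, site and DC addresses from the thread; the record table is constructed
# and has no PTR for the IPv6 address, as Rainer's zone first did.
REALM, SITE = "ad.cyberdyne.local", "Default-First-Site-Name"
DC, DC_V4, DC_V6 = "skynet.ad.cyberdyne.local", "10.0.1.6", "fdea:5b48:d4c1:1:1::6"
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    (DC, "A"): [DC_V4],
    (DC, "AAAA"): [DC_V6],
    (reverse_name(DC_V4), "PTR"): [DC + "."],
}
for _name in dc_locator_srv_names(REALM, SITE):
    SAMPLE_ZONE[(_name, "SRV")] = [f"0 100 389 {DC}."]  # port is irrelevant to this check

if __name__ == "__main__":
    rep = check_dc_records(REALM, SITE, table_resolver(SAMPLE_ZONE))  # or dnspython_resolver()
    print("targets:", rep["targets"])
    for problem in rep["problems"]:
        print("PROBLEM:", problem)
```

Run as shown, it reports the one gap built into the table: the AAAA address has no PTR. Pass `dnspython_resolver()` instead to check a live domain from a member; a PTR that points at a name other than the SRV target is reported the same way as a missing one, because for MIT krb5 clients that is the name that ends up in the service principal.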
r***@bluemail.ch
2016-08-04 15:51:09 UTC
Even some more observations.

I noticed that when I join my machine to AD it prompts a second time for the
credentials. It does not matter what I enter, or even if I cancel the dialog,
it will always display an error:

Changing the Primary Domain DNS name of this computer to "" failed.
The name will remain "ad.cyberdyne.local".

Well, actually this is what I want anyway. I found this Microsoft article
about it:
<https://support.microsoft.com/en-us/kb/2018583>
But forcing NetBIOS over TCP did not help either. I have the following in
my dhcpd.conf anyway:
option netbios-name-servers 10.0.1.6;
option netbios-node-type 8;


In any case this should not harm as far as I understood.


But I went a bit more into DNS topics and came across a potential issue,
or at least a nuisance.
I am currently using BIND and it manages the zone cyberdyne.local, where
I also manage a reverse DNS zone (zone
"1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa"). This zone is managing
PTR entries for my local LAN equipment with fixed IP addresses.

It looks like when a machine is domain-joined the clients try to update
those records and I see the following in my BIND logs (starts after
domain join):

04-Aug-2016 17:09:52.381 update-security: error: client
fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: view internal: update
'1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN' denied
04-Aug-2016 17:09:52.382 update: info: client
fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#54604/key
cyb64w10-monste\$\@AD.CYBERDYNE.LOCAL: view internal: updating zone
'1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN': update failed: rejected
by secure update (REFUSED)


I am asking myself how to resolve this.
One possibility might be to remove the reverse DNS zone and let
Samba_DLZ manage it. This might work but does not allow me to manage the
PTR records for my static LAN equipment in BIND.

A second possibility might be to allow secure updates. Though I haven't
been able to find a working guide on how to allow Kerberos-authenticated
secure updates. Somewhere I found to use something like

update-policy {
grant AD.CYBERDYNE.LOCAL krb5-self * PTR;
};

in my zone definition. However it didn't work as expected.
I also found this:
<http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/>
However I didn't go through the complete instructions. As far as I
understand it will forward the verification of the request to an
external script.
Well, I think it's far too complex and Kerberos authentication should be
possible with BIND directly.


As a last option I temporary inserted this into my BIND zone configuration:
allow-update { any; };

Of course this is risky as it actually allows any client to manipulate
the PTR entries and it's not meant to be used in production.
The intention was to verify whether those failed DNS updates might have
an impact on the GPO update issue.

It turned out they don't. I am now able to forward-and-reverse lookup
the client address:

C:\Temp>nslookup CYB64W10-HPNB.ad.cyberdyne.local
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6

Name: CYB64W10-HPNB.ad.cyberdyne.local
Addresses: fdea:5b48:d4c1:1:1::102
fdea:5b48:d4c1:1:ec71:fc72:a95b:3d12
10.0.1.186


C:\Temp>nslookup fdea:5b48:d4c1:1:1::102
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6

Name: CYB64W10-HPNB.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::102


C:\Temp>nslookup fdea:5b48:d4c1:1:ec71:fc72:a95b:3d12
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6

Name: CYB64W10-HPNB.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:ec71:fc72:a95b:3d12


C:\Temp>nslookup 10.0.1.186
Server: skynet.ad.cyberdyne.local
Address: fdea:5b48:d4c1:1:1::6

Name: CYB64W10-HPNB.ad.cyberdyne.local
Address: 10.0.1.186


Of course all of this did not have any effect on the GPO issue. It still
fails to sync.





In all cases it looks like Windows clients start two transactions all
the time. The first one is cancelled while the second one succeeds. This
might be a samba_dlz issue though:

04-Aug-2016 17:37:15.642 database: info: samba_dlz: starting transaction
on zone ad.cyberdyne.local
04-Aug-2016 17:37:15.644 update-security: error: client
fdea:5b48:d4c1:1:bdaa:87cf:35dc:3a27#51511: view internal: update
'ad.cyberdyne.local/IN' denied
04-Aug-2016 17:37:15.644 database: info: samba_dlz: cancelling
transaction on zone ad.cyberdyne.local
04-Aug-2016 17:37:15.670 database: info: samba_dlz: starting transaction
on zone ad.cyberdyne.local
04-Aug-2016 17:37:15.675 database: info: samba_dlz: allowing update of
signer=cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL
name=CYB64W10-HPNB.ad.cyberdyne.local tcpaddr= type=AAAA
key=764-ms-7.2-45281.b1a8208e-5a58-11e6-3496-0013e8e7cd41/160/0
04-Aug-2016 17:37:15.678 database: info: samba_dlz: allowing update of
signer=cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL
name=CYB64W10-HPNB.ad.cyberdyne.local tcpaddr= type=A
key=764-ms-7.2-45281.b1a8208e-5a58-11e6-3496-0013e8e7cd41/160/0
04-Aug-2016 17:37:15.681 database: info: samba_dlz: allowing update of
signer=cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL
name=CYB64W10-HPNB.ad.cyberdyne.local tcpaddr= type=AAAA
key=764-ms-7.2-45281.b1a8208e-5a58-11e6-3496-0013e8e7cd41/160/0
04-Aug-2016 17:37:15.685 database: info: samba_dlz: allowing update of
signer=cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL
name=CYB64W10-HPNB.ad.cyberdyne.local tcpaddr= type=AAAA
key=764-ms-7.2-45281.b1a8208e-5a58-11e6-3496-0013e8e7cd41/160/0
04-Aug-2016 17:37:15.688 database: info: samba_dlz: allowing update of
signer=cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL
name=CYB64W10-HPNB.ad.cyberdyne.local tcpaddr= type=A
key=764-ms-7.2-45281.b1a8208e-5a58-11e6-3496-0013e8e7cd41/160/0
04-Aug-2016 17:37:15.688 update: info: client
fdea:5b48:d4c1:1:bdaa:87cf:35dc:3a27#64311/key
cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL: view internal: updating zone
'ad.cyberdyne.local/NONE': deleting rrset at
'CYB64W10-HPNB.ad.cyberdyne.local' AAAA
04-Aug-2016 17:37:15.689 update: info: client
fdea:5b48:d4c1:1:bdaa:87cf:35dc:3a27#64311/key
cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL: view internal: updating zone
'ad.cyberdyne.local/NONE': deleting rrset at
'CYB64W10-HPNB.ad.cyberdyne.local' A
04-Aug-2016 17:37:15.699 database: info: samba_dlz: subtracted rdataset
CYB64W10-HPNB.ad.cyberdyne.local 'CYB64W10-HPNB.ad.cyberdyne.local.
1200 IN A 10.0.1.186'
04-Aug-2016 17:37:15.701 update: info: client
fdea:5b48:d4c1:1:bdaa:87cf:35dc:3a27#64311/key
cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL: view internal: updating zone
'ad.cyberdyne.local/NONE': adding an RR at
'CYB64W10-HPNB.ad.cyberdyne.local' AAAA
2a02:120b:2c38:2951:ec71:fc72:a95b:3d12
04-Aug-2016 17:37:15.704 database: info: samba_dlz: added rdataset
CYB64W10-HPNB.ad.cyberdyne.local 'CYB64W10-HPNB.ad.cyberdyne.local.
1200 IN AAAA 2a02:120b:2c38:2951:ec71:fc72:a95b:3d12'
04-Aug-2016 17:37:15.704 update: info: client
fdea:5b48:d4c1:1:bdaa:87cf:35dc:3a27#64311/key
cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL: view internal: updating zone
'ad.cyberdyne.local/NONE': adding an RR at
'CYB64W10-HPNB.ad.cyberdyne.local' AAAA fdea:5b48:d4c1:1:ec71:fc72:a95b:3d12
04-Aug-2016 17:37:15.707 database: info: samba_dlz: added rdataset
CYB64W10-HPNB.ad.cyberdyne.local 'CYB64W10-HPNB.ad.cyberdyne.local.
1200 IN AAAA fdea:5b48:d4c1:1:ec71:fc72:a95b:3d12'
04-Aug-2016 17:37:15.708 update: info: client
fdea:5b48:d4c1:1:bdaa:87cf:35dc:3a27#64311/key
cyb64w10-hpnb\$\@AD.CYBERDYNE.LOCAL: view internal: updating zone
'ad.cyberdyne.local/NONE': adding an RR at
'CYB64W10-HPNB.ad.cyberdyne.local' A 10.0.1.186
04-Aug-2016 17:37:15.711 database: info: samba_dlz: added rdataset
CYB64W10-HPNB.ad.cyberdyne.local 'CYB64W10-HPNB.ad.cyberdyne.local.
1200 IN A 10.0.1.186'
04-Aug-2016 17:37:15.715 database: info: samba_dlz: subtracted rdataset
ad.cyberdyne.local 'ad.cyberdyne.local. 3600 IN SOA
skynet.ad.cyberdyne.local. hostmaster.ad.cyberdyne.local. 690 900 600
86400 3600'
04-Aug-2016 17:37:15.717 database: info: samba_dlz: added rdataset
ad.cyberdyne.local 'ad.cyberdyne.local. 3600 IN SOA
skynet.ad.cyberdyne.local. hostmaster.ad.cyberdyne.local. 691 900 600
86400 3600'
04-Aug-2016 17:37:15.728 database: info: samba_dlz: committed
transaction on zone ad.cyberdyne.local
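The query log in the previous post and the update-security log in this one were read by eye. Below is an added example, not from the thread, of one parser for both: it counts identical repeated queries per client (the 16 SRV lookups above), lists refused dynamic updates per zone and signer, and derives a least-privilege update-policy for the reverse zone as the replacement for the `allow-update { any; };` tried above. The sample log lines are constructed to match the formats shown in the thread. The `ms-subdomain` rule type is my assumption about the right BIND match for `machine$@REALM` signers (the thread only shows a `krb5-self` attempt that failed), so check the result with `named-checkconf` and a signed `nsupdate -g` from a joined client before relying on it.

```python
"""Added example (not from the thread): one parser for BIND's querylog and
update-security lines, plus a least-privilege update-policy derived from the
refused updates. Sample lines are constructed to match the thread's formats."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# BIND logs each entry on one line; the mailer wrapped them in the thread.
QUERY_RE = re.compile(
    r"^\S+ \S+ queries: info: client (?P<client>\S+)#\d+ \((?P<qname>[^)]+)\): "
    r"view \S+: query: \S+ IN (?P<qtype>\S+)")
DENIED_RE = re.compile(
    r"^\S+ \S+ update-security: error: client (?P<client>\S+)#\d+: "
    r"view \S+: update '(?P<zone>[^/']+)/IN' denied")
REFUSED_RE = re.compile(
    r"^\S+ \S+ update: info: client (?P<client>\S+)#\d+/key (?P<signer>\S+): "
    r"view \S+: updating zone '(?P<zone>[^/']+)/IN': update failed: (?P<reason>.+)$")


def repeated_queries(lines: Iterable[str], threshold: int = 5) -> List[Tuple[str, str, str, int]]:
    """(client, qname, qtype, count) for each identical query seen >= threshold
    times, most frequent first, so a burst can be lined up with the DC's own logs."""
    counts: Counter = Counter()
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            counts[(m["client"], m["qname"].lower(), m["qtype"])] += 1
    hits = [(c, n, t, k) for (c, n, t), k in counts.items() if k >= threshold]
    return sorted(hits, key=lambda h: -h[3])


def refused_updates(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """zone -> signer -> number of refused updates. A Windows client first sends
    an unsigned update and only retries with GSS-TSIG when that is refused, so
    the unsigned attempt is recorded under the pseudo-signer 'unsigned'."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            out[m["zone"]]["unsigned"] += 1
            continue
        m = REFUSED_RE.match(line)
        if m:
            out[m["zone"]][m["signer"].replace("\\", "")] += 1  # BIND escapes $ and @
    return {zone: dict(c) for zone, c in out.items()}


def update_policy_for(zone: str, signers: Iterable[str]) -> str:
    """named.conf update-policy letting only machine accounts (machine$@REALM)
    of the realms actually seen change PTR records in `zone`: the least-privilege
    replacement for allow-update { any; }. Assumption, not verified in the thread:
    BIND's ms-subdomain rule matches machine$@REALM signers, while the krb5-*
    rules expect host/machine@REALM principals."""
    realms = sorted({s.split("@", 1)[1] for s in signers if "$@" in s})
    if not realms:
        return ""
    grants = "\n".join(f"    grant {r} ms-subdomain {zone.rstrip('.')}. PTR;" for r in realms)
    return f"update-policy {{\n{grants}\n}};"


# Constructed sample in the formats shown in the thread.
SAMPLE_LOG = [
    f"04-Aug-2016 14:46:58.{414 + i:03d} queries: info: client 10.0.1.186#{59270 + i} "
    "(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local): view internal: "
    "query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.cyberdyne.local IN SRV + (10.0.1.6)"
    for i in range(16)
] + [
    "04-Aug-2016 14:46:59.000 queries: info: client 10.0.1.186#59300 (skynet.ad.cyberdyne.local): "
    "view internal: query: skynet.ad.cyberdyne.local IN A + (10.0.1.6)",
    "04-Aug-2016 17:09:52.381 update-security: error: client fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: "
    "view internal: update '1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN' denied",
    "04-Aug-2016 17:09:52.382 update: info: client fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#54604/key "
    "cyb64w10-monste\\$\\@AD.CYBERDYNE.LOCAL: view internal: updating zone "
    "'1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN': update failed: rejected by secure update (REFUSED)",
]
REVERSE_ZONE = "1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa"

if __name__ == "__main__":
    for client, qname, qtype, n in repeated_queries(SAMPLE_LOG):
        print(f"{n:3d}x {qtype} {qname} from {client}")
    for zone, signers in refused_updates(SAMPLE_LOG).items():
        print(f"refused updates in {zone}: {signers}")
        print(update_policy_for(zone, signers))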
r***@bluemail.ch
2016-08-04 19:14:39 UTC
Hello Rowland,
No it's not, it's fairly easy once you get your head around it. I have
been using something based on that webpage for nearly 4 years now and
only had self-inflicted problems.
Thanks for the heads-up. Perhaps my wording wasn't very good on it. I
would actually just prefer something built-in into BIND rather than
using an external script. That's why I was hoping for something like the
krb5 grant. So as I understood you're using the script method instead.
Is it because at the time you put your solution in place there was no
support for Kerberos in BIND or is it because you investigated and found
BIND not to support authorization via Kerberos and Samba?

Perhaps somebody knows more about the Kerberos support in BIND and can
point me to a guide. Else I will likely go for the external script
solution as well for production.

Anyway I need to get a solution for the GPO issues before even thinking
about production use of Samba 4 with Win10 + AD.


Thank you!
Rainer
L.P.H. van Belle
2016-08-05 09:26:07 UTC
Hai,
Windows can update the forward zone but, if I understand it correctly,
it doesn't update the reverse zone; Unix clients don't either.
Rowland
--
Some more info on this.

- Windows 7/static IPs
Here Windows does update the forward and reverse zone,
but only when you use a static IP, so to avoid problems here
all my normal PCs have static IPs.

- Windows 7/DHCP IPs
My DHCP clients only update the forward zones, no reverse,
but this should be fixable; I just haven't looked into this (yet).
(I didn't need it (yet).)

Win 10: I'm configuring a PC now and setting up the GPO.
When done, I'll test that and report back how that goes.



Greetz,

Louis
r***@bluemail.ch
2016-08-05 20:54:34 UTC
Hello Louis,
Post by L.P.H. van Belle
Win 10: I'm configuring a PC now and setting up the GPO.
When done, I'll test that and report back how that goes.
I actually set up a Win7 VM to test whether GPO sync works fine with it.
So I installed Windows 7 Professional with the last update rollup installed.
Unfortunately I get exactly the same errors as I get in Windows 10 Pro.

I am seriously thinking about an issue with my Samba installation or
something which was broken during classicupgrade. I am facing the same
issues on two additional Samba 4.2 installations, both were
classic-upgraded.

Then I started investigating whether Samba provides some kind of
"verification" tool.
Unfortunately I tried 'samba-tool domain provision' once where I found
it's not only verifying but actually resetting the Samba configuration
(Privileges, User Accounts, Machine Accounts etc.).


In fact I would be willing to re-configure my Samba installation from
scratch. Actually there is only little data I would have to re-do and I
did some research on whether it's possible to export this data and
re-import it later. I did find a couple of transfer guides (how to
transfer from one hardware to another) but here I think I would simply
copy the /var/lib/samba and /etc/samba folders which should work.

In my case I am looking for
- Export user database (including passwords, SID(!!), unix LDAP
attributes etc.)
- Export group database (including SID)
- Export machine accounts (optional, I might re-join the machines)
- Keep domain SID (net getlocalsid / net setlocalsid)
- Anything else?


Actually especially the users database would be a hassle to re-create as
I would have to inform the users and since I am using roaming profiles
they should keep their SID as the user profile backup (mainly ntuser.dat
registry hive) refers to the SID for security descriptors. So I would
run into trouble if the user is assigned a new SID. Moreover some users
have Unix attributes (UID, home directory, shell) attributes which I
should keep as some of them need to log in to the shell too. Needless to
say that changing the owner of all files owned by specific UID would be
troublesome.
But assuming I could export the complete user/group database and
re-import them (all users except built-in ones like Administrator,
service accounts etc.) I would be fine with it.

I already tried
pdbedit -e smbpasswd:/mydir/myfile
pdbedit -i smbpasswd:/mydir/myfile
but it didn't work. The export was fine and the dump was created but
import fails with an obscure message:
build_sam_account: smbpasswd database is corrupt! username <user>
with uid <uid> is not in unix passwd database!
Username not found!

Which is weird as of course the user does not exist when I try to import
it. Moreover looking at the exported file it looks like only the plain
Windows attributes are exported and especially the SID is not retained.
So even when the user is restored it would be an issue to log on with
its old profile assigning permissions to the old SID (e.g. in user
registry hive). And I certainly don't want the users to start
configuring all their profiles from scratch.


Honestly I was a bit busy restoring my Samba installation after
accidentally scratching it and I didn't do any test on GPO sync after I
accidentally scratched it - my bad. I will do this again and verify
whether I can sync GPO properly on a freshly initialized installation
using 'samba-tool domain provision' with my current smb.conf left intact.


Does anybody know whether such a migration of users and machine accounts
to a new installation is possible?

Thanks
Rainer
L.P.H. van Belle
2016-08-08 10:10:28 UTC
Hai,

I've tested the following; I use static and DHCP IPs here.

Everything on static IP works perfectly on Win7 and Win10.
And at the domain join the A and PTR are created automatically.
GPO works fine for both.

DHCP IP.
Win 7 works fine, AD join A and PTR are created and updated when the IP changes. GPO works fine.


Win 10 works, AD join A and PTR are created but not updated when the IP changes. GPO works fine until the IP is updated.
So I'll look into the "why" the PTR is not updated on Win10.
Besides that it looks normal here.


Rainer,
I don't think there is an issue with your install.
But I would change the krb5.conf, though I'm no Kerberos guru; I would think it's something like below that you need.


[libdefaults]
default_realm = AD.CYBERDYNE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
AD.CYBERDYNE.LOCAL = {
default_domain = ad.cyberdne.local
kdc = skynet.ad.cyberdyne.local
admin_server = skynet.ad.cyberdyne.local
}

[domain_realm]
.ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
.cyberdyne.local = AD.CYBERDYNE.LOCAL
cyberdyne.local = AD.CYBERDYNE.LOCAL

or

[libdefaults]
default_realm = AD.CYBERDYNE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

[domain_realm]
.ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
ad.cyberdyne.local = AD.CYBERDYNE.LOCAL
.cyberdyne.local = AD.CYBERDYNE.LOCAL
cyberdyne.local = AD.CYBERDYNE.LOCAL


Greetz,

Louis
-----Original message-----
Sent: Friday 5 August 2016 22:55
Subject: Re: [Samba] Samba 4.2.14 Group Policy (GPO) sync error
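An added example (not code from this thread, from Samba, or from any of the posters) for the export question Rainer raises above. The smbpasswd text format that `pdbedit -e` writes has no SID column, which matches what he observed. An AD-side export can instead be taken as LDIF, for instance with `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName objectSid uidNumber unixHomeDirectory loginShell` (the path is Samba's default private directory and is assumed here), and then checked for the attributes that must survive a re-import: the binary objectSid and the RFC 2307 Unix attributes. The script decodes objectSid from its binary layout and flags accounts that lack any of those attributes. The LDIF it runs on is a constructed sample shaped like ldbsearch output; the account names and SIDs in it are made up.

```python
import base64
import struct

# RFC 2307 attributes that must survive the export, besides the SID itself.
UNIX_ATTRS = ("uidNumber", "unixHomeDirectory", "loginShell")


def sid_to_bytes(sid):
    """Encode a textual SID (S-R-A-s1-s2-...) in the binary objectSid layout:
    revision, sub-authority count, 48-bit big-endian authority, 32-bit LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw):
    """Decode a binary objectSid back to its textual form; rejects truncated values."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    and returns one {attribute: [values]} dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # 'attr:: base64' for binary values
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_export(ldif_text):
    """For every user entry, report the decoded SID and which required attributes are absent."""
    rows = []
    for entry in parse_ldif(ldif_text):
        if "user" not in entry.get("objectClass", []):
            continue
        sid_raw = entry.get("objectSid", [None])[0]
        rows.append({
            "sAMAccountName": entry["sAMAccountName"][0],
            "objectSid": bytes_to_sid(sid_raw) if sid_raw else None,
            "missing": [a for a in ("objectSid",) + UNIX_ATTRS if a not in entry],
        })
    return rows


def _b64(sid):
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")


# Constructed sample shaped like ldbsearch LDIF output; names and SIDs are made up.
JDOE_SID = "S-1-5-21-1000-2000-3000-1105"
SVC_SID = "S-1-5-21-1000-2000-3000-1106"
SAMPLE_LDIF = """\
dn: CN=jdoe,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: jdoe
objectSid:: %s
uidNumber: 10001
unixHomeDirectory: /home/jdoe
loginShell: /bin/bash

dn: CN=svc-backup,CN=Users,DC=ad,DC=cyberdyne,DC=local
objectClass: top
objectClass: user
sAMAccountName: svc-backup
objectSid:: %s
""" % (_b64(JDOE_SID), _b64(SVC_SID))

if __name__ == "__main__":
    for row in audit_export(SAMPLE_LDIF):
        print(row)
```

Run against a real ldbsearch dump, an account whose `missing` list is non-empty is one that would come back without its Unix identity (or, worse, without its SID) after a re-import, so it is the list to clear before rebuilding a domain whose roaming profiles and file ownership depend on those values staying put.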
r***@bluemail.ch
2016-08-08 20:44:02 UTC
Hi Louis,
Post by L.P.H. van Belle
I've tested the following, I use static and DHCP IP here.
I am using DHCP only.
Post by L.P.H. van Belle
Everything on static IP works perfectly on win7 and win10.
And at the domain join the A and PTR are created automatically.
GPO works fine for both.
Can't tell about static setup as it's impractical in my networks.
Post by L.P.H. van Belle
Dhcp ip.
Win 7 works fine, AD join A and PTR is created and updated when the IP changes. GPO works fine.
Was it a fully patched Windows 7 Pro? As mine still complains about
being unable to change the name on domain join and also it fails to
update GPO.
Post by L.P.H. van Belle
Win 10 works, AD join A and PTR is created but not updated when the IP changes. GPO works fine until the IP is updated
So i'll look into the "why" the ptr is not updated on win10.
Besides that it looks normal here.
Alright, but I doubt this will solve my problem. It probably just showed
another problem with Samba which is only partially related. Because my
IPs don't change very often even with DHCP setup it should actually work
for me at least right after Domain join.
Post by L.P.H. van Belle
Rainer,
I don't think there is an issue with your install.
But I would change the krb5.conf too, but I'm no kerberos guru, I would think it's something like below what you need.
I did change my krb5.conf exactly to what you proposed (first proposal
with dns_lookup_realm = false and realm defined), then restarted Samba
and still run into the same issue.

gpupdate:
The processing of Group Policy failed. Windows could not resolve the
computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were
encountered:

The processing of Group Policy failed. Windows could not resolve the
user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from the command line to access information about Group
Policy results.


This happens on at least 3 classicupgraded Samba installations here.


Any idea how to trace it down?

best regards,
Rainer
Achim Gottinger
2016-08-08 21:05:30 UTC
Hello Rainer,

I remember this error. In my case the pc tried to connect to the gpo
share not via the server name but via the domain name. In your case
ad.cyberdyne.local.
In my case the domain name sometimes resolved to AD DC servers in
subnets which were not reachable from the client PC, so the connection failed.
Can you browse ad.cyberdyne.local from your client PC? And can it be you
also have AD DC servers in other non-reachable subnets?

Achim~
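Achim's suggestion above, turned into a check, as an added example that is not part of the thread and not Samba's code: resolve the domain name (in AD it carries an A/AAAA record for every DC, so the client may land on any of them) and probe each returned address on the LDAP and SMB ports that Group Policy processing needs to read the policy objects and \\domain\SYSVOL. The resolver and the probe are injectable so the logic can also be exercised on constructed data; ad.cyberdyne.local is the domain from the thread, the addresses used in the test are made up.

```python
import socket

# Ports Group Policy processing needs on a DC: LDAP for the policy objects,
# SMB for \\domain\SYSVOL.
GPO_PORTS = (389, 445)


def resolve_domain(name, resolver=socket.getaddrinfo):
    """Addresses the domain name resolves to, in answer order, without duplicates."""
    seen = []
    for _family, _type, _proto, _canon, sockaddr in resolver(name, None):
        ip = sockaddr[0]                 # works for both AF_INET and AF_INET6 tuples
        if ip not in seen:
            seen.append(ip)
    return seen


def tcp_probe(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain_dcs(name, ports=GPO_PORTS, resolver=socket.getaddrinfo, probe=tcp_probe):
    """Map each address behind the domain name to {port: reachable?}."""
    return {ip: {port: probe(ip, port) for port in ports}
            for ip in resolve_domain(name, resolver)}


def unreachable_dcs(report):
    """Addresses the domain name hands out that fail at least one required port."""
    return sorted(ip for ip, ports in report.items() if not all(ports.values()))


if __name__ == "__main__":
    # Domain name taken from the thread; run this from the client's subnet.
    report = check_domain_dcs("ad.cyberdyne.local")
    for ip, ports in report.items():
        print(ip, ports)
    bad = unreachable_dcs(report)
    print("unreachable from here:", bad or "none")
```

If the list printed as unreachable is non-empty, the client has a chance of being pointed at a DC it cannot talk to every time it resolves the bare domain name, which is exactly the failure mode Achim describes; run it from the affected client's network, not from the DC itself.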
r***@bluemail.ch
2016-08-04 21:20:40 UTC
Hi Rowland,
No, the kerberos support was built into Bind, but it isn't Bind that
runs the script, it is DHCP.
Windows can update the forward zone, but, if I understand it correctly,
it doesn't update the reverse zone; Unix clients don't either.
Are you sure about this?
I know about the DDNS update from DHCP and I have enabled it for my
cyberdyne.local zone and it works fine. But this will update BIND on
DHCP request and the update is triggered by the DHCP.

In my case I see the Windows client asking to update the DNS (if I read
the log properly):

04-Aug-2016 17:09:52.381 update-security: error: client
fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: view internal: update
'1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN' denied
04-Aug-2016 17:09:52.382 update: info: client
fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#54604/key
cyb64w10-monste$@AD.CYBERDYNE.LOCAL: view internal: updating zone
'1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN': update failed: rejected
by secure update (REFUSED)

Therefore the client needs to authenticate to BIND in order to update
its own entry (forward and reverse). I think the forward entry is
updated via kerberos authentication to the bind_dlz module directly by
the client too. It actually also updates the PTR records if I use only
bind_dlz. But in my case I am operating my own reverse zone and here I
don't know how to authenticate Windows clients to update the zone.


Perhaps I am wrong on this point. I need to investigate a bit further
tomorrow.


Thanks for your time and patience!

Rainer
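The BIND update log lines Rainer quotes are the evidence to key on when a client's own dynamic DNS update is being refused. As an added example (not from the thread, from BIND or from Samba), here is a small parser that pulls the client address, the GSS-TSIG key principal (machine$@REALM), the zone and the outcome out of such lines and tallies rejected updates per zone and principal. The first two sample lines are the ones from the mail; the third is a constructed line in the shape of a successful update, included so the parser has an accepted case to tell apart.

```python
import re
from collections import Counter

# Shape of BIND's "update" / "update-security" category log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} [\d:.]+) (?P<category>[\w-]+): (?P<level>\w+): "
    r"client (?P<addr>\S+?)#(?P<port>\d+)(?:/key (?P<key>\S+?))?: "
    r"view (?P<view>\S+): (?P<msg>.*)$"
)
ZONE_RE = re.compile(r"'(?P<zone>[^']+)'")

# Two lines quoted in the mail, plus one constructed accepted update for contrast.
SAMPLE_LOG = [
    "04-Aug-2016 17:09:52.381 update-security: error: client "
    "fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: view internal: update "
    "'1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN' denied",
    "04-Aug-2016 17:09:52.382 update: info: client "
    "fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#54604/key "
    "cyb64w10-monste$@AD.CYBERDYNE.LOCAL: view internal: updating zone "
    "'1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN': update failed: rejected "
    "by secure update (REFUSED)",
    # constructed: a signed update of the forward zone that BIND accepted
    "04-Aug-2016 17:10:01.120 update: info: client "
    "fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#49152/key "
    "cyb64w10-monste$@AD.CYBERDYNE.LOCAL: view internal: updating zone "
    "'ad.cyberdyne.local/IN': adding an RR at "
    "'cyb64w10-monste.ad.cyberdyne.local' AAAA fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6",
]


def parse_line(line):
    """Fields of one BIND update log line as a dict, or None if the line is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    zone = ZONE_RE.search(rec["msg"])
    rec["zone"] = zone.group("zone") if zone else None
    if "REFUSED" in rec["msg"]:
        rec["outcome"] = "refused"      # signed with a key, but the zone policy did not allow it
    elif rec["msg"].endswith(" denied"):
        rec["outcome"] = "denied"       # no /key on the line: the update was unsigned
    else:
        rec["outcome"] = "accepted"
    # Identify the updater by its key principal when there is one, else by address.
    rec["principal"] = rec["key"] or rec["addr"]
    return rec


def summarize(lines):
    """Count (zone, principal, outcome) triples over the given log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["zone"], rec["principal"], rec["outcome"])] += 1
    return counts


def rejected_updates(lines):
    """Map zone -> {principal: number of denied or refused updates}."""
    out = {}
    for (zone, who, outcome), n in summarize(lines).items():
        if outcome != "accepted":
            out.setdefault(zone, Counter())[who] += n
    return {zone: dict(c) for zone, c in out.items()}


if __name__ == "__main__":
    for zone, who in rejected_updates(SAMPLE_LOG).items():
        print(zone, who)
```

Fed the real named log, the output lists, per zone, which machine principals are presenting a valid key and still being refused; a zone that shows up only with "refused" entries for domain members is one whose update policy does not grant those principals anything, which is a different problem from a client that never signs its update at all.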