I am facing GPO sync errors with Samba 4.2.14 (any Samba version newer than 4.2.9 is affected). I first reported this to the Samba mailing list: <https://lists.samba.org/archive/samba/2016-August/201773.html>

This is an excerpt:

Since the Samba 4.2.11 upgrade my Windows 10 clients are unable to synchronize group policies. I have asked about this already here <https://lists.samba.org/archive/samba/2016-April/199226.html>. Now I have re-investigated the issue with the Windows 10 1607 update and still face the same issue, which prevents me from rolling out this configuration in production.

My Setup:
- Samba 4.2.14 in active directory domain controller role
- BIND_DLZ DNS backend
- Windows 10 Pro 1607 clients

I am successfully able to join the clients to the Samba AD domain, but they fail to synchronize group policies and therefore fail to apply logon/logoff scripts as well as important system settings. Executing 'gpupdate' on the command line yields the following output:

----
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one or more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one or more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
----

In short, several rounds of debugging on the list didn't solve the problem. My guess was therefore that something goes wrong with the Kerberos handling in Samba.
I actually found that the Samba ebuild disables bundled libraries in favor of the system Heimdal (currently version 1.5.2-rc2) installation and applies some patches to kdc.c in order to make it work with Heimdal 1.5.2-rc2. After trying with a patched ebuild not applying the patches and using bundled libraries, my GPO applies successfully again. The changes I did to the ebuild are:

# diff /usr/portage/net-fs/samba/samba-4.2.14.ebuild samba-4.2.14.ebuild 93c93 < "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch" --- > # "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch" 143,144c143,144 < --bundled-libraries=NONE < --builtin-libraries=NONE --- > # --bundled-libraries=NONE > # --builtin-libraries=NONE 258a259 >

I know this is not the final solution, as I would like to use the system Heimdal package to avoid having to use the bundled one, but obviously there is some bug in Heimdal 1.5.3-rc2 or an incompatibility with Samba. Perhaps the bug is just triggered by some incompatibility caused by the compilefix patch:

--- samba-4.2.3/source4/kdc/kdc.c +++ samba-4.2.3/source4/kdc/kdc.c
@@ -967,9 +967,9 @@ * The old behavior in the _kdc_get_preferred_key() * function is use_strongest_server_key=TRUE. */ - kdc->config->as_use_strongest_session_key = false; + kdc->config->tgt_use_strongest_session_key = false; kdc->config->preauth_use_strongest_session_key = false; - kdc->config->tgs_use_strongest_session_key = false; + kdc->config->svc_use_strongest_session_key = false; kdc->config->use_strongest_server_key = true;

But trying to build with the system Heimdal and without the patch fails, as it looks like the system Heimdal installation does not have those members (as_use_strongest_session_key, tgs_use_strongest_session_key), yielding this compile error:

../source4/kdc/kdc.c:970:13: error: ‘krb5_kdc_configuration’ has no member named ‘as_use_strongest_session_key’
  kdc->config->as_use_strongest_session_key = false;
              ^
../source4/kdc/kdc.c:972:13: error: ‘krb5_kdc_configuration’ has no member named ‘tgs_use_strongest_session_key’
  kdc->config->tgs_use_strongest_session_key = false;

Perhaps somebody could verify the GPO issue with the Gentoo Samba ebuilds (this also applies to all newer Samba ebuilds) and come up with a solution other than using the bundled Heimdal. Meanwhile it might be wise to just fall back to the built-in libraries.
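Review bot: the ebuild diff is two coupled hunks plus a stray one, and the coupling is not stated. Commenting out `"${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch"` (93c93) only builds once `--bundled-libraries=NONE` and `--builtin-libraries=NONE` (143,144c143,144) are also commented out, because without the compilefix patch kdc.c does not compile against the system Heimdal (the `has no member named ‘as_use_strongest_session_key’` error quoted above). The `258a259` hunk adds only an empty line and should be dropped. Rather than commenting the two flags out and silently inheriting the configure defaults, pass an explicit `--bundled-libraries=` list of the Heimdal pieces that must be bundled, and put a comment next to it saying that building against the system Heimdal breaks group policy for Windows clients, so a later "unbundle" cleanup does not quietly reintroduce this.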
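Review bot: the kdc.c hunk renames `as_use_strongest_session_key` to `tgt_use_strongest_session_key` and `tgs_use_strongest_session_key` to `svc_use_strongest_session_key` unconditionally, so the patched source builds only against a Heimdal whose `krb5_kdc_configuration` carries the tgt_/svc_ members, and the unpatched source only against one carrying as_/tgs_ (the compile error quoted above shows the system Heimdal has neither of the latter). This belongs behind a configure-time member check with an `#ifdef` around the two assignments, not a distro-applied source rename. The mapping itself (as → tgt, tgs → svc) is also a semantic claim that the system Heimdal's tgt_ flag governs the session-key choice for AS requests and svc_ governs it for TGS requests; nothing in the patch documents or verifies that, and these flags decide which session-key enctype the KDC hands out, so a wrong mapping changes ticket contents for every client. Add a comment stating the correspondence and where in the Heimdal source it was confirmed, not just that it compiles.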
Actually, the gpupdate issue also exists with Windows 7 clients. Moreover, I had an authentication issue updating the DNS name while the domain join was in progress. The DNS issue might be related. But I think the GPO update issue exists with Windows 7 and Windows 10 clients using the Gentoo ebuild with system Heimdal.
I would like to say that I have faced the same issue, and I confirm that this fix works. I also have a rarely-used Windows 2008 server instance that seems to have completely hosed policies requiring a reinstall, coinciding with my upgrade to Samba 4.2.11 (I only noticed after a reboot of that VM). I would also like to point out that it seems bug 594130 is a duplicate of this one. Most likely it will never be safe to use a system Heimdal unless someone wants to port any local changes in the Samba sources to the system Heimdal with every release.
This solves a few issues for me as well.
I can confirm the bug. And broken Group Policy is quite a bug indeed. From what I gather, any samba ebuild >4.2.9 is broken as a DC? Well fsck. I know bundled libraries are evil, so I don't know what the right thing to do here is, but this is in dire need of a fix. I got it going by removing the patch and setting bundles to 'heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,compile_et,NONE'. YMMV?
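Since the thread turns on which Heimdal a given Samba build actually links (the ebuild's system Heimdal versus Samba's bundled copy), here is an added check for that; it is an example written for this page, not code from the bug report, from Gentoo or from the Samba project. It assumes, and this is an assumption rather than something the thread states, that a Samba built with its bundled Heimdal installs the Kerberos libraries as private copies with a "-samba4" suffix (libkrb5-samba4.so.26 and friends), while a build against the system Heimdal resolves the plain libkrb5.so.26 from the system library directory. The ldd output embedded in the script is constructed for the demo, not captured from a real host; point the script at a real binary (for example /usr/sbin/samba) to check an actual DC.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify a Samba binary as linked
# against Samba's bundled Heimdal or the system Heimdal, from its ldd output.
# Assumption: bundled Heimdal ships as private "-samba4" libraries
# (libkrb5-samba4.so.26 ...); a system-Heimdal build links plain libkrb5.so.26.

# classify_heimdal <ldd-output-text>
# Prints exactly one word: bundled, system or none.
classify_heimdal() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'libkrb5-samba4\.so'; then
        echo bundled
    elif printf '%s\n' "$out" | grep -q 'libkrb5\.so'; then
        echo system
    else
        echo none
    fi
}

# check_samba_binary <path>
# Runs ldd on a real installed binary and classifies it.
check_samba_binary() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "not an executable: $bin" >&2
        return 2
    fi
    classify_heimdal "$(ldd "$bin" 2>/dev/null)"
}

# Constructed sample ldd output (not captured from a real system), one per case.
SAMPLE_BUNDLED='    linux-vdso.so.1 (0x00007ffd00000000)
    libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x00007f0000000000)
    libhdb-samba4.so.11 => /usr/lib64/samba/libhdb-samba4.so.11 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

SAMPLE_SYSTEM='    linux-vdso.so.1 (0x00007ffd00000000)
    libkrb5.so.26 => /usr/lib64/libkrb5.so.26 (0x00007f0000000000)
    libhdb.so.11 => /usr/lib64/libhdb.so.11 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# Usage:  sh check_heimdal.sh --demo          (run on the constructed samples)
#         sh check_heimdal.sh /usr/sbin/samba (check a real DC binary)
if [ "${1:-}" = "--demo" ]; then
    echo "constructed bundled sample: $(classify_heimdal "$SAMPLE_BUNDLED")"
    echo "constructed system sample:  $(classify_heimdal "$SAMPLE_SYSTEM")"
elif [ -n "${1:-}" ]; then
    check_samba_binary "$1"
fi
```

The bundled test is deliberately tried first: a binary that links libkrb5-samba4.so is using Samba's copy regardless of what else appears in the ldd listing, so that is the case the ebuild workaround in this thread is supposed to produce.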
I have an update on this. It looks like it's fixed by changes made in the Samba 4.5.4 ebuild. The ebuild now includes a couple of bundled libraries, including Kerberos. Unfortunately, version 4.5.4 is still masked, so it will take a while until this version is available to everyone. The official 4.2.x release can be patched as described here to include bundled libraries. The bug is actually not resolved but will eventually become obsolete on the release of the Samba 4.5.x ebuild.
The workaround offered here worked for me also. My first symptom was not being able to use the Windows machine DNS tool. Then I established that policies were not being deployed. I'm not happy about using bundled libraries, but Samba is key to my configuration, so I'll live with it until we find a better solution.