Bug 591212 - net-fs/samba-4.2.14 with app-crypt/heimdal and Windows 10: gpupdate: The processing of Group Policy failed.
Summary: net-fs/samba-4.2.14 with app-crypt/heimdal and Windows 10: gpupdate: The proc...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's SAMBA Team
Reported: 2016-08-13 20:53 UTC by Rainer Meier
Modified: 2017-04-07 20:48 UTC
CC: 4 users
Description Rainer Meier 2016-08-13 20:53:37 UTC
I am facing GPO sync errors with Samba 4.2.14 (any Samba version newer than 4.2.9 is affected).

I have first reported this to the Samba mailing list:
<https://lists.samba.org/archive/samba/2016-August/201773.html>

This is an excerpt:

Since the Samba 4.2.11 upgrade my Windows 10 clients are unable to synchronize group policies. I have asked about this already here <https://lists.samba.org/archive/samba/2016-April/199226.html>. Now I re-investigate the issue with the Windows 10 1607 update and still face the same issue, which prevents me from rolling out this configuration in production.

My Setup:
- Samba 4.2.14 in active directory domain controller role
- BIND_DLZ DNS backend
- Windows 10 Pro 1607 clients


I am successfully able to join the clients to the Samba AD domain but they fail to synchronize group policies and therefore fail to apply logon/logoff scripts as well as important system settings.

Executing 'gpupdate' on the command line yields the following output:
----
The processing of Group Policy failed. Windows could not resolve the computer 
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain 
controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were 
encountered:

The processing of Group Policy failed. Windows could not resolve the user name. 
This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain 
controller has not replicated to the current domain controller).
----

In short, the debugging done on the list didn't solve the problem. My guess was therefore that something goes wrong with Samba's Kerberos handling.

I actually found that the Samba ebuild disables the bundled libraries in favor of the system Heimdal installation (currently version 1.5.2-rc2) and applies some patches to kdc.c in order to make it work with Heimdal 1.5.2-rc2.

After trying a patched ebuild that does not apply the patches and uses the bundled libraries, my GPOs apply successfully again. The changes I made to the ebuild are:

# diff /usr/portage/net-fs/samba/samba-4.2.14.ebuild samba-4.2.14.ebuild
93c93
<       "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch"
---
>       # "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch"
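Review bot: commenting out the heimdal_compilefix patch only works together with the bundled-libraries change in the next hunk, because without the patch kdc.c references as_use_strongest_session_key and tgs_use_strongest_session_key, which the system Heimdal header lacks (see the compile error further down); the two edits should be tied together (e.g. apply the patch only when building against the system Heimdal), and the commented-out line should be removed from the PATCHES list rather than left as dead text.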
143,144c143,144
<               --bundled-libraries=NONE
<               --builtin-libraries=NONE
---
>               # --bundled-libraries=NONE
>               # --builtin-libraries=NONE
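Review bot: commenting out --bundled-libraries=NONE and --builtin-libraries=NONE hands the bundling decision to the build's defaults instead of an explicit list; restricting it to the Kerberos set and keeping the rest on the system, as the list in comment 4 does ('heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,compile_et,NONE'), limits the workaround to the component actually at fault.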
258a259
>
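Review bot: the 258a259 hunk only adds an empty line and carries no change; it should be dropped from the diff.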


I know this is not the final solution, as I would like to use the system Heimdal package too, to avoid having to use the bundled one, but obviously there is some bug in Heimdal 1.5.3-rc2 or an incompatibility with Samba.



Perhaps the bug is just triggered by some incompatibility caused by the compilefix patch:

--- samba-4.2.3/source4/kdc/kdc.c
+++ samba-4.2.3/source4/kdc/kdc.c
@@ -967,9 +967,9 @@
          * The old behavior in the _kdc_get_preferred_key()
          * function is use_strongest_server_key=TRUE.
          */
-       kdc->config->as_use_strongest_session_key = false;
+       kdc->config->tgt_use_strongest_session_key = false;
         kdc->config->preauth_use_strongest_session_key = false;
-       kdc->config->tgs_use_strongest_session_key = false;
+       kdc->config->svc_use_strongest_session_key = false;
         kdc->config->use_strongest_server_key = true;
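Review bot: the comment block above the changed lines is left untouched, so nothing records that tgt_use_strongest_session_key and svc_use_strongest_session_key are the member names of the system Heimdal 1.5.2-rc2 krb5_kdc_configuration rather than Samba's as_ and tgs_ ones; the mapping of as_ to tgt_ and tgs_ to svc_ should be stated in that comment and checked against the Heimdal header, because if the two structures select the session-key strength for different request types the KDC's behaviour changes, which is exactly the incompatibility the report suspects.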


But trying to build with the system Heimdal and without the patch fails, as it looks like the system Heimdal installation does not have those members (as_use_strongest_session_key, tgs_use_strongest_session_key), yielding this compile error:


../source4/kdc/kdc.c:970:13: error: ‘krb5_kdc_configuration’ has no member named ‘as_use_strongest_session_key’
   kdc->config->as_use_strongest_session_key = false;
              ^
../source4/kdc/kdc.c:972:13: error: ‘krb5_kdc_configuration’ has no member named ‘tgs_use_strongest_session_key’
   kdc->config->tgs_use_strongest_session_key = false;



Perhaps somebody could verify the GPO issue with the Gentoo Samba ebuilds (it also applies to all newer Samba ebuilds) and come up with a solution other than using the bundled Heimdal. Meanwhile it might be wise to just fall back to the built-in libraries.
Comment 1 Rainer Meier 2016-08-15 20:41:25 UTC
Actually the gpupdate issue also exists with Windows 7 clients. Moreover, I had an authentication issue updating the DNS name while the domain join was in progress. The DNS issue might be related.

But I think the GPO update issue exists with Windows 7 and Windows 10 clients using Gentoo ebuild with system Heimdal.
Comment 2 Douglas Paul 2016-09-20 12:24:19 UTC
I would like to say that I have faced the same issue, and confirm that this fix works.

I also have a rarely-used Windows 2008 server instance that seems to have completely hosed policies requiring a reinstall, coinciding with my upgrade to Samba 4.2.11 (only noticed after a reboot of that VM).

I would also like to point out that it seems bug 594130 is a duplicate of this one.

Most likely it will never be safe to use a system Heimdal unless someone wants to port any local changes in the Samba sources to the system Heimdal with every release.
Comment 3 rick vernam 2016-09-29 00:59:19 UTC
This solves a few issues for me as well.
Comment 4 Mattias Merilai 2016-12-08 12:25:52 UTC
I can confirm the bug. And broken Group Policy is quite a bug indeed. From what I gather, any samba ebuild >4.2.9 is broken as a DC? Well fsck.
I know bundled libraries are evil, so I don't know what's the right thing to do here, but this is in dire need of a fix.
I got it going by removing the patch and setting bundles to 'heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,compile_et,NONE'. YMMV?
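A check for the workaround above (the ebuild change in the description and the bundled list in this comment), added here and not taken from the bug report or from Samba: given `ldd` output for a Samba binary, it reports whether the Kerberos libraries resolve to Samba's bundled Heimdal, to the system Heimdal, or to a mix of both. It assumes the bundled copies are installed as private libraries with a "-samba4" suffix (e.g. libkrb5-samba4.so); the sample ldd lines are constructed.

```shell
# Classify which Heimdal a Samba binary is linked against, from `ldd` output on stdin.
# Assumption: bundled Heimdal libraries carry a "-samba4" suffix (libkrb5-samba4.so,
# libhdb-samba4.so, ...), while the system Heimdal uses the plain names (libkrb5.so, ...).
# Prints one of: bundled, system, mixed, none.  A "mixed" result is the case to worry
# about: Kerberos code would then be split across two Heimdal builds.
classify_krb5_linkage() {
    bundled=0
    system=0
    while IFS= read -r line; do
        case "$line" in
            *libkrb5-samba4.so*|*libhdb-samba4.so*|*libkdc-samba4.so*|*libgssapi-samba4.so*)
                bundled=$((bundled + 1)) ;;
            *libkrb5.so*|*libhdb.so*|*libkdc.so*|*libgssapi.so*)
                system=$((system + 1)) ;;
        esac
    done
    if [ "$bundled" -gt 0 ] && [ "$system" -gt 0 ]; then
        echo mixed
    elif [ "$bundled" -gt 0 ]; then
        echo bundled
    elif [ "$system" -gt 0 ]; then
        echo system
    else
        echo none
    fi
}

# Constructed sample: ldd lines for a Samba built with the bundled Heimdal.
sample_bundled_ldd() {
    printf '%s\n' \
        '	libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x1)' \
        '	libhdb-samba4.so.11 => /usr/lib64/samba/libhdb-samba4.so.11 (0x2)' \
        '	libc.so.6 => /lib64/libc.so.6 (0x3)'
}

# Constructed sample: the same binary built against the system Heimdal.
sample_system_ldd() {
    printf '%s\n' \
        '	libkrb5.so.26 => /usr/lib64/libkrb5.so.26 (0x1)' \
        '	libhdb.so.11 => /usr/lib64/libhdb.so.11 (0x2)' \
        '	libc.so.6 => /lib64/libc.so.6 (0x3)'
}

# Against a real installation (not run here): ldd /usr/sbin/samba | classify_krb5_linkage
sample_bundled_ldd | classify_krb5_linkage
sample_system_ldd | classify_krb5_linkage
```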
Comment 5 Rainer Meier 2017-01-20 11:26:07 UTC
I have an update on this.
It looks like it's fixed by changes done in the Samba 4.5.4 ebuild. The ebuild now includes a couple of bundled libraries, including Kerberos.

Unfortunately version 4.5.4 is still masked. So it will take a while until this version is available to everyone.

The official 4.2.x release can be patched as described here to include bundled libraries.

The bug is actually not resolved but will eventually become obsolete on the release of the Samba 4.5.x ebuild.
Comment 6 James Poole 2017-04-07 20:48:11 UTC
The workaround offered here worked for me also.
My first symptom was not being able to use the Windows machine DNS tool. Then I established that policies were not being deployed.

I'm not happy about using bundled libraries, but Samba is key to my configuration so I'll live with it until we find a better solution.