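# Reproduce the GPO-listing step adsys runs, using the machine account's ticket cache.
# hostname is the machine's short name: it names the cache under /var/run/adsys/krb5cc/
# and is the gpolist target, so it is taken from one variable in both places.
: "${hostname:?set hostname to the machine's short name before running}"
export KRB5CCNAME="/var/run/adsys/krb5cc/${hostname}"
# Dump the embedded gpolist helper (written as ./adsys-gpolist) and run it by hand.
adsysctl policy debug gpolist-script
chmod +x adsys-gpolist
# Quoted so the target stays one word; a literal <hostname> would be parsed as redirections.
./adsys-gpolist --objectclass computer ldap://domaincontroller.domain.com "${hostname}"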
DEBUG Connecting as [[12227:085002]]
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:27
StreamServerInterceptor.func1() New request /service/GPOListScript
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:60
loggedServerStream.RecvMsg() Requesting with parameters:
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:111
Authorizer.IsAllowedFromContext() Check if grpc request peer is authorized
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:153
Authorizer.isAllowed() Any user always authorized
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://domaincontroller.domain.com' with backend 'ldap':
LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error:
NT_STATUS_INVALID_PARAMETER')
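# Fetch GPT.INI over SMB with Kerberos at log level 10 to expose the GENSEC negotiation.
# -k is deprecated on this Samba (the trace warns about it); --use-kerberos=required replaces it.
# sudo drops the exported KRB5CCNAME, so smbclient fell back to root's default cache
# (FILE:/tmp/krb5cc_0 in the trace) instead of the adsys ticket; hand the cache through explicitly.
: "${KRB5CCNAME:?export KRB5CCNAME to the adsys ticket cache first}"
sudo env KRB5CCNAME="${KRB5CCNAME}" smbclient --option='log level=10' \
  --use-kerberos=required //Domaincontroller.domain.com/SYSVOL/ \
  -c 'get Domaincontroller.domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}/GPT.INI /dev/fd/1' | cat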
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = domain
doing parameter security = ADS
doing parameter realm = domain.COM
doing parameter encrypt passwords = yes
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
doing parameter idmap config *:range = 16777216-33554431
doing parameter winbind use default domain = yes
doing parameter kerberos method = secrets and keytab
doing parameter winbind refresh tickets = yes
doing parameter template shell = /bin/bash
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=I.P.204.83 bcast=I.P.207.255 netmask=255.255.252.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: Returning sitename for realm 'domain.COM': "703-XX001"
internal_resolve_name: looking up Domaincontroller.domain.com#20 (sitename
703-XX001)
gencache_set_data_blob: Adding cache entry with
key=[NBT/Domaincontroller.domain.COM#20] and timeout=[Wed Dec 31 19:00:00 1969
EST] (-1696431102 seconds in the past)
namecache_fetch: no entry for Domaincontroller.domain.com#20 found.
resolve_hosts: Attempting host lookup for name Domaincontroller.domain.com<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for Domaincontroller.domain.com#20:
I.P.163.93
gencache_set_data_blob: Adding cache entry with
key=[NBT/Domaincontroller.domain.COM#20] and timeout=[Wed Oct 4 11:02:42 2023
EDT] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: I.P.163.93
Connecting to I.P.163.93 at port 445
convert_string_handle: E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16
error: No more room
Connecting to I.P.163.93 at port 139
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1,
TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0,
IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072,
SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1,
TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[Domaincontroller.domain.com]
cli_session_setup_spnego_send: Connect to Domaincontroller.domain.com as
[email protected] using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous
failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the
caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
gensec_update_send: spnego[0x55ab900180e0]: subreq: 0x55ab9001e6f0
gensec_update_done: spnego[0x55ab900180e0]: NT_STATUS_INVALID_PARAMETER
tevent_req[0x55ab9001e6f0/../../auth/gensec/spnego.c:1631]: state[3]
error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct
gensec_spnego_update_state (0x55ab9001e8b0)] timer[(nil)]
finish[../../auth/gensec/spnego.c:1947]
SPNEGO login failed: An invalid parameter was passed to a service or function.
session setup failed: NT_STATUS_INVALID_PARAMETER
https://bugs.launchpad.net/bugs/2024377
Title:
Adsys can't fetch GPOs
Status in adsys package in Ubuntu:
Confirmed
Bug description:
Apologies in advance for my poor, possibly hard-to-understand English.
Can't find anything related to this on Github, Canonical Forums,
Reddit or StackOverflow.
On Ubuntu 22.04, I've followed the wiki tutorial and verified all
steps in the Integration Ubuntu Desktop whitepaper. Using the SSSD
backend, I can log in with Active Directory users; however, when adsys is
installed, I can't fetch GPOs. In this version the error is:
ERROR Error from server: error while updating policy: can't get
policies for "ubuntu": can't download all gpos and assets: one or more
error while fetching GPOs and assets: can't download "ubuntuRoot":
can't check if ubuntuRoot needs refreshing: no GPT.INI file: cannot
open
smb://addc01.domain.com.br/SysVol/domain.com.br/Policies/{DF072E7E-6F2F-46D1-A90F-699415F72F2E}/GPT.INI:
invalid argument
It happens with "adsysctl update -m", with "adsysctl update
[email protected] /tmp/krb5c_getentId_randomdnumber", and with a plain
"adsysctl update" as well.
I've upgraded the machine to 22.10 and the error changed to:
ERROR Error from server: error while updating policy: can't get policies for
"ubuntu": failed to retrieve the list of GPO (exited with 1): exit status 1
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://addc01.domain.com.br' with backend 'ldap': LDAP
client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error:
NT_STATUS_INVALID_PARAMETER').
After upgrading to 23.04 the error persists, the same as above.
Full info 22.04 (-vvvv verbose):
INFO No configuration file: Config File "adsys" Not Found in "[/home/jzprates
/root /etc /usr/sbin]".
We will only use the defaults, env variables or flags.
DEBUG Connecting as [[2504:109556]]
DEBUG New request /service/UpdatePolicy
DEBUG Requesting with parameters: IsComputer: true, All: false, Target:
ubuntu, Krb5Cc:
DEBUG NormalizeTargetName for "ubuntu", type "computer"
DEBUG Check if grpc request peer is authorized
DEBUG Authorized as being administrator
DEBUG GetPolicies for "ubuntu", type "computer"
DEBUG Getting gpo list with arguments: "--objectclass computer
ldap://addc01.domain.com.br ubuntu"
DEBUG GPO "ubuntuRoot" for "ubuntu" available at
"smb://addc01.domain.com.br/SysVol/domain.com.br/Policies/{DF072E7E-6F2F-46D1-A90F-699415F72F2E}"
DEBUG Analyzing "assets"
DEBUG Analyzing "ubuntuRoot"
INFO No assets directory with GPT.INI file found on AD, skipping assets
download
ERROR Error from server: error while updating policy: can't get policies for
"ubuntu": can't download all gpos and assets: one or more error while fetching
GPOs and assets: can't download "ubuntuRoot": can't check if ubuntuRoot needs
refreshing: no GPT.INI file: cannot open
smb://addc01.domain.com.br/SysVol/domain.com.br/Policies/{DF072E7E-6F2F-46D1-A90F-699415F72F2E}/GPT.INI:
invalid argument
Full info 23.04 (-vvvv verbose):
INFO No configuration file: Config File "adsys" Not Found in "[/home/jzprates
/root /etc /usr/sbin]".
DEBUG Connecting as [[58811:006019]]
DEBUG New request /service/UpdatePolicy
DEBUG Requesting with parameters: IsComputer: true, All: false, Target:
ubuntu, Krb5Cc:
DEBUG NormalizeTargetName for "ubuntu", type "computer"
DEBUG Check if grpc request peer is authorized
DEBUG Authorized as being administrator
DEBUG GetPolicies for "ubuntu", type "computer"
DEBUG Getting gpo list with arguments: "--objectclass computer
ldap://addc01.domain.com.br ubuntu"
ERROR Error from server: error while updating policy: can't get policies for
"ubuntu": failed to retrieve the list of GPO (exited with 1): exit status 1
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://addc01.domain.com.br' with backend 'ldap': LDAP
client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error:
NT_STATUS_INVALID_PARAMETER')
Additional info:
The Domain Controller and the machine are on the same subnet, with no firewall at any
level;
The Domain Controller is a Windows Server 2019 with the latest security updates
applied;
Both the machine and the user are in the same OU, with "no heritage" enabled and just
one policy added to permit [email protected] to become root;
The directory in the info header is "/home/jzprates" in both logs because I
collected them from the local account using "sudo adsysctl update -m -vvvv";
If I disable the Adsys login profile in pam-auth-update, Ubuntu creates a home directory and
domain users log in correctly.
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: adsys 0.11.0
ProcVersionSignature: Ubuntu 6.2.0-23.23-generic 6.2.12
Uname: Linux 6.2.0-23-generic x86_64
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Mon Jun 19 11:22:10 2023
InstallationDate: Installed on 2023-06-13 (5 days ago)
InstallationMedia: Ubuntu 22.04.2 LTS "Jammy Jellyfish" - Release amd64
(20230223)
RelatedPackageVersions:
sssd 2.8.1-1ubuntu1
python3-samba 2:4.17.7+dfsg-1ubuntu1
SourcePackage: adsys
UpgradeStatus: Upgraded to lunar on 2023-06-16 (2 days ago)
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf:
[deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]