export KRB5CCNAME=/var/run/adsys/krb5cc/$hostname adsysctl policy debug gpolist-script chmod +x adsys-gpolist ./adsys-gpolist --objectclass computer ldap://domaincontroller.domain.com <hostname> DEBUG Connecting as [[12227:085002]] DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:27 StreamServerInterceptor.func1() New request /service/GPOListScript DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:60 loggedServerStream.RecvMsg() Requesting with parameters: DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:111 Authorizer.IsAllowedFromContext() Check if grpc request peer is authorized DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:153 Authorizer.isAllowed() Any user always authorized Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER Failed to connect to 'ldap://domaincontroller.domain.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER')
sudo smbclient --option='log level=10' //Domaincontroller.domain.com/SYSVOL/ -k -c 'get Domaincontroller.domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}/GPT.INI /dev/fd/1' | cat INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 auth_audit: 10 auth_json_audit: 10 kerberos: 10 drs_repl: 10 smb2: 10 smb2_credits: 10 dsdb_audit: 10 dsdb_json_audit: 10 dsdb_password_audit: 10 dsdb_password_json_audit: 10 dsdb_transaction_audit: 10 dsdb_transaction_json_audit: 10 dsdb_group_audit: 10 dsdb_group_json_audit: 10 WARNING: The option -k|--kerberos is deprecated! lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 auth_audit: 10 auth_json_audit: 10 kerberos: 10 drs_repl: 10 smb2: 10 smb2_credits: 10 dsdb_audit: 10 dsdb_json_audit: 10 dsdb_password_audit: 10 dsdb_password_json_audit: 10 dsdb_transaction_audit: 10 dsdb_transaction_json_audit: 10 dsdb_group_audit: 10 dsdb_group_json_audit: 10 Processing section "[global]" doing parameter workgroup = domain doing parameter security = ADS doing parameter realm = domain.COM doing parameter encrypt passwords = yes lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated doing parameter idmap config *:range = 16777216-33554431 doing parameter winbind use default domain = yes doing parameter kerberos method = secrets and keytab doing parameter winbind refresh tickets = yes doing parameter template shell = 
/bin/bash pm_process() returned Yes lp_servicenumber: couldn't find homes added interface eth0 ip=I.P.204.83 bcast=I.P.207.255 netmask=255.255.252.0 Client started (version 4.15.13-Ubuntu). Opening cache file at /run/samba/gencache.tdb sitename_fetch: Returning sitename for realm 'domain.COM': "703-XX001" internal_resolve_name: looking up Domaincontroller.domain.com#20 (sitename 703-XX001) gencache_set_data_blob: Adding cache entry with key=[NBT/Domaincontroller.domain.COM#20] and timeout=[Wed Dec 31 19:00:00 1969 EST] (-1696431102 seconds in the past) namecache_fetch: no entry for Domaincontroller.domain.com#20 found. resolve_hosts: Attempting host lookup for name Domaincontroller.domain.com<0x20> remove_duplicate_addrs2: looking for duplicate address/port pairs namecache_store: storing 1 address for Domaincontroller.domain.com#20: I.P.163.93 gencache_set_data_blob: Adding cache entry with key=[NBT/Domaincontroller.domain.COM#20] and timeout=[Wed Oct 4 11:02:42 2023 EDT] (660 seconds ahead) internal_resolve_name: returning 1 addresses: I.P.163.93 Connecting to I.P.163.93 at port 445 convert_string_handle: E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16 error: No more room Connecting to I.P.163.93 at port 139 socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0 session request ok negotiated dialect[SMB3_11] against server[Domaincontroller.domain.com] cli_session_setup_spnego_send: Connect to Domaincontroller.domain.com as <email address hidden> using SPNEGO GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 
'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'http_negotiate' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit. Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT gensec_update_send: spnego[0x55ab900180e0]: subreq: 0x55ab9001e6f0 gensec_update_done: spnego[0x55ab900180e0]: NT_STATUS_INVALID_PARAMETER tevent_req[0x55ab9001e6f0/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_spnego_update_state (0x55ab9001e8b0)] timer[(nil)] finish[../../auth/gensec/spnego.c:1947] SPNEGO login failed: An invalid parameter was passed to a service or function. session setup failed: NT_STATUS_INVALID_PARAMETER
export KRB5CCNAME=/var/run/adsys/krb5cc/$hostname
adsysctl policy debug gpolist-script
chmod +x adsys-gpolist
./adsys-gpolist --objectclass computer ldap://domaincontroller.domain.com <hostname>
DEBUG Connecting as [[12227:085002]]
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:27 StreamServerInterceptor.func1() New request /service/GPOListScript
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:60 loggedServerStream.RecvMsg() Requesting with parameters:
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:111 Authorizer.IsAllowedFromContext() Check if grpc request peer is authorized
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:153 Authorizer.isAllowed() Any user always authorized
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://domaincontroller.domain.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER')
sudo smbclient --option='log level=10' //Domaincontroller.domain.com/SYSVOL/ -k -c 'get Domaincontroller.domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}/GPT.INI /dev/fd/1' | cat
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = domain
doing parameter security = ADS
doing parameter realm = domain.COM
doing parameter encrypt passwords = yes
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
doing parameter idmap config *:range = 16777216-33554431
doing parameter winbind use default domain = yes
doing parameter kerberos method = secrets and keytab
doing parameter winbind refresh tickets = yes
doing parameter template shell = /bin/bash
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=I.P.204.83 bcast=I.P.207.255 netmask=255.255.252.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: Returning sitename for realm 'domain.COM': "703-XX001"
internal_resolve_name: looking up Domaincontroller.domain.com#20 (sitename 703-XX001)
gencache_set_data_blob: Adding cache entry with key=[NBT/Domaincontroller.domain.COM#20] and timeout=[Wed Dec 31 19:00:00 1969 EST] (-1696431102 seconds in the past)
namecache_fetch: no entry for Domaincontroller.domain.com#20 found.
resolve_hosts: Attempting host lookup for name Domaincontroller.domain.com<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for Domaincontroller.domain.com#20: I.P.163.93
gencache_set_data_blob: Adding cache entry with key=[NBT/Domaincontroller.domain.COM#20] and timeout=[Wed Oct 4 11:02:42 2023 EDT] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: I.P.163.93
Connecting to I.P.163.93 at port 445
convert_string_handle: E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16 error: No more room
Connecting to I.P.163.93 at port 139
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[Domaincontroller.domain.com]
cli_session_setup_spnego_send: Connect to Domaincontroller.domain.com as <email address hidden> using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
gensec_update_send: spnego[0x55ab900180e0]: subreq: 0x55ab9001e6f0
gensec_update_done: spnego[0x55ab900180e0]: NT_STATUS_INVALID_PARAMETER tevent_req[0x55ab9001e6f0/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_spnego_update_state (0x55ab9001e8b0)] timer[(nil)] finish[../../auth/gensec/spnego.c:1947]
SPNEGO login failed: An invalid parameter was passed to a service or function.
session setup failed: NT_STATUS_INVALID_PARAMETER