Ubuntu
adsys package

Bug #2024377
Comment #9

Comment 9 for bug 2024377

Revision history for this message

James Martin (jm76432) wrote on 2023-10-06:

root@LCXVDU22NPE4030:~# export KRB5CCNAME=/var/run/adsys/krb5cc/LCXVDU22NPE4030
adsysctl policy debug gpolist-script
chmod +x adsys-gpolist
./adsys-gpolist --objectclass computer ldap://N060ADKCDC109.domain.com LCXVDU22NPE4030
0000000000cEntCTX-Ubuntu-Edge smb://domain.com/SysVol/domain.com/Policies/{F7E97A8D-7DB1-4571-956A-005D1658DC35}
0000000000cEntCtx-Ubuntu-Test smb://domain.com/SysVol/domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}

root@LCXVDU22NPE4030:~# smbclient --option='log level=10' //N060ADKCDC109.domain.com/SYSVOL/ -k -c 'get domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}/GPT.INI /dev/fd/1' | cat
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = domain
doing parameter security = ADS
doing parameter realm = domain.COM
doing parameter encrypt passwords = yes
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
doing parameter idmap config *:range = 16777216-33554431
doing parameter winbind use default domain = yes
doing parameter kerberos method = secrets and keytab
doing parameter winbind refresh tickets = yes
doing parameter template shell = /bin/bash
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=10.34.204.247 bcast=10.34.207.255 netmask=255.255.252.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: Returning sitename for realm 'domain.COM': "703-XX001"
internal_resolve_name: looking up N060ADKCDC109.domain.com#20 (sitename 703-XX001)
namecache_fetch: name N060ADKCDC109.domain.com#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.254.163.93 at port 445
convert_string_handle: E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16 error: No more room
Connecting to 10.254.163.93 at port 139
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[N060ADKCDC109.domain.com]
cli_session_setup_spnego_send: Connect to N060ADKCDC109.domain.com as LCXVDU22NPE4030$@domain.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x55f4ae1acd70]: subreq: 0x55f4ae1909a0
gensec_update_send: spnego[0x55f4ae1a6030]: subreq: 0x55f4ae1ab820
gensec_update_done: gse_krb5[0x55f4ae1acd70]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f4ae1909a0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x55f4ae190b60)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x55f4ae1a6030]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f4ae1ab820/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55f4ae1ab9e0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
gensec_update_send: gse_krb5[0x55f4ae1acd70]: subreq: 0x55f4ae1a5ab0
gensec_update_send: spnego[0x55f4ae1a6030]: subreq: 0x55f4ae1b5cc0
gensec_update_done: gse_krb5[0x55f4ae1acd70]: NT_STATUS_OK tevent_req[0x55f4ae1a5ab0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x55f4ae1a5c70)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:866]
gensec_update_done: spnego[0x55f4ae1a6030]: NT_STATUS_OK tevent_req[0x55f4ae1b5cc0/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55f4ae1b5e80)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
session setup ok
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
tconx ok
dos_clean_name [\domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI]
unix_clean_name [\domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI]
map_open_params_to_ntcreate: fname = \domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI, deny_mode = 0x40, open_func = 0x1
map_open_params_to_ntcreate: file \domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI, access_mask = 0x120089, share_mode = 0x3, create_disposition = 0x1, create_options = 0x40 private_flags = 0x0
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
getting file \domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI of size 60 as /dev/fd/1 signed SMB2 message (sign_algo_id=1)
[General]
Version=13
displayName=New Group Policy Object
signed SMB2 message (sign_algo_id=1)
(0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
signed SMB2 message (sign_algo_id=1)
root@LCXVDU22NPE4030:~#

root@LCXVDU22NPE4030:~# export KRB5CCNAME=/var/run/adsys/krb5cc/LCXVDU22NPE4030
adsysctl policy debug gpolist-script
chmod +x adsys-gpolist
./adsys-gpolist --objectclass computer ldap://N060ADKCDC109.domain.com LCXVDU22NPE4030
0000000000cEntCTX-Ubuntu-Edge	smb://domain.com/SysVol/domain.com/Policies/{F7E97A8D-7DB1-4571-956A-005D1658DC35}
0000000000cEntCtx-Ubuntu-Test	smb://domain.com/SysVol/domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}

root@LCXVDU22NPE4030:~# smbclient --option='log level=10' //N060ADKCDC109.domain.com/SYSVOL/ -k -c 'get domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}/GPT.INI /dev/fd/1' | cat
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = domain
doing parameter security = ADS
doing parameter realm = domain.COM
doing parameter encrypt passwords = yes
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
doing parameter idmap config *:range = 16777216-33554431
doing parameter winbind use default domain = yes
doing parameter kerberos method = secrets and keytab
doing parameter winbind refresh tickets = yes
doing parameter template shell = /bin/bash
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=10.34.204.247 bcast=10.34.207.255 netmask=255.255.252.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: Returning sitename for realm 'domain.COM': "703-XX001"
internal_resolve_name: looking up N060ADKCDC109.domain.com#20 (sitename 703-XX001)
namecache_fetch: name N060ADKCDC109.domain.com#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.254.163.93 at port 445
convert_string_handle: E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16 error: No more room
Connecting to 10.254.163.93 at port 139
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
 session request ok
 negotiated dialect[SMB3_11] against server[N060ADKCDC109.domain.com]
cli_session_setup_spnego_send: Connect to N060ADKCDC109.domain.com as LCXVDU22NPE4030$@domain.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x55f4ae1acd70]: subreq: 0x55f4ae1909a0
gensec_update_send: spnego[0x55f4ae1a6030]: subreq: 0x55f4ae1ab820
gensec_update_done: gse_krb5[0x55f4ae1acd70]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f4ae1909a0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x55f4ae190b60)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x55f4ae1a6030]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f4ae1ab820/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x55f4ae1ab9e0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
gensec_update_send: gse_krb5[0x55f4ae1acd70]: subreq: 0x55f4ae1a5ab0
gensec_update_send: spnego[0x55f4ae1a6030]: subreq: 0x55f4ae1b5cc0
gensec_update_done: gse_krb5[0x55f4ae1acd70]: NT_STATUS_OK tevent_req[0x55f4ae1a5ab0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x55f4ae1a5c70)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:866]
gensec_update_done: spnego[0x55f4ae1a6030]: NT_STATUS_OK tevent_req[0x55f4ae1b5cc0/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x55f4ae1b5e80)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
 session setup ok
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
 tconx ok
dos_clean_name [\domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI]
unix_clean_name [\domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI]
map_open_params_to_ntcreate: fname = \domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI, deny_mode = 0x40, open_func = 0x1
map_open_params_to_ntcreate: file \domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI, access_mask = 0x120089, share_mode = 0x3, create_disposition = 0x1, create_options = 0x40 private_flags = 0x0
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
getting file \domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI of size 60 as /dev/fd/1 signed SMB2 message (sign_algo_id=1)
[General]
Version=13
displayName=New Group Policy Object
signed SMB2 message (sign_algo_id=1)
(0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
signed SMB2 message (sign_algo_id=1)
root@LCXVDU22NPE4030:~#

Ubuntuadsys package

Comment 9 for bug 2024377

Ubuntu
adsys package