samba-gpupdate fails(LdapErr: DSID-0C090C90 to perform this operation a successful bind must be completed on the connection)

Bug #2107324 reported by Markus Giese
Affects: samba (Ubuntu)
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

In 24.04 I run "samba-gpupdate" to obtain GP and a machine cert from my AD domain. I join my company's AD with SSSD and Samba (yes, both). It works like a charm, and to go with the flow we tried out Ubuntu 25.04, where almost everything works quite well, except samba-gpupdate.

This does not work in Ubuntu 25.04 with the following error:

_ldb.LdbError: (1, '000004DC: LdapErr: DSID-0C090C90, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563')

The sssd and samba domain joins work without any error. Login to the AD also works.

I tried to switch the samba-gpupdate binary with the one from Ubuntu 24.04 but the error stays the same.

ProblemType: Bug
DistroRelease: Ubuntu 25.04
Package: python3-samba 2:4.21.4+dfsg-1ubuntu3
ProcVersionSignature: Ubuntu 6.14.0-13.13-generic 6.14.0
Uname: Linux 6.14.0-13-generic x86_64
ApportVersion: 2.32.0-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Mon Apr 14 12:10:21 2025
InstallationDate: Installed on 2025-04-02 (12 days ago)
InstallationMedia: Ubuntu 25.04 "Plucky Puffin" - Daily amd64 (20250402)
ProcEnviron:
 LANG=de_DE.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Markus Giese (rastalan244) wrote :

When submitting the bug I could not select python3-samba as the culprit, but python3-samba provides samba-gpupdate.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> When submitting the bug I could not select python3-samba as the culprit, but python3-samba provides samba-gpupdate.

Thanks, that's fine, bugs can only be filed against a source package in Ubuntu (samba, in this case).

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The only thing that comes to mind that could affect this, in samba 4.21.x, from the release notes[1], is the ldap channel binding support:

"""
LDAP TLS/SASL channel binding support
=====================================

The ldap server supports SASL binds with
kerberos or NTLMSSP over TLS connections
now (either ldaps or starttls).

Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before, can now most likely move to the
default of 'ldap server require strong auth = yes'.

If SASL binds without correct tls channel bindings are required
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning in every start of 'samba', as well as '[samba-tool ]testparm'.

This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.

All client tools using ldaps also include the correct
channel bindings now.
"""

Can you perhaps bump the logging and see if something useful shows up in the samba logs?

1. https://www.samba.org/samba/history/samba-4.21.0.html

Changed in samba (Ubuntu):
status: New → Incomplete
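The channel binding the release notes refer to is the RFC 5929 "tls-server-end-point" binding: on an LDAPS or StartTLS connection the SASL client (GSSAPI/Kerberos or NTLMSSP) hashes the server's certificate with the hash of its signature algorithm (MD5 and SHA-1 are upgraded to SHA-256), prefixes "tls-server-end-point:", and mixes that into the authentication exchange; a server set to "ldap server require strong auth = yes" (or LdapEnforceChannelBinding on Windows) recomputes the value from its own certificate and rejects a SASL bind over TLS whose binding is absent or does not match. The following is an added example, not Samba's or Windows' code, that computes that token from a DER certificate; because no real certificate is on this page, the demo builds a constructed DER skeleton that only carries the signatureAlgorithm field, so `make_fake_cert`, `_der`, and `_encode_oid` are placeholders and the hash values are not those of any real server.

```python
"""RFC 5929 tls-server-end-point channel binding for an LDAP-over-TLS bind."""
import hashlib

# signatureAlgorithm OID -> hash for the binding (RFC 5929 s4.1: MD5/SHA-1
# are replaced by SHA-256; otherwise the hash the signature is built on).
_SIGALG_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption  -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1       -> SHA-256
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Dotted form of DER OID contents (handles first arcs 0, 1 and 2)."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, sig }."""
    tag, cert, _ = _der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _der_tlv(cert)              # skip tbsCertificate
    tag, algid, _ = _der_tlv(cert, pos)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid, _ = _der_tlv(algid)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier without OID")
    return _decode_oid(oid)


def tls_server_end_point(cert_der):
    """Hash of the whole DER certificate, chosen from its signature algorithm."""
    oid = signature_algorithm_oid(cert_der)
    if oid not in _SIGALG_HASH:
        raise ValueError(f"no tls-server-end-point hash defined for OID {oid}")
    return hashlib.new(_SIGALG_HASH[oid], cert_der).digest()


def gss_channel_binding(cert_der):
    """Application data both the SASL client and the LDAP server compute."""
    return b"tls-server-end-point:" + tls_server_end_point(cert_der)


# --- constructed test fixture (placeholder, not a valid X.509 certificate) ---
def _der(tag, content):
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_fake_cert(sigalg_oid, tbs=b"constructed tbsCertificate placeholder"):
    """DER skeleton with only the signatureAlgorithm filled in realistically."""
    tbs_seq = _der(0x30, _der(0x04, tbs))
    algid = _der(0x30, _der(0x06, _encode_oid(sigalg_oid)) + _der(0x05, b""))
    return _der(0x30, tbs_seq + algid + _der(0x03, b"\x00" * 33))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5",
                "1.2.840.10045.4.3.3"):
        cert = make_fake_cert(oid)
        print(oid, _SIGALG_HASH[oid], gss_channel_binding(cert)[21:].hex())
```

A client that sends no binding, or one computed over a different certificate (a TLS-terminating proxy or a man-in-the-middle in front of the DC), fails the comparison on a server enforcing channel binding, which is why "allow_sasl_without_tls_channel_bindings" exists as the explicit opt-out for clients that cannot yet supply it.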
Revision history for this message
Markus Giese (rastalan244) wrote :

That's the kernel output when running "samba-gpupdate".

Revision history for this message
Markus Giese (rastalan244) wrote :

That's the samba crash log.

Revision history for this message
Markus Giese (rastalan244) wrote :

If you need more or something specific, just tell me...

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks. Pasting the crash here for information:

Traceback:
 Traceback (most recent call last):
   File "/usr/sbin/samba-gpupdate", line 135, in <module>
     apply_gp(lp, creds, store, gp_extensions, username,
     ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              opts.target, opts.force)
              ^^^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 1009, in apply_gp
     gpos = get_gpo_list(dc_hostname, creds, lp, username)
   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 848, in get_gpo_list
     uac, dn = find_samaccount(samdb, username.split('\\')[-1])
               ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/lib/python3/dist-packages/samba/gp/gpclass.py", line 694, in find_samaccount
     res = samdb.search(samdb.get_default_basedn(), ldb.SCOPE_SUBTREE,
                        '(sAMAccountName={})'.format(samaccountname), attrs)
 _ldb.LdbError: (1, '000004DC: LdapErr: DSID-0C090C92, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c')

Changed in samba (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → High
Revision history for this message
Markus Giese (rastalan244) wrote :

I wonder if there might be a setting I can use in sssd.conf or smb.conf to force my local Samba instance to use a stronger auth mechanism? As I understand it, it is a client-side issue. The Microsoft servers will use the stronger auth as the default behaviour?

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Can you share your /etc/samba/smb.conf please? And logs from /var/log/samba/log.*

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Checking the manual page for samba-gpupdate, there are some debugging options you could try:

       -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL debug level

Can you try some different values for -d? Perhaps start with 3. Max is 10 I think, which is a LOT.

If nothing is printed out to your terminal, then these logs will be somewhere in /var/log/samba/.

Revision history for this message
Markus Giese (rastalan244) wrote (last edit):

Hi, here is my smb.conf:

$ cat /etc/samba/smb.conf
[global]
      idmap config * : backend = tdb
      idmap config * : range = 10000-20000
      idmap config MYAD : backend = rid
      idmap config MYAD : range = 20001-99999
      kerberos method = secrets and keytab
      security = ADS
      usershare allow guests = No
      workgroup = MYAD

Revision history for this message
Markus Giese (rastalan244) wrote :

Here is the output of "samba-gpupdate -d 3".

Revision history for this message
Markus Giese (rastalan244) wrote :

Here is the output of a working machine running 24.04.2.

Revision history for this message
Markus Giese (rastalan244) wrote :

I would be happy for some steps to reproduce, to downgrade samba 4.21 to 4.19 in order to test the rest of 25.04...
