root@LCXVDU22NPE4030:~# export KRB5CCNAME=/var/run/adsys/krb5cc/LCXVDU22NPE4030
adsysctl policy debug gpolist-script
chmod +x adsys-gpolist
./adsys-gpolist --objectclass computer ldap://N060ADKCDC109.domain.com LCXVDU22NPE4030
0000000000cEntCTX-Ubuntu-Edge smb://domain.com/SysVol/domain.com/Policies/{F7E97A8D-7DB1-4571-956A-005D1658DC35}
0000000000cEntCtx-Ubuntu-Test smb://domain.com/SysVol/domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}
root@LCXVDU22NPE4030:~# smbclient --option='log level=10' //N060ADKCDC109.domain.com/SYSVOL/ -k -c 'get domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}/GPT.INI /dev/fd/1' | cat INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 auth_audit: 10 auth_json_audit: 10 kerberos: 10 drs_repl: 10 smb2: 10 smb2_credits: 10 dsdb_audit: 10 dsdb_json_audit: 10 dsdb_password_audit: 10 dsdb_password_json_audit: 10 dsdb_transaction_audit: 10 dsdb_transaction_json_audit: 10 dsdb_group_audit: 10 dsdb_group_json_audit: 10 WARNING: The option -k|--kerberos is deprecated! lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 auth_audit: 10 auth_json_audit: 10 kerberos: 10 drs_repl: 10 smb2: 10 smb2_credits: 10 dsdb_audit: 10 dsdb_json_audit: 10 dsdb_password_audit: 10 dsdb_password_json_audit: 10 dsdb_transaction_audit: 10 dsdb_transaction_json_audit: 10 dsdb_group_audit: 10 dsdb_group_json_audit: 10 Processing section "[global]" doing parameter workgroup = domain doing parameter security = ADS doing parameter realm = domain.COM doing parameter encrypt passwords = yes lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated doing parameter idmap config *:range = 16777216-33554431 doing parameter winbind use default domain = yes doing parameter kerberos method = secrets and keytab doing parameter winbind refresh tickets = yes doing parameter template shell = /bin/bash 
pm_process() returned Yes lp_servicenumber: couldn't find homes added interface eth0 ip=10.34.204.247 bcast=10.34.207.255 netmask=255.255.252.0 Client started (version 4.15.13-Ubuntu). Opening cache file at /run/samba/gencache.tdb sitename_fetch: Returning sitename for realm 'domain.COM': "703-XX001" internal_resolve_name: looking up N060ADKCDC109.domain.com#20 (sitename 703-XX001) namecache_fetch: name N060ADKCDC109.domain.com#20 found. remove_duplicate_addrs2: looking for duplicate address/port pairs Connecting to 10.254.163.93 at port 445 convert_string_handle: E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16 error: No more room Connecting to 10.254.163.93 at port 139 socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0 session request ok negotiated dialect[SMB3_11] against server[N060ADKCDC109.domain.com] cli_session_setup_spnego_send: Connect to N060ADKCDC109.domain.com as LCXVDU22NPE4030$@domain.COM using SPNEGO GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'http_negotiate' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 gensec_update_send: gse_krb5[0x55f4ae1acd70]: subreq: 0x55f4ae1909a0 gensec_update_send: spnego[0x55f4ae1a6030]: subreq: 0x55f4ae1ab820 
gensec_update_done: gse_krb5[0x55f4ae1acd70]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f4ae1909a0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x55f4ae190b60)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859] gensec_update_done: spnego[0x55f4ae1a6030]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f4ae1ab820/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55f4ae1ab9e0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116] gensec_update_send: gse_krb5[0x55f4ae1acd70]: subreq: 0x55f4ae1a5ab0 gensec_update_send: spnego[0x55f4ae1a6030]: subreq: 0x55f4ae1b5cc0 gensec_update_done: gse_krb5[0x55f4ae1acd70]: NT_STATUS_OK tevent_req[0x55f4ae1a5ab0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x55f4ae1a5c70)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:866] gensec_update_done: spnego[0x55f4ae1a6030]: NT_STATUS_OK tevent_req[0x55f4ae1b5cc0/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55f4ae1b5e80)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116] session setup ok signed SMB2 message (sign_algo_id=1) signed SMB2 message (sign_algo_id=1) signed SMB2 message (sign_algo_id=1) signed SMB2 message (sign_algo_id=1) tconx ok dos_clean_name [\domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI] unix_clean_name [\domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI] map_open_params_to_ntcreate: fname = \domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI, deny_mode = 0x40, open_func = 0x1 map_open_params_to_ntcreate: file \domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI, access_mask = 0x120089, share_mode = 0x3, create_disposition = 0x1, create_options = 0x40 private_flags = 0x0 signed SMB2 message (sign_algo_id=1) signed SMB2 message (sign_algo_id=1) getting file 
\domain.com\Policies\{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}\GPT.INI of size 60 as /dev/fd/1 signed SMB2 message (sign_algo_id=1) [General] Version=13 displayName=New Group Policy Object signed SMB2 message (sign_algo_id=1) (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec) signed SMB2 message (sign_algo_id=1)
root@LCXVDU22NPE4030:~#

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2024377

Title:
  Adsys can't fetch GPOs

Status in adsys package in Ubuntu:
  Confirmed

Bug description:
  My English may be poor and hard to follow. I couldn't find anything related to this on GitHub, Canonical Forums, Reddit or StackOverflow.

  On Ubuntu 22.04, I followed the Wiki tutorial and verified all the steps in the Integration Ubuntu Desktop whitepaper. I am currently using the SSSD backend and can log in with Active Directory users; however, when adsys is installed I can't fetch GPOs.

  In this version the error is:
  ERROR Error from server: error while updating policy: can't get policies for "ubuntu": can't download all gpos and assets: one or more error while fetching GPOs and assets: can't download "ubuntuRoot": can't check if ubuntuRoot needs refreshing: no GPT.INI file: cannot open smb://addc01.domain.com.br/SysVol/domain.com.br/Policies/{DF072E7E-6F2F-46D1-A90F-699415F72F2E}/GPT.INI: invalid argument

  It happens when using "adsysctl update -m", when using "adsysctl update usern...@domain.com.br /tmp/krb5c_getentId_randomdnumber", and with just "adsysctl update" too.
  I upgraded the machine to 22.10 and the error changed to:
  ERROR Error from server: error while updating policy: can't get policies for "ubuntu": failed to retrieve the list of GPO (exited with 1): exit status 1
  Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  Failed to connect to 'ldap://addc01.domain.com.br' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER').

  After upgrading to 23.04 the error persists, the same as above.

  Full info 22.04 (-vvvv verbose):
  INFO No configuration file: Config File "adsys" Not Found in "[/home/jzprates /root /etc /usr/sbin]". We will only use the defaults, env variables or flags.
  DEBUG Connecting as [[2504:109556]]
  DEBUG New request /service/UpdatePolicy
  DEBUG Requesting with parameters: IsComputer: true, All: false, Target: ubuntu, Krb5Cc:
  DEBUG NormalizeTargetName for "ubuntu", type "computer"
  DEBUG Check if grpc request peer is authorized
  DEBUG Authorized as being administrator
  DEBUG GetPolicies for "ubuntu", type "computer"
  DEBUG Getting gpo list with arguments: "--objectclass computer ldap://addc01.domain.com.br ubuntu"
  DEBUG GPO "ubuntuRoot" for "ubuntu" available at "smb://addc01.domain.com.br/SysVol/domain.com.br/Policies/{DF072E7E-6F2F-46D1-A90F-699415F72F2E}"
  DEBUG Analyzing "assets"
  DEBUG Analyzing "ubuntuRoot"
  INFO No assets directory with GPT.INI file found on AD, skipping assets download
  ERROR Error from server: error while updating policy: can't get policies for "ubuntu": can't download all gpos and assets: one or more error while fetching GPOs and assets: can't download "ubuntuRoot": can't check if ubuntuRoot needs refreshing: no GPT.INI file: cannot open smb://addc01.domain.com.br/SysVol/domain.com.br/Policies/{DF072E7E-6F2F-46D1-A90F-699415F72F2E}/GPT.INI: invalid argument

  Full info 23.04 (-vvvv verbose):
  INFO No configuration file: Config File "adsys" Not Found in "[/home/jzprates
/root /etc /usr/sbin]".
  DEBUG Connecting as [[58811:006019]]
  DEBUG New request /service/UpdatePolicy
  DEBUG Requesting with parameters: IsComputer: true, All: false, Target: ubuntu, Krb5Cc:
  DEBUG NormalizeTargetName for "ubuntu", type "computer"
  DEBUG Check if grpc request peer is authorized
  DEBUG Authorized as being administrator
  DEBUG GetPolicies for "ubuntu", type "computer"
  DEBUG Getting gpo list with arguments: "--objectclass computer ldap://addc01.domain.com.br ubuntu"
  ERROR Error from server: error while updating policy: can't get policies for "ubuntu": failed to retrieve the list of GPO (exited with 1): exit status 1
  Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  Failed to connect to 'ldap://addc01.domain.com.br' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER')

  Additional info:
  The Domain Controller and the machine are on the same subnet, with no firewall at any level;
  The Domain Controller is a Windows Server 2019 updated to the latest security version;
  Both the machine and the user are in the same OU, with "no heritage" enabled and just one policy added to permit usern...@domain.com.br to become root;
  The directory shown in the info header is "/home/jzprates" in both logs because I collected them from the local account using "sudo adsysctl update -m -vvvv";
  If I disable the Adsys login in pam-auth-update, Ubuntu creates a home directory and logs in correctly with domain users.
ProblemType: Bug DistroRelease: Ubuntu 23.04 Package: adsys 0.11.0 ProcVersionSignature: Ubuntu 6.2.0-23.23-generic 6.2.12 Uname: Linux 6.2.0-23-generic x86_64 ApportVersion: 2.26.1-0ubuntu2 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Mon Jun 19 11:22:10 2023 InstallationDate: Installed on 2023-06-13 (5 days ago) InstallationMedia: Ubuntu 22.04.2 LTS "Jammy Jellyfish" - Release amd64 (20230223) RelatedPackageVersions: sssd 2.8.1-1ubuntu1 python3-samba 2:4.17.7+dfsg-1ubuntu1 SourcePackage: adsys UpgradeStatus: Upgraded to lunar on 2023-06-16 (2 days ago) modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf: [deleted] modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]