Hi, I have (I believe) the exact same error message. I am setting up my personal Samba AD server (running on Ubuntu 22.04). I can join Windows computers to the domain without any problem. I can use RSAT (users and groups) from Windows to manage the domain (add/create/change users/groups).
I can also join Linux computers (Ubuntu 23.04 and Ubuntu 23.10), and I can log in with a domain user. But when I log in, I get errors from the server:

```
bp@legion-ubuntu:~ % sudo login
legion-ubuntu.sb.lan login: SB\bp
Password:
Login incorrect
legion-ubuntu.sb.lan login: SB\bp
Password:
Welcome to Ubuntu 23.04 (GNU/Linux 6.2.0-37-generic x86_64)
 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/pro
3 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife
New release '23.10' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Apr 17 14:05:59 CEST 2024 on pts/1
Applying machine settings
ERROR Error from server: error while updating policy: can't get policies for "legion-ubuntu": failed to retrieve the list of GPO (exited with 1): exit status 1
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc.sb.lan' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER')
Failure setting user credentials
```

This prevents me from logging in through the normal login screen.
My sssd.conf:

```
bp@legion-ubuntu:~ % sudo cat /etc/sssd/sssd.conf
[sssd]
domains = sb.lan
config_file_version = 2
services = nss, pam
debug_level = 10

[domain/sb.lan]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = SB.LAN
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = sb.lan
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
timeout = 20
ldap_uri = ldap://dc.sb.lan
ldap_search_base = dc=sb,dc=lan
auth_provider = krb5
krb5_server = dc.sb.lan
krb5_passwd = dc.sb.lan
krb5_validate = True
# https://serverfault.com/questions/872542/debugging-sssd-login-pam-sss-system-error
# suggested work around in question
ad_gpo_access_control = permissive
```

Any chance you could point me in the right direction? I am sure there is something wrong (I expect it to be client side, since Windows computers seem to work perfectly fine in the Samba AD domain).

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2043376

Title: adsys cant fetch gpos ubuntu 22.04.3

Status in adsys package in Ubuntu: Incomplete

Bug description:

VERSIONS:

```
ubuntu 22.04.3
libsmbclient 2:4.15.13+dfsg-0ubuntu1.5
adsysctl 0.9.2~22.04.2
adsysd 0.9.2~22.04.2
```

Hi, when I try the command adsysctl update -m or --all I receive this error:

```
Error from server: error while updating policy: cant get policies for "ubuntuvm": failed to retrieve the list of GPO (exited with -1): signal: killed
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://addc01.domain.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER').
```

Result of adsysctl service cat -vvv:

```
NFO github.com/ubuntu/adsys/internal/config/config.go:73 Init() No configuration file: Config File "adsys" Not Found in "[/home/ubuntuvm /etc /usr/sbin]". We will only use the defaults, env variables or flags.
DEBUG Connecting as [[41753:876951]]
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:27 StreamServerInterceptor.func1() New request /service/Cat
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:60 loggedServerStream.RecvMsg() Requesting with parameters:
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:111 Authorizer.IsAllowedFromContext() Check if grpc request peer is authorized
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:191 Authorizer.isAllowed() Polkit call result, authorized: true
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:397 (*AD).ListActiveUsers() [[41745:695267]] ListActiveUsers
INFO github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:39 StreamServerInterceptor.func1() Error sent to client: error while updating policy: can't get policies for "ubuntuvm": failed to retrieve the list of GPO (exited with -1): signal: killed
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:33 StreamServerInterceptor.func1.1() Request /service/UpdatePolicy done
INFO github.com/ubuntu/adsys/internal/grpc/interceptorschain/chainer.go:16 StreamServer.func1.1.1() New connection from client [[41768:773422]]
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:27 StreamServerInterceptor.func1() [[41768:773422]] New request /service/UpdatePolicy
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:60 loggedServerStream.RecvMsg() [[41768:773422]] Requesting with parameters: IsComputer: false, All: true, Target: , Krb5Cc:
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:571 (*AD).NormalizeTargetName() [[41768:773422]] NormalizeTargetName for "", type "computer"
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:111 Authorizer.IsAllowedFromContext() [[41768:773422]] Check if grpc request peer is authorized
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:150 Authorizer.isAllowed() [[41768:773422]] Authorized as being administrator
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:225 (*AD).GetPolicies() [[41768:773422]] GetPolicies for "ubuntuvm", type "computer"
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:293 (*AD).GetPolicies() [[41768:773422]] Getting gpo list with arguments: "--objectclass computer ldap://addc01.domain.com ubuntuvm"
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:397 (*AD).ListActiveUsers() [[41768:773422]] ListActiveUsers
INFO github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:39 StreamServerInterceptor.func1() Error sent to client: error while updating policy: can't get policies for "ubuntuvm": failed to retrieve the list of GPO (exited with -1): signal: killed
```

When I run the commands:

```
export KRB5CCNAME=/var/run/adsys/krb5cc/$(hostname)
adsysctl policy debug gpolist-script
chmod +x adsys-gpolist
./adsys-gpolist --objectclass computer ldap://<ad-url> $(hostname)
```

the adsys-gpolist script gets this error:

```
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://addc01.domain.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER').
```

And the command smbclient gets this error:

```
smbclient --option='log level=10' //<ad-url>/SYSVOL/ -k -c 'get <ad-url>/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI /dev/fd/1' | cat
```

I get this error:

```
smbclient --option='log level=10' //<ad-url>/SYSVOL/ -k -c 'get <ad-url>/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI /dev/fd/1' | cat
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = ironchip.com
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface enp0s3 ip=10.0.2.15 bcast=10.0.2.255 netmask=255.255.255.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up addc01.domain.com#20 (sitename (null))
gencache_set_data_blob: Adding cache entry with key=[NBT/addc01.domain.com#20] and timeout=[jue ene 1 01:00:00 1970 CET] (-1699871025 seconds in the past)
namecache_fetch: no entry for addc01.domain.com#20 found.
resolve_hosts: Attempting host lookup for name addc01.domain.com<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for addc01.domain.com#20: {IP OF DOMAIN}
gencache_set_data_blob: Adding cache entry with key=[NBT/addc01.domain.com#20] and timeout=[lun nov 13 11:34:46 2023 CET] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: {IP OF DOMAIN}
Connecting to {IP OF DOMAIN} at port 445
convert_string_handle: E2BIG: convert_string(UTF-8,CP850): srclen=29 destlen=16 error: No more room
Connecting to {IP OF DOMAIN} at port 139
do_connect: Connection to addc01.domain.com failed (Error NT_STATUS_IO_TIMEOUT)
```