[solved] Windows standard users can't access DCs sysvol and user GPOs are not applying (error 1058)

I’ve just noticed I’m having issues with windows clients, group policies and sysvol/netlogon shares on UCS 4.4 domain controllers as samba4 AD.

My two main issues are:

1. Group policies for computers are applying. But GPO for users are not applying. I’m getting windows error 1058:

The processing of Group Policy failed. Windows attempted to read the file \replaceddomain.com.au\sysvol\replaceddomain.com.au\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.

2. Standard users can’t view the sysvol or netlogon shares on the domain controllers directly (\\dcm1\sysvol) or via IP address (\\10.20.x.x\sysvol) or the domain address (\\replaceddomain.com.au\sysvol). From explorer they just get the credentials popup over and over and from the cli with net view they just get system error 5 access is denied.
   I can view all shares on a member file server (so kerberos is working?) and logins to the domain work without issue; just viewing the DC master/backup share listing or going directly to sysvol/netlogon does not work at all. Domain Admin users can view the sysvol/netlogon shares on the DCs. file ownership/permissions/acls seem to match a default UCS install too.

Have searched out the following UCS forum topics which have aspects of the issue I’m having:

• Problems evaluating group policies
• Netlogon & Sysvol Zugriff verweigert - seems to have same issues I do.
• Kein Zugriff auf SYSVOL - same symptoms for share access, his solution of sysvolreset didn’t help me
• Suddenly not all GPOs get applied - similar symptoms re. GPO policies failing, tried deleting policy history on client with no luck.

And have found the following windows topics and issues online re. the MS16-072 GPO changes and the MS15-011 hardened UNC paths changes:

• https://blogs.technet.microsoft.com/leesteve/2017/08/09/demystifying-the-unc-hardening-dilemma/
• https://support.microsoft.com/en-us/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
• https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-executi
• https://community.spiceworks.com/topic/1119601-windows-10-group-policy-issue?page=1
• https://community.spiceworks.com/topic/1666296-beware-known-issues-with-update-kb3159398?page=1
• https://social.technet.microsoft.com/Forums/lync/en-US/4f3b560d-9c35-413e-9483-0e5be519e5d6/group-policy-cannot-apply-when-using-security-filtering?forum=winserverGP

I’m assuming my issues are coming from a combination of the hardened UNC paths changes in win10 (although my win7 machines have the same problem) and the GPO changes that force windows to read computer and user policies as the machine account context rather than the user account.

But I can’t find any combination of any mentioned fixes in all the above links that helps, and hoping someone here can help me narrow this down.

I’ve tried:

1. Based on problems evaluating group policies SDB have checked:

   • Time sync is good.
   • gpupdate /force works for computer GPO fails for user GPO.
   • DNS all seems to work.
   • tried sysvolreset and check, all good.
   • no missing or mismatched revisions as far as I can tell.

2. setting Hardened UNC paths via computer GPO and via regedit directly on the win10 clients to wildcards (\\*\SYSVOL, \\*\NETLOGON), domain names (\\replacedomain.com.au\SYSVOL), server names (\\dcm1.replaceddomain.com.au\SYSVOL) with combinations of RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0 without any change to standard users ability to access the DC shares.

3. Changing the GPO security filtering and delegation to authenticated users and/or domain computers:

   • If I set the domain computers group (read/apply) in the security filter and the authenticated users (read) group in the delegation my user policies don’t give me error 1058 and complete but they are also completely filtered out by the domain computers security filter and don’t apply anything to users (gpresult /r shows filtered policies).

   • If I set authenticated users (read/apply) in security filter and domain computers (read) in delegation I receive error 1058 for user policies and none of them apply as GPO client gives up after first access denied failure.

4. I’ve used samba-tool ntacl sysvolreset and samba-tool ntacl sysvolcheck and there are no issues there.

5. The xattr for the sysvol/netlogon folders look to be OK (have compared against a fresh 4.4 install and against the UCS forum threads linked above). I have also tried adding in a domain computers group ACL for the sysvol folder with no change.

6. Based on thread above I enabled samba/max/protocol = SMB3 and min/protocol = SMB2

7. un-joining and re-joining machine (even deleting completely the machine account) no change.

8. Createing new user to ensure clean profile, same issues with re. to share access and user GPO application.

System Info:

• UCS Version: 4.4-0 errata147 (Blumenthal)
• UMC Version: 11.0.4-16A~4.4.0.201905101433

More Symptoms details:

• Domain logons work without issue.
• browsing of file server shares (where all my user docs/redirection are located) work without issue.
• This was previously working for win7/10 clients and has stopped at some point (maybe 4.3->4.4 upgrade?) as existing user policies applied to standard user accounts are preserved.
• There are no issues reported under the UCS system diagnostics.
• sysvol reset and check are good.

I’m assuming that if I can crack the sysvol share access issue for standard users then the GPO authenticated users security filtering will work, but at a bit of a loss of how to troubleshoot that now.

Thanks all.

Some more info, hope it helps.

Isolation testing

• Windows 7 domain joined machine:

  • gpupdate works. The machine will apply all computer and user GPOs.
  • Trying to view \\replaced.company.com.au\sysvol\ with explorer gives a credentials dialog and with net view on cli gives an access denied error. So it seems GPOs apply but still can’t browse as a user.

• Windows 10 domain joined machine:

  • gpupdate applies computer policies but errors out with 1058 on user policies (that work on win7).
  • Trying to view \\replaced.company.com.au\sysvol\ with explorer gives a credentials dialog and with net view on cli gives an access denied error. So it seems GPOs apply but still can’t browse as a user.

• GPO delegation / filtering

  • The default setup is that authenticated users has read/apply permissions. This works for win7 but not win10 (error 1058)
  • Have tried changing this to domain computers read/apply and authenticated users read only. This allows User GPOs to complete processing on win10 (which allows me to get gpresult info) but no user GPOs apply as the security filtering captures no user groups. With win10 it seems anything other than domain computers in security filtering give error 1058.

ACL on /var/lib/samba/sysvol/

root@dcm1:/var/lib/samba# getfacl sysvol
# file: sysvol
# owner: Administrator
# group: Administrators
user::rwx
user:Administrator:rwx
user:5010:r-x
user:5035:rwx
group::rwx
group:Authenticated\040Users:r-x
group:System:rwx
group:Administrators:rwx
group:Server\040Operators:r-x
mask::rwx
other::---
default:user::rwx
default:user:Administrator:rwx
default:user:5010:r-x
default:user:5035:rwx
default:group::---
default:group:Authenticated\040Users:r-x
default:group:System:rwx
default:group:Administrators:rwx
default:group:Server\040Operators:r-x
default:mask::rwx
default:other::---

Samba testparm output

Press enter to see a dump of your service definitions

# Global parameters
[global]
        bind interfaces only = Yes
        deadtime = 15
        debug pid = Yes
        domain master = Yes
        interfaces = lo eth0
        ldap server require strong auth = allow_sasl_over_tls
        logging = file
        logon drive = H:
        logon home = \\filestore\%U
        logon path = \\filestore\%U\windows-profiles\%a
        machine password timeout = 0
        map to guest = Bad User
        max log size = 0
        max open files = 32808
        max xmit = 65535
        name resolve order = wins host bcast
        obey pam restrictions = Yes
        passdb backend = samba_dsdb
        passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
        preferred master = Yes
        realm = <REPLACED.COMPANY>.COM.AU
        server min protocol = SMB2
        server role = active directory domain controller
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        server string = Univention Corporate Server
        template homedir = /home/%D-%U
        template shell = /bin/bash
        tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
        tls certfile = /etc/univention/ssl/dcm1.<replaced.company>.com.au/cert.pem
        tls keyfile = /etc/univention/ssl/dcm1.<replaced.company>.com.au/private.key
        tls verify peer = ca_and_name
        usershare max shares = 0
        winbind separator = +
        wins support = Yes
        workgroup = <REPLACED>
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        acl:search = no
        spoolss: architecture = Windows x64
        idmap config * : range = 300000-400000
        kccsrv:samba_kcc = False
        dsdb:schema update allowed = no
        nmbd_proxy_logon:cldap_server = 127.0.0.1
        server role check:inhibit = yes
        idmap config * : backend = tdb
        acl allow execute always = Yes
        admin users = administrator join-backup
        include = /etc/samba/base.conf
        kernel oplocks = Yes
        map archive = No
        vfs objects = dfs_samba4 acl_xattr
[netlogon]
        case sensitive = No
        comment = Domain logon service
        path = /var/lib/samba/sysvol/<replaced.company>.com.au/scripts
        read only = No

[sysvol]
        acl xattr update mtime = Yes
        case sensitive = No
        path = /var/lib/samba/sysvol
        read only = No

[homes]
        browseable = No
        comment = Heimatverzeichnisse
        create mask = 0700
        directory mask = 0700
        hide files = /windows-profiles/
        read only = No
        vfs objects = acl_xattr

[printers]
        browseable = No
        comment = Drucker
        create mask = 0700
        path = /tmp
        printable = Yes

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        read only = No
        write list = root Administrator @Printer-Admins

/var/log/samba/log.smb output when connecting to \\\replaced.company.com.au\

[2019/06/19 15:06:23.731624,  1, pid=13394] ../../source3/smbd/session.c:70(session_claim)
  pam_session rejected the session for <REPLACED>+standarduser1 [smb/3161656998]
[2019/06/19 15:06:23.731666,  1, pid=13394] ../../source3/smbd/smb2_sesssetup.c:465(smbd_smb2_auth_generic_return)
  smb2: Failed to claim session for vuid=3161656998
[2019/06/19 15:06:24.142672,  0, pid=13408] ../../source3/auth/pampass.c:89(smb_pam_error_handler)
  smb_pam_error_handler: PAM: session setup failed : System error
[2019/06/19 15:06:24.144318,  1, pid=13408] ../../source3/smbd/session.c:70(session_claim)
  pam_session rejected the session for <REPLACED>+standarduser1 [smb/600177647]
[2019/06/19 15:06:24.144359,  1, pid=13408] ../../source3/smbd/smb2_sesssetup.c:465(smbd_smb2_auth_generic_return)
  smb2: Failed to claim session for vuid=600177647

So basically coming to the end of my rope, just started grepping for any errors anywhere in the logs and I could see a lot of messages:

Jun 20 10:18:35 dcm1 univention-mount-homedir: Failed to mount home directory: '/home/<username>'

Basically the same as this thread: Login via SSH fails for a single user: Failed to mount home directory

If I remove the home share attribute from the user account under POSIX (Linux/UNIX) section then sysvol/netlogon browsing works as it should!! I guess the failing home mount, failed the user login through samba to pam and broke the sysvol browsing!

So now I have a work-around that I can blank out the home share attribute and get my user GPOs working again.

Looks like NFS mounts are failing from the file server.

Fileserver systemctl status:

● nfs-server.service - NFS server and services
   Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2019-06-20 16:58:03 AEST; 7min ago
  Process: 3968 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=1/FAILURE)
      CPU: 2ms

Jun 20 16:58:03 filestore systemd[1]: Starting NFS server and services...
Jun 20 16:58:03 filestore exportfs[3968]: exportfs: Failed to stat /var/lib/univention-client-boot: No such file or directory
Jun 20 16:58:03 filestore systemd[1]: nfs-server.service: Control process exited, code=exited status=1
Jun 20 16:58:03 filestore systemd[1]: Failed to start NFS server and services.
Jun 20 16:58:03 filestore systemd[1]: nfs-server.service: Unit entered failed state.
Jun 20 16:58:03 filestore systemd[1]: nfs-server.service: Failed with result 'exit-code'.
Warning: nfs-server.service changed on disk. Run 'systemctl daemon-reload' to reload units.

Is it that Failed to stat /var/lib/univention-client-boot: No such file or directory thats the issue?

Used to run UCC clients from this file server (not now, app was uninstalled) and it’s come through a few upgrades. Some sort of hang over from earlier like this other example for NFS?

edit:
Looking in UCR there seem to be leftover values from UCC.

root@filestore:/var/lib# ucr search ucc
appcenter/prudence/docker/ucc: yes

logrotate/syslog-ucc/.*: <empty>
 Configuration options for logging UCC-client rsyslog-messages (for possible options see description of ucrv logrotate/*)

logrotate/syslog-ucc/rotate/count: 7
 Configuration options for logging UCC-client rsyslog-messages (for possible options see description of ucrv logrotate/*)

logrotate/syslog-ucc/rotate: daily
 Configuration options for logging UCC-client rsyslog-messages (for possible options see description of ucrv logrotate/*)

security/packetfilter/package/ucc-remotelog/tcp/514/all: ACCEPT
 Variables following the scheme 'security/packetfilter/PACKAGE/*' are packet filter rules shipped by UCS packages (see 'security/packetfilter/use_packages'). They should not be modified.

security/packetfilter/package/ucc-remotelog/udp/514/all: ACCEPT
 Variables following the scheme 'security/packetfilter/PACKAGE/*' are packet filter rules shipped by UCS packages (see 'security/packetfilter/use_packages'). They should not be modified.

ucc/image/defaultid/desktop: ucc30desktop

ucc/image/defaultid/thinclient: ucc30thin

ucc/image/download/url: http://ucc-images.software-univention.de/download/ucc-images/

ucc/image/path: /var/lib/univention-client-boot/

ucc/pxe/append: syslog=y syslogserver=<server IP>

ucc/pxe/bootsplash: true

ucc/pxe/loglevel: 0

ucc/pxe/nfsroot: <server IP>

ucc/pxe/timezone: <server timezone>

ucc/pxe/traditionalinterfacenames: true
 If set to 'false', predictable network interface names will be deactivated. As this collides with UCC default settings, the value is 'true' by default. If the variable is unset, it is evaluated as 'false'.

ucc/pxe/vga: 788

Can these all be safely deleted?

Yes, it is. The NFS server refuses to start if any of the directories to export is missing.

In your case there’s likely a share configured for that directory in the UMC (“Domain” → “Shares”). Just remove that one share, and the NFS server should start up again.

Yeah, those can all be removed. It’s possible that there are configuration files lying around from packages in state rc (removed, but config-files present). See the output of dpkg -l | grep -E '^rc.*ucc' and if that looks fine, purge them with dpkg --purge <package1> <package2>… (or the somewhat dangerous but automatic dpkg -l | awk '/^rc.*ucc/ { print $2 }' | xargs -r dpkg --purge ).

Thanks again Moritz, that was it.

• removed UCC before last upgrade, it left some detritus behind (that share definition included) although it removed the actual folder.
• That killed the NFS server which broke S4 auth for syvol browsing on the windows clients which broke user GPOs

Quite the chain of events, this has been a learning experience.

…no offense, but I’d like to revitalize this ticket…
We also can’t reach the sysvol or netlogon shares with any user.
As described above we checked the home shares, but these do not seem to be set in our system.
Only under Home share path you can find the respective username, which, however cannot be deleted.

Interesting enough, we experience the issue on all systems we can reach, so it seems to be no single case.

Anything else we can try?
Maybe ldapmodify, but this seems a bit to rude to me, doesn’t it?

thanks
Sascha

We had this issue and found that disabling UE-V in group policy solve it for us. Thankfully we no longer used it, so if you do that’s not really a solution. It seems to be linked to NIC drivers (Maybe Intel, more likely Realtek) but updating those didn’t fix it. It also appears when the latest windows updates are installed, although I wasn’t able to test which one.