Permission denied on GPT.ini (Event ID 1058)
l***@gmail.com
2016-03-18 17:29:32 UTC
Are you currently replicating the sysvol folder between DC's?
Hi list,
Having a multi-DC Samba 4.1.17 (Debian) setup, we use Computer GPOs.
Machines randomly encounter event 1058 (translation is roughly "GPO
processing failed. Windows failed to read file
\\domain\sysvol\domain\Policies\SomeGUID\gpt.ini from a domain
controller"). It seems to be an issue with the computer account because
the user's GPO applies nicely.
Replication (both drs showrepl & ldap-cmp) shows no error nor
difference on the DC used for GPO fetching (according to tcpdump, since
I found no way to get it through Windows logs). Raising the log level to 5
shows that domain\COMPUTERNAME$ is not found as a user, but the same
occurs for "working" stations. ntacl sysvolreset doesn't change anything.
Can somebody point me in the right direction to troubleshoot this?
Regards
--
-James
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
l***@gmail.com
2016-03-18 17:50:44 UTC
Hi,
Yes, using rsync followed by a samba-tool ntacl sysvolreset.
Regards
Have you tried running 'gpresult /H GPReport.html' on the workstation
to see if it provides any details? You can also run 'Group Policy
Results' from within the Microsoft Group Policy Management snap-in.

Are you using Item level targeting in your GPO?
--
-James
l***@gmail.com
2016-03-18 19:58:48 UTC
Post by l***@gmail.com
Have you tried running 'gpresult /H GPReport.html' on the workstation
to see if it provides any details? You can also run 'Group Policy
Results' from within the Microsoft Group Policy Management snap-in.
Yes, it shows an error about maximum Kerberos tickets exceeded but I
take that for a generic error message…
Post by l***@gmail.com
Are you using Item level targeting in your GPO?
No
When this error happens, can you confirm if you can manually navigate to
the file? Open File Explorer and enter the UNC path.

i.e. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini

On the workstation having the issue.
--
-James
Klaus Hartnegg
2016-03-20 16:03:32 UTC
Yes but in that case I'm not using the machine account anymore but the currently logged in user account. That's why I guess it is related to some machine account configuration issue but I can find no way to test machine account access…
psexec -i -s cmd.exe
must be run as admin
will open a new window
try there:
echo %username%
looks like machine account

hope this helps,
Klaus
--
Message sent from a mobile device, please excuse brevity and typos
L.P.H. van Belle
2016-03-21 14:53:36 UTC
Hai,

Today I had about the same problem.

Check the following.

1) Get the policy id (like {78732DBF-5381-497B-9B25-00A278270A1F}) from
PATH_TO_SYSVOL_FOLDER/Policies/
2) run getfacl on the folder, like:
getfacl \{78751DBF-5381-497B-9B25-00A278270A1F\}/

Here in my case I noticed the following.
I had a user set on one specific policy; I changed that user to a newly created group.

After looking with getfacl I noticed that the user was still on GPT.INI
and not the group.
Resulting in the Permission denied on GPT.ini.

For now I fixed it by setting the inheritance of the folder to the files again.

Summary of what I think, and others must test this also.

When creating the policy for the first time it sets the correct U+G rights.
After changing this, not.

Other quick fix is, add the computer($) to the group.

I hope people know what I mean, if not, ask me.


Greetz,

Louis
-----Original message-----
Sent: Monday 21 March 2016 10:45
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hi,
This gives me the machine account name, which I already know.
BUT I used pushd \\path\to\sysvol in the spawned cmd.exe and I
successfully mounted the supposedly unreadable share (tried all 5 DCs)
and type'd the GPT.ini.
If someone has any further investigation track, I'll take it.
Regards
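Louis's check (getfacl on the policy folder, then seeing whether GPT.INI still carries the old user instead of the new group) can be automated. The Python script below is an added example, not code from this thread or from the Samba project. It parses the text that getfacl prints, in the same format as the listing quoted later in this thread, and reports two things: named user/group entries that the folder's default ACL would give a newly created file but which are missing from gpt.ini, and entries still on gpt.ini that the folder no longer has. The two listings embedded in it are constructed for the example; the numeric IDs 10000, 3000008 and 3000025 are sample values in the style of the thread, not values taken from anyone's DC.

```python
"""Compare a sysvol policy folder's default ACL with its gpt.ini ACL.

Added example, not code from the thread or from Samba. A gpt.ini whose
named entries differ from the folder's default ACL was not re-inherited
after the folder's ACL changed, which is the situation Louis describes.
"""
from typing import Dict, List, Tuple

# Constructed getfacl output: the folder grants the new group 3000008,
# but gpt.ini still carries the old user 3000025 and lacks the group.
FOLDER_ACL = """\
# file: Policies/{78732DBF-5381-497B-9B25-00A278270A1F}/
# owner: root
# group: 10000
user::rwx
group::rwx
group:10000:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:10000:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---
"""

GPTINI_ACL = """\
# file: Policies/{78732DBF-5381-497B-9B25-00A278270A1F}/GPT.INI
# owner: root
# group: 10000
user::rw-
user:3000025:r--
group::---
group:10000:rw-
mask::rw-
other::---
"""

Entry = Tuple[str, str]  # (tag, qualifier), e.g. ("group", "3000008")


def parse_getfacl(text: str) -> Dict[str, Dict[Entry, str]]:
    """Split getfacl output into access and default entries.

    Returns {"access": {(tag, qualifier): perms}, "default": {...}}.
    '# file/owner/group' comment lines are skipped; mask and other are
    kept so callers can decide whether they matter.
    """
    acl: Dict[str, Dict[Entry, str]] = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scope = "access"
        if line.startswith("default:"):
            scope = "default"
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        acl[scope][(tag, qualifier)] = perms
    return acl


def _named(entries: Dict[Entry, str]) -> Dict[Entry, str]:
    """Keep only named user/group entries (drop owner, mask, other)."""
    return {k: v for k, v in entries.items()
            if k[0] in ("user", "group") and k[1] != ""}


def missing_named_entries(folder_text: str, file_text: str) -> List[str]:
    """Entries the folder's default ACL would grant a new file but which
    gpt.ini lacks: that principal gets 'permission denied' on gpt.ini."""
    folder = _named(parse_getfacl(folder_text)["default"])
    file_acl = _named(parse_getfacl(file_text)["access"])
    return [f"{t}:{q}:{p}" for (t, q), p in sorted(folder.items())
            if (t, q) not in file_acl]


def stale_named_entries(folder_text: str, file_text: str) -> List[str]:
    """Entries on gpt.ini that the folder's default ACL no longer carries,
    e.g. the user Louis replaced with a group."""
    folder = _named(parse_getfacl(folder_text)["default"])
    file_acl = _named(parse_getfacl(file_text)["access"])
    return [f"{t}:{q}:{p}" for (t, q), p in sorted(file_acl.items())
            if (t, q) not in folder]


if __name__ == "__main__":
    for m in missing_named_entries(FOLDER_ACL, GPTINI_ACL):
        print("gpt.ini is missing inherited entry:", m)
    for s in stale_named_entries(FOLDER_ACL, GPTINI_ACL):
        print("gpt.ini carries stale entry:", s)
```

On a DC you would feed the functions the real output of getfacl for each Policies/{GUID} folder and its GPT.INI. A non-empty "missing" list means the file did not pick up the folder's current ACL, which is what Louis fixed by re-applying the folder's inheritance to its files.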
Ryan Ashley
2016-03-22 14:11:18 UTC
I just saw this thread while browsing my emails and I want to report
that I get this frequently but randomly on every Samba4 domain I run. It
is completely random in that it affects a PC today, but a week from now
that same PC may work just fine. It may then affect a different PC which
had no issues prior.

Also, if I click the link to "gpt.ini" in the event log the file DOES
open and I can view it all day long. It is almost as though the system
lies to me in saying it cannot access the file, but it can. I have been
dealing with this for two years now.

Finally, this seems to occur MUCH more frequently on domains which have
multiple DCs. A single DC domain may have this happen once in a year,
and only for a moment, whereas a multiple DC domain may have this happen
regularly.

Lead IT/IS Specialist
Reach Technology FP, Inc
L.P.H. van Belle
2016-03-22 15:37:15 UTC
In addition, a handy thing to know.

Windows resolves NetBIOS names by using one of the following four methods.
1 = B-Node (broadcast)
2 = P-Node (point-to-point)
4 = M-Node (mixed)
8 = H-Node (hybrid)

In the registry look for NodeType and/or DhcpNodeType.
When you cannot view other workgroup computers, remove these keys and reboot.

If you still see a wrong node type after reboot, check your DHCP option 46.
Still not working, try manually creating the NodeType registry key.


Greetz,

Louis
-----Original message-----
Sent: Tuesday 22 March 2016 16:17
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hai
In the end, I found the problem today.
The PC (Win7 64-bit) with this problem had a wrong network setting and 2
NICs.
I removed 1 NIC.
ipconfig /all showed what was wrong.
The node type was wrong.
The "problem" PC had mixed set.
And not hybrid (0x8) (H-Node).
After changing this back to H-Node and removing the 2nd NIC,
rebooted the PC and it works again now.
Hope this helps someone.
Greetz,
Louis
-----Original message-----
Sent: Tuesday 22 March 2016 15:11
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
mj
2016-03-23 13:08:25 UTC
Hi Sébastien,
Clicking on the link in the events viewer (which *never* fails) opens it
as the logged in user, that's why I'm convinced the issue is tied to
machine accounts handling
I have had problems with machine accounts accessing sysvol folders on
Samba DCs. I solved this by adding a gid & uid to the machine accounts.

Perhaps try that?

MJ
mj
2016-03-23 16:01:08 UTC
And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in RSAT
I added them using LAM, because yes: using RSAT I also could not.

(lam: www.ldap-account-manager.org/)
Ryan Ashley
2016-03-26 21:04:14 UTC
I add UNIX attributes (gid/uid) using RSAT. You need to select an
additional option when installing the tools. I believe it is "something
for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
set the uid/gid as well as group memberships for UNIX systems. I have
done this on my networks, but I may have forgotten it on this one. I
will check. I still have the issue, it is not a "node type" issue.

Lead IT/IS Specialist
Reach Technology FP, Inc
mathias dufresne
2016-03-29 09:57:41 UTC
I'm not an expert in idmap (at all in fact :p) but I thought idmap stuff
was there to replace RFC2307 UID/GID declared in AD/LDAP objects.
In other words, if you configure idmap correctly in smb.conf I expect
you no longer need to declare UID/GID for machine accounts.

Anyway, here my machines get access to their GPO: I tested one computer's
GPO this morning, the one giving the possibility to use userPrincipalName
without @samba.domain.tld when logging into a computer. That worked, so the
GPO was applied, and my machines have no UID/GID nor does my smb.conf contain
anything about idmap:
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller

server services = -dns
idmap_ldb:use rfc2307 = yes

# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99

#kccsrv:samba_kcc=true

[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------

But my nsswitch.conf is configured to use winbind:
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind

And that works:
For users:
id administrator
uid=0(root) gid=0(root) groupes=0(root)
For computers:
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
groupes=3000011(AD.DGFIP\domain
controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password
replication group)

So idmapping seems to be enabled by default, as there are no UID/GID
declared on the DC200 computer:
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7

So I still expect an issue about mapping computer accounts to UNIX/Linux
local user.

Hoping this helps, cheers,

mathias
mathias dufresne
2016-03-29 13:14:05 UTC
To see which DC is used by a Windows client: open an MS-DOS console, type
"set", look for LOGONSERVER=\\<your_dc>

<your_dc> is the DC used to connect on.

If the issue comes from one DC I would look at sysvol synchronisation between
DCs, ACLs on all sysvols, DNS entries (but I don't think that's a DNS issue if
you only have a GPO issue).
Hi
Same here, GPOs work without UID/GID on the machine account (since the issue
"resolves" itself sometimes).
It really seems to depend on which DC is chosen at start.
One of the affected machines just recovered without any change except a
reboot.
So I guess the root issue is the Kerberos one, "max reference tickets exceeded",
but I cannot see why it happens and on which DC.
I noticed this morning that sysvolcheck returns errors that won't be fixed
by sysvolreset (!), I manually fixed ntacl but this does not seem to have
fixed anything.
Regards
mathias dufresne
2016-03-29 13:16:38 UTC
About sysvolreset errors: send them to us. There is (at least) one error
from sysvolcheck which is not very important (if I have understood it
well): ACL is set on the FS to Local Admins when it should be Domain Admins (or
the contrary). That one should be a simple warning, or it is and it can be
ignored (once more: according to my memory).
L.P.H. van Belle
2016-03-29 13:46:31 UTC
But still, events log show a warning about kerberos ticket from LsaSrv
source and right after a permission denied on GPT.ini
And a getfacl of the problem GPO SID please, i'll check.

And a output of ipconfig /all on the problem pc.

And question, dedicated IP or dhcp IP?


Greetz,

Louis
-----Original message-----
Sent: Tuesday 29 March 2016 15:41
CC: samba
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
LOGONSERVER is the server used to authenticate the currently logged in user;
this does not mean that it is the one from which the machine GPO was fetched
(which seems to be round-robinized, but maybe not).
Got no more sysvolcheck errors, manually fixed those (what a pain).
But still, the event log shows a warning about a Kerberos ticket from the LsaSrv
source and right after a permission denied on GPT.ini.
Regards
L.P.H. van Belle
2016-03-29 14:18:17 UTC
I don't read any French but translators work ok. ;-) pfew..

Ok, any firewalling on the DCs? If so, open TCP and UDP port 88.
Or try shortly without firewalls on, on the DCs.

Another option to try is to reduce the MaxPacketSize in Windows.

Looks like a too-big packet which is rejected.

Oh, and the above is also needed on the DNS port 53.
Open TCP and UDP.

If the UDP packets are too big, TCP is tried.


And let us know the result.

Greetz,

Louis
-----Original message-----
Sent: Tuesday 29 March 2016 16:10
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hi
French windows version
LSA Error
Nom du journal :System
Source : LsaSrv
Date : 29/03/2016 15:49:56
ID de l'événement :40960
Catégorie de la tâche :Aucun
Niveau : Avertissement
Utilisateur : Système
Ordinateur : computer.domain
Le système de sécurité a détecté une erreur d'authentification pour le
serveur cifs/domain. Le code de la panne à partir du protocole
d'authentification Kerberos était "Le nombre maximal de tickets de
référence a été dépassé.
(0xc00002f4)".
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="LsaSrv"
Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<EventRecordID>8737</EventRecordID>
<Correlation />
<Execution ProcessID="840" ThreadID="900" />
<Channel>System</Channel>
<Computer>computer.domain</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Target">cifs/computer.domain</Data>
<Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence a été
dépassé.
(0xc00002f4)"</Data>
</EventData>
</Event>
GPT.ini error
Nom du journal :System
Source : LsaSrv
Date : 29/03/2016 15:49:56
ID de l'événement :40960
Catégorie de la tâche :Aucun
Niveau : Avertissement
Utilisateur : Système
Ordinateur : computer.domain
Le système de sécurité a détecté une erreur d'authentification pour le
serveur cifs/domain. Le code de la panne à partir du protocole
d'authentification Kerberos était "Le nombre maximal de tickets de
référence a été dépassé.
(0xc00002f4)".
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="LsaSrv"
Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<EventRecordID>8737</EventRecordID>
<Correlation />
<Execution ProcessID="840" ThreadID="900" />
<Channel>System</Channel>
<Computer>computer.domain</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Target">cifs/domain</Data>
<Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence a été
dépassé.
(0xc00002f4)"</Data>
</EventData>
</Event>
\{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000008:r-x
default:group::---
default:group:10000:rwx
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000007:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---
DHCP IP
Regards
Post by L.P.H. van Belle
But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini
And a getfacl of the problem GPO SID please, I'll check.
And an output of ipconfig /all on the problem pc.
And question, dedicated IP or dhcp IP?
Greetz,
Louis
-----Original message-----
Ray
Sent: Tuesday 29 March 2016 15:41
CC: samba
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
LOGONSERVER is the server used to authenticate the currently logged in user, this does not mean that it is the one from which the machine GPO was fetched (which seems to be round-robinized, but maybe not)
Got no more sysvolcheck errors, manually fixed those (what a pain)
But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini
Regards
Post by mathias dufresne
About sysvolreset errors: send them to us. There is (at least) one error from sysvolcheck which is not too much important (if I have well understood it): ACL is set on FS to Local Admins when it should be Domain admins (or the contrary). That one should be a simple warning, or it is and it can be ignored (once more: according to my memory).
Post by mathias dufresne
To see which DC is used by Windows client: open a MSDOS console, type "set", look for LOGONSERVER=\\<your_dc>
<your_dc> is the DC used to connect on.
If issue comes from one DC I would have a look at sysvol synchronisation between DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if you have only GPO issue).
2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-
Hi
Same here, GPO work without UID/GID on machine account (since issue "resolves" itself sometime)
It really seems to depend on which DC is chosen at start.
One of the affected machines just recovered without any change except a reboot
So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC
I noticed this morning that sysvolcheck returns errors that won't be fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to have fixed anything
Regards
Post by mathias dufresne
I'm not an expert in idmap (at all in fact :p) but I thought idmap stuff was here to replace RFC2307 UID/GID declared into AD/LDAP objects.
In other words, if you configure idmap correctly into smb.conf I expect you don't need to declare UID/GID for machine accounts any more.
Anyway here my machines get access to their GPO: I tested one computer's GPO this morning, the one giving the possibility to use userPrincipalName worked so the GPO was applied and my machines have no UID/GID nor my smb.conf contains
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99
#kccsrv:samba_kcc=true
[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
id administrator
uid=0(root) gid=0(root) groupes=0(root)
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
So idmapping seems to be enabled by default as there are no UID/GID
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
So I still expect an issue about mapping computer accounts to UNIX/Linux local user.
Hoping this helps, cheers,
mathias
Post by Ryan Ashley
I add UNIX attributes (gid/uid) using RSAT. You need to select an additional option when installing the tools. I believe it is "something for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to set the uid/gid as well as group memberships for UNIX systems. I have done this on my networks, but I may have forgotten it on this one. I will check. I still have the issue, it is not a "node type" issue.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by mj
And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in RSAT
I added them using LAM, because yes: using RSAT I also could not.
(lam: www.ldap-account-manager.org/)
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
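The getfacl listing quoted above can be checked mechanically against a machine account's ids rather than by eye. Added example, not code from the Samba project or from anyone in this thread: it evaluates the effective POSIX ACL rights in the order the kernel applies (owner, named user, group class under the mask, other); Mathias's `id dc200$` output from a different domain stands in for the machine account, so the result is illustrative, and the name table and trimmed default entries are constructed.

```python
"""Effective POSIX ACL rights of a machine account on a GPO directory.

Added example for this thread, not code from Samba or from the posters. It parses
a getfacl listing as quoted above plus the uid/gid set printed by `id`, then applies
the POSIX ACL access order (owner, named user, group class under the mask, other).
Ids are those quoted in the thread; the name table is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample: the GPO directory ACL quoted in the thread (default entries trimmed).
GETFACL_OUTPUT = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:other::---
"""
# Constructed sample: `id dc200$` as quoted in the thread (a French locale prints "groupes=").
ID_DC200 = ("uid=3000025(AD.DGFIP\\dc200$) gid=3000011(AD.DGFIP\\domain controllers) "
            "groupes=3000011(AD.DGFIP\\domain controllers),3000025(AD.DGFIP\\dc200$),"
            "3000002(AD.DGFIP\\denied rodc password replication group)")
NAME_TO_ID = {"root": 0}   # constructed table for qualifiers getfacl printed as names

@dataclass
class PosixAcl:
    owner: str = ""               # "# owner:" header
    group: str = ""               # "# group:" header (owning group)
    user_obj: str = "---"         # user::  entry, applies to the owner
    group_obj: str = "---"        # group:: entry, applies to the owning group
    other: str = "---"
    mask: str = "rwx"             # no mask entry means no restriction
    named_users: Dict[str, str] = field(default_factory=dict)
    named_groups: Dict[str, str] = field(default_factory=dict)

def parse_getfacl(text: str) -> PosixAcl:
    """Parse the access ACL from getfacl output; default:* entries are skipped."""
    acl = PosixAcl()
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()   # drop getfacl's effective-rights note
        if not line or line.startswith("default:"):
            continue
        if line.startswith("#"):
            header = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if header:
                setattr(acl, header.group(1), header.group(2))
            continue
        tag, qualifier, perms = line.split(":", 2)
        if tag in ("user", "group") and qualifier:
            (acl.named_users if tag == "user" else acl.named_groups)[qualifier] = perms
        else:
            setattr(acl, {"user": "user_obj", "group": "group_obj"}.get(tag, tag), perms)
    return acl

def _mask(perms: str, mask: str) -> str:
    """Keep only the bits present in both the entry and the mask."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def _resolve(qualifier: str, names: Dict[str, int]) -> int:
    return int(qualifier) if qualifier.isdigit() else names.get(qualifier, -1)

def effective_perms(acl: PosixAcl, uid: int, gids: Set[int],
                    names: Dict[str, int] = NAME_TO_ID) -> str:
    """POSIX ACL access check order: owner, named user, group class, other."""
    if uid == _resolve(acl.owner, names):
        return acl.user_obj                  # the owner entry is never masked
    for qualifier, perms in acl.named_users.items():
        if uid == _resolve(qualifier, names):
            return _mask(perms, acl.mask)
    matched = [acl.group_obj] if _resolve(acl.group, names) in gids else []
    matched += [p for q, p in acl.named_groups.items() if _resolve(q, names) in gids]
    if matched:                              # any matching group entry: never fall through to other
        return _mask("".join(max(bits) for bits in zip(*matched)), acl.mask)
    return acl.other

def parse_id_output(text: str) -> Tuple[int, Set[int]]:
    """Extract uid and the full gid set from one line of `id` output."""
    uid = int(re.search(r"uid=(\d+)", text).group(1))
    gid = int(re.search(r"gid=(\d+)", text).group(1))
    groups = re.search(r"\bgroup\w*=(.*)$", text).group(1)   # "groups=" or "groupes="
    return uid, {gid} | {int(n) for n in re.findall(r"(?:^|,)(\d+)\(", groups)}

if __name__ == "__main__":
    uid, gids = parse_id_output(ID_DC200)
    perms = effective_perms(parse_getfacl(GETFACL_OUTPUT), uid, gids)
    print(f"dc200$ -> {perms}; traverse+list GPO dir: {'r' in perms and 'x' in perms}")
```

Reading gpt.ini below the directory needs both r and x on the directory for the machine account's uid or one of its gids; an entry that getfacl shows as rwx but a mask of r-x trims is a common reason "the ACL looks right" yet access fails.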
L.P.H. van Belle
2016-03-29 14:52:45 UTC
Permalink
Ok, where do your pc's get the DNS info from?
Server : AD-DC + DNS
Or
Server : AD-DC
+
Some other server with DNS

Can you give the output of
dig NS your.domain.tld

and tell us what that is.
-----Original message-----
Sent: Tuesday 29 March 2016 16:31
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
No firewall configured on DCs
telnet dc 88 & 53 works fine (so TCP at least is OK).
53 isn't mandatory since AD zone is a delegation so clients never talk
to AD NS directly
Regards
Post by L.P.H. van Belle
I don't read any French but translators work ok. ;-) pfew..
Ok, any firewalling on the DC's? If so, open TCP and UDP port 88.
Or try briefly without firewalls on, on the DC's.
Another option to try is reducing the MaxPacketSize in Windows.
Looks like a too big packet which is rejected.
Oh, and the above is also needed on the DNS port 53.
Open TCP and UDP.
If the UDP packets are too big, TCP is tried.
And let us know the result.
Greetz,
Louis
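The LsaSrv 40960 records quoted in this thread carry the Kerberos failure code in a locale-independent form, which makes them usable for detection even when the message text is French. Added example, not code from the posters or from Samba: it pairs each Group Policy 1058 with the last 40960 Kerberos failure on the same computer and names the NTSTATUS; it assumes 1058 is logged by provider Microsoft-Windows-GroupPolicy, and the 1058 field names and all sample records are constructed.

```python
"""Pair Group Policy 1058 failures with the LsaSrv 40960 Kerberos warning before them.

Added example for this thread, not code from the posters or from Samba. Parses
Windows events in the XML form quoted above, decodes the NTSTATUS in the 40960
"Error" field, and reports each 1058 with the last Kerberos failure seen on the
same computer inside a short window. Assumed: 1058 comes from provider
"Microsoft-Windows-GroupPolicy"; its EventData names and all samples are constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

XMLNS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": XMLNS}
GP_PROVIDER = "Microsoft-Windows-GroupPolicy"   # assumption, see the lead-in

# Well-known NTSTATUS values from ntstatus.h that LsaSrv 40960 commonly carries.
NTSTATUS = {
    0xC00002F4: "STATUS_MAX_REFERRALS_EXCEEDED",   # the code quoted in this thread
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def make_event(provider: str, event_id: int, when: str, computer: str, data: Dict[str, str]) -> str:
    """Build a minimal record in the schema quoted above (used for constructed samples only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{XMLNS}"><System><Provider Name="{provider}" />'
            f'<EventID>{event_id}</EventID><Channel>System</Channel>'
            f'<TimeCreated SystemTime="{when}" /><Computer>{computer}</Computer>'
            f'</System><EventData>{body}</EventData></Event>')

GPT_INI = r"\\domain\sysvol\domain\Policies\{SomeGUID}\gpt.ini"   # placeholder path
SAMPLE_EVENTS = [
    # Modelled on the LsaSrv record quoted in the thread (French message text kept as logged).
    make_event("LsaSrv", 40960, "2016-03-29T13:49:56.437021000Z", "computer.domain",
               {"Target": "cifs/domain", "Protocol": "Kerberos",
                "Error": '"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"'}),
    make_event(GP_PROVIDER, 1058, "2016-03-29T13:49:58.010000000Z", "computer.domain",
               {"FilePath": GPT_INI}),
    # Kerberos failure on another host with no 1058 after it: nothing to report.
    make_event("LsaSrv", 40960, "2016-03-29T13:55:00.000000000Z", "other.domain",
               {"Target": "cifs/dc1.domain", "Protocol": "Kerberos", "Error": '"... (0xc000006a)"'}),
    # 1058 with no Kerberos failure in the window: reported without a cause.
    make_event(GP_PROVIDER, 1058, "2016-03-29T14:10:00.000000000Z", "third.domain",
               {"FilePath": GPT_INI}),
]

def parse_systemtime(value: str) -> datetime:
    """SystemTime carries up to nine fractional digits; datetime keeps six."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base.replace(microsecond=int((m.group(2) or "0")[:6].ljust(6, "0")))

def parse_event(xml_text: str) -> Dict[str, Any]:
    root = ET.fromstring(xml_text)
    sysel = root.find("e:System", NS)
    return {
        "provider": sysel.find("e:Provider", NS).get("Name"),
        "event_id": int(sysel.find("e:EventID", NS).text),
        "time": parse_systemtime(sysel.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": sysel.find("e:Computer", NS).text,
        "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
    }

def kerberos_failure(ev: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Failure code, its NTSTATUS name and the target SPN from an LsaSrv 40960 Kerberos record."""
    data = ev["data"]
    if ev["provider"] != "LsaSrv" or ev["event_id"] != 40960 or data.get("Protocol") != "Kerberos":
        return None
    m = re.search(r"\(0x([0-9a-fA-F]{8})\)", data.get("Error", ""))   # code is locale independent
    if not m:
        return None
    code = int(m.group(1), 16)
    return {"code": code, "status": NTSTATUS.get(code, "unknown"), "target": data.get("Target", "")}

def correlate(xml_events: List[str], window_seconds: int = 60) -> List[Dict[str, Any]]:
    """Each 1058, with the last Kerberos failure on the same computer inside the window (or None)."""
    events = sorted((parse_event(x) for x in xml_events), key=lambda e: e["time"])
    window = timedelta(seconds=window_seconds)
    last_failure: Dict[str, tuple] = {}
    findings = []
    for ev in events:
        failure = kerberos_failure(ev)
        if failure:
            last_failure[ev["computer"]] = (ev["time"], failure)
        elif ev["provider"] == GP_PROVIDER and ev["event_id"] == 1058:
            prior = last_failure.get(ev["computer"])
            cause = prior[1] if prior and ev["time"] - prior[0] <= window else None
            findings.append({"computer": ev["computer"], "time": ev["time"].isoformat(),
                             "file": ev["data"].get("FilePath", ""), "cause": cause})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The target SPN in the paired 40960 (cifs/domain versus cifs/<dc host>) tells you which name the client was trying to get a ticket for when the sysvol read failed, which is what the thread is trying to establish by hand.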
L.P.H. van Belle
2016-03-29 15:03:58 UTC
Permalink
Ok, same as I'm running.

DC => (replicated zones) => Slave DNS << == Client pc's.

Have you tried to reset the network id manually from within Windows?
( where you change/add the computer to the network )
The button "change network-id."

I have seen these things also with pc's which are wrongly sysprepped.
Which causes same SIDs for the pc's.

But please also try pointing the problem pc to the DCs as DNS, please do try it.
-----Original message-----
Sent: Tuesday 29 March 2016 16:58
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Company's dns which recurse on AD DC for my.ad.domain subdomain
Regards
the
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-03-29 14:55:43 UTC
And I found this link.

http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm

also good to read.
-----Original message-----
Sent: Tuesday 29 March 2016 16:31
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
No firewall configured on DCs
telnet dc 88 & 53 works fine (so TCP at least is OK).
53 isn't mandatory since AD zone is a delegation so clients never talk to AD NS directly
Regards
Post by L.P.H. van Belle
I don't read any French but translators work OK. ;-) pfew..
OK, any firewalling on the DCs? If so, open TCP and UDP port 88.
Or try briefly without firewalls on the DCs.
Another option to try is reducing the MaxPacketSize in Windows.
Looks like a too-big packet which is rejected.
Oh, and the above is also needed on the DNS port 53.
Open TCP and UDP.
If the UDP packets are too big, TCP is tried.
And let us know the result.
Greetz,
Louis
-----Original message-----
Sent: Tuesday 29 March 2016 16:10
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hi
French Windows version
LSA Error
Nom du journal :System
Source : LsaSrv
Date : 29/03/2016 15:49:56
ID de l'événement :40960
Catégorie de la tâche :Aucun
Niveau : Avertissement
Utilisateur : Système
Ordinateur : computer.domain
Le système de sécurité a détecté une erreur d'authentification pour le
serveur cifs/domain. Le code de la panne à partir du protocole
d'authentification Kerberos était "Le nombre maximal de tickets de
référence a été dépassé.
(0xc00002f4)".
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<EventRecordID>8737</EventRecordID>
<Correlation />
<Execution ProcessID="840" ThreadID="900" />
<Channel>System</Channel>
<Computer>computer.domain</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Target">cifs/computer.domain</Data>
<Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data>
</EventData>
</Event>
GPT.ini error
Nom du journal :System
Source : LsaSrv
Date : 29/03/2016 15:49:56
ID de l'événement :40960
Catégorie de la tâche :Aucun
Niveau : Avertissement
Utilisateur : Système
Ordinateur : computer.domain
Le système de sécurité a détecté une erreur d'authentification pour le
serveur cifs/domain. Le code de la panne à partir du protocole
d'authentification Kerberos était "Le nombre maximal de tickets de
référence a été dépassé.
(0xc00002f4)".
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<EventRecordID>8737</EventRecordID>
<Correlation />
<Execution ProcessID="840" ThreadID="900" />
<Channel>System</Channel>
<Computer>computer.domain</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Target">cifs/domain</Data>
<Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data>
</EventData>
</Event>
\{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000008:r-x
default:group::---
default:group:10000:rwx
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000007:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---
DHCP IP
Regards
Post by L.P.H. van Belle
But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini
And a getfacl of the problem GPO SID please, I'll check.
And an output of ipconfig /all on the problem pc.
And question, dedicated IP or DHCP IP?
Greetz,
Louis
-----Original message-----
Ray
Sent: Tuesday 29 March 2016 15:41
CC: samba
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
LOGONSERVER is the server used to authenticate the currently logged in user, this does not mean that it is the one from which the machine GPO was fetched (which seem to be round-robinized, but maybe not)
Got no more sysvolcheck error, manually fixed those (what a pain)
But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini
Regards
Post by mathias dufresne
About sysvolreset errors: send them to us. There is (at least) one error from sysvolcheck which is not too much important (if I have well understood it): ACL is set on FS to Local Admins when it should be Domain admins (or the contrary). That one should be a simple warning, or it is and it can be ignored (once more: according to my memory).
To see which DC is used by Windows client: open a MSDOS console, type "set", look for LOGONSERVER=\\<your_dc>
<your_dc> is the DC used to connect on.
If issue comes from one DC I would have on sysvol synchronisation between DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if you have only GPO issue).
2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-
Hi
Same here, GPO work without UID/GID on machine account (since issue "resolves" itself sometime)
It really seems to depend on which DC is chosen at start.
One of the affected machines just recovered without any change except a reboot
So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC
I noticed this morning that sysvolcheck returns errors that won't be fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to have fixed anything
Regards
Post by mathias dufresne
I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs were here to replace RFC2307 UID/GID declared into AD/LDAP objects.
In other words, if you configure correctly idmap into smb.conf I expect you don't need any more declaring UID/GID for machine accounts.
Anyway here my machines get access to their GPO: I tested one computer's GPO this morning, the one giving the possibility to use userPrincipalName worked so the GPO was applied and my machines have no UID/GID nor my smb.conf contains
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99
#kccsrv:samba_kcc=true
[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
id administrator
uid=0(root) gid=0(root) groupes=0(root)
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
So idmapping seems to be enabled by default as there are no UID/GID
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
So I still expect an issue about mapping computer accounts to UNIX/Linux local user.
Hoping this helps, cheers,
mathias
Post by Ryan Ashley
I add UNIX attributes (gid/uid) using RSAT. You need to select an additional option when installing the tools. I believe it is "something for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to set the uid/gid as well as group memberships for UNIX systems. I have done this on my networks, but I may have forgotten it on this one. I will check. I still have the issue, it is not a "node type" issue.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by mj
And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in RSAT
I added them using LAM, because yes: using RSAT I also could not.
(lam: www.ldap-account-manager.org/)
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
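As an added example (not code from this thread, from Samba or from any of the posters), a small Python triage script that joins the LsaSrv 40960 records quoted above to Group Policy 1058 failures on the same host, so a defender can tell a gpt.ini denial that follows the Kerberos "maximum referral tickets exceeded" warning from one that does not (the latter is the plain sysvol ACL case). The two 40960 records are taken from the thread; the 1058 records, their Data field names and the Microsoft-Windows-GroupPolicy provider name are constructed sample input, not taken from the page.

```python
# Added example (not from the thread): correlate the LsaSrv 40960 Kerberos
# warnings quoted above with Group Policy 1058 gpt.ini read failures, per host.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS quoted in the 40960 events on this page ("maximum referral tickets exceeded").
MAX_REFERRALS_EXCEEDED = "0xc00002f4"


def parse_time(system_time):
    """Parse TimeCreated/@SystemTime; Windows writes 7 to 9 fractional digits."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S") + timedelta(microseconds=micros)


def parse_event(xml_text):
    """Flatten one <Event> record into the fields triage needs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {}
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for item in event_data.findall("e:Data", NS):
            data[item.get("Name")] = (item.text or "").strip()
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.find("e:Computer", NS).text,
        "data": data,
    }


def correlate(events, window_seconds=60):
    """For every 1058, collect 40960 referral failures on the same host in the
    preceding window. A 1058 with none is a plain ACL/sysvol problem to chase;
    one with precursors points at Kerberos/DC selection instead."""
    events = sorted(events, key=lambda e: e["time"])
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in events:
        if ev["event_id"] != 1058:
            continue
        precursors = [
            k for k in events
            if k["event_id"] == 40960
            and k["computer"] == ev["computer"]
            and MAX_REFERRALS_EXCEEDED in k["data"].get("Error", "").lower()
            and ev["time"] - window <= k["time"] <= ev["time"]
        ]
        findings.append({
            "computer": ev["computer"],
            "gpt_time": ev["time"].isoformat(),
            "file_path": ev["data"].get("FilePath", ""),
            "kerberos_targets": [k["data"].get("Target", "") for k in precursors],
            "likely_kerberos_referral": bool(precursors),
        })
    return findings


def _event_xml(provider, event_id, system_time, computer, data):
    """Build a minimal record in the same shape as the page's 40960 XML dumps."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}" />'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{system_time}" />'
            f'<Computer>{computer}</Computer></System><EventData>{items}</EventData></Event>')


FRENCH_ERROR = '"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"'
GPT_INI = r"\\domain\sysvol\domain\Policies\{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}\gpt.ini"

# Constructed sample: the two 40960 records from the thread, followed by a
# constructed 1058 on the same host (provider and Data names are assumed, not
# taken from the page), and a second constructed 1058 on another host with no
# Kerberos precursor at all.
SAMPLE_XML = [
    _event_xml("LsaSrv", 40960, "2016-03-29T13:49:56.437021000Z", "computer.domain",
               {"Target": "cifs/computer.domain", "Protocol": "Kerberos", "Error": FRENCH_ERROR}),
    _event_xml("LsaSrv", 40960, "2016-03-29T13:49:56.437021000Z", "computer.domain",
               {"Target": "cifs/domain", "Protocol": "Kerberos", "Error": FRENCH_ERROR}),
    _event_xml("Microsoft-Windows-GroupPolicy", 1058, "2016-03-29T13:49:57.1020000Z",
               "computer.domain", {"FilePath": GPT_INI, "ErrorCode": "5"}),
    _event_xml("Microsoft-Windows-GroupPolicy", 1058, "2016-03-29T13:52:00.0000000Z",
               "other.domain", {"FilePath": GPT_INI, "ErrorCode": "5"}),
]
SAMPLE_EVENTS = [parse_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On a real host, feed it the XML view of the System log exported from Event Viewer (or `wevtutil qe System /f:xml`) instead of the constructed sample.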
L.P.H. van Belle
2016-03-22 15:16:59 UTC
Hai

In the end, I found the problem today.

The pc win7-64b with this problem had a wrong network setting and 2 nics.
I removed 1 nic.
Ipconfig /all gave what was wrong.

The nodetype was wrong.
The "problem" pc had mixed set.
And not hybrid (0x8) (H Node)
After changing this back to H-node and removing the 2nd nic.
Rebooted the pc and it works again now.

Hope this helps someone.


Greetz,

Louis
-----Original message-----
Sent: Tuesday 22 March 2016 15:11
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
I just saw this thread while browsing my emails and I want to report
that I get this frequently but randomly on every Samba4 domain I run. It
is completely random in that it affects a PC today, but a week from now
that same PC may work just fine. It may then affect a different PC which
had no issues prior.
Also, if I click the link to "gpt.ini" in the event log the file DOES
open and I can view it all day long. It is almost as though the system
lies to me in saying it cannot access the file, but it can. I have been
dealing with this for two years now.
Finally, this seems to occur MUCH more frequently on domains which have
multiple DCs. A single DC domain may have this happen once in a year,
and only for a moment, whereas a multiple DC domain may have this happen
regularly.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by l***@gmail.com
Have you tried running 'gpresult /H GPReport.html' on the workstation and see if it provides any details? You can also run 'Group Policy Results' from within Microsoft Group Policy Management snap in.
Yes, it shows an error about maximum kerberos tickets exceeded but I take that for a generic error message?
Post by l***@gmail.com
Are you using Item level targeting in your GPO?
No
When this error happens, can you confirm if you can manually navigate to the file? Open file explorer and enter the UNC path.
ie. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini
On the workstation having the issue.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-03-30 10:01:21 UTC
I found this one.
Check which one works for you.

http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm

I'm sure this is not a samba configuration problem.


Greetz,

Louis
Ryan Ashley
2016-04-14 14:42:25 UTC
Sorry for my delayed response, my job has had me out of state for a
while. I wanted to add that I am not getting the Kerberos error in my
event logs. It just flat out claims that it cannot read gpt.ini for some
reason. This happens randomly, whether dc01 or dc02 is the logon server,
and the strange part is that most PCs can work fine, but one or two
randomly won't.

In other words, if pc1 and pc3 are using dc01, and pc2 is using dc02,
pc1 and pc2 work fine, but pc3 says it can't read the gpt.ini on dc01.
This may persist for weeks, then it suddenly works.

Lead IT/IS Specialist
Reach Technology FP, Inc
Post by L.P.H. van Belle
I found this one.
Check which one works for you.
http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm
Im sure this is not a samba configuration problem.
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: dinsdag 29 maart 2016 16:18
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
I dont read any france but translators work ok. ;-) pfew..
Ok any firewalling on the DC's? if so, open TCP and UDP port 88.
Or try short without firewalls on, on the DC's.
Other options to try is recude the MaxPacketSize in windows.
Looks like a to big package which is rejected.
Ow and above is also needed on the DNS port 53.
Open tcp and udp.
If the upd packages are to big, tcp is tried.
And let us know the result.
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: dinsdag 29 maart 2016 16:10
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hi
French windows version
LSA Error
Nom du journal :System
Source : LsaSrv
Date : 29/03/2016 15:49:56
ID de l?événement :40960
Catégorie de la tâche :Aucun
Niveau : Avertissement
Utilisateur : Système
Ordinateur : computer.domain
Le système de sécurité a détecté une erreur d?authentification pour le
serveur cifs/domain. Le code de la panne à partir du protocole
d?authentification Kerberos était "Le nombre maximal de tickets de
référence a été dépassé.
(0xc00002f4)".
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="LsaSrv"
Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<EventRecordID>8737</EventRecordID>
<Correlation />
<Execution ProcessID="840" ThreadID="900" />
<Channel>System</Channel>
<Computer>computer.domain</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Target">cifs/computer.domain</Data>
<Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence a été
dépassé.
(0xc00002f4)"</Data>
</EventData>
</Event>
GPT.ini error
Nom du journal :System
Source : LsaSrv
Date : 29/03/2016 15:49:56
ID de l'événement :40960
Catégorie de la tâche :Aucun
Niveau : Avertissement
Utilisateur : Système
Ordinateur : computer.domain
Le système de sécurité a détecté une erreur d'authentification pour le
serveur cifs/domain. Le code de la panne à partir du protocole
d'authentification Kerberos était "Le nombre maximal de tickets de
référence a été dépassé.
(0xc00002f4)".
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="LsaSrv"
Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<EventRecordID>8737</EventRecordID>
<Correlation />
<Execution ProcessID="840" ThreadID="900" />
<Channel>System</Channel>
<Computer>computer.domain</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Target">cifs/domain</Data>
<Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence a été
dépassé.
(0xc00002f4)"</Data>
</EventData>
</Event>
\{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000008:r-x
default:group::---
default:group:10000:rwx
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000007:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---
DHCP IP
Regards
Post by L.P.H. van Belle
But still, events log show a warning about kerberos ticket from LsaSrv
source and right after a permission denied on GPT.ini
And a getfacl of the problem GPO SID please, I'll check.
And an output of ipconfig /all on the problem pc.
And question, dedicated IP or dhcp IP?
Greetz,
Louis
-----Original message-----
Sent: Tuesday 29 March 2016 15:41
CC: samba
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
LOGONSERVER is the server used to authenticate currently logged in user,
this does not mean that it is the one on which machine GPO was fetched
(which seem to be round-robinized, but maybe not)
Got no more sysvolcheck error, manually fixed those (what a pain)
But still, events log show a warning about kerberos ticket from LsaSrv
source and right after a permission denied on GPT.ini
Regards
Post by mathias dufresne
About sysvolreset errors: send them to us. There is (at least) one error
from sysvolcheck which is not too much important (if I have well understood
it): ACL is set on FS to Local Admins when it should be Domain admins (or
the contrary). That one should be a simple warning, or it is and it can be
ignored (once more: according to my memory).
To see which DC is used by Windows client: open a MSDOS console, type
"set", look for LOGONSERVER=\\<your_dc>
<your_dc> is the DC used to connect on.
If issue comes from one DC I would have on sysvol synchronisation between
DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if
you have only GPO issue).
2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-
Hi
Same here, GPO work without UID/GID on machine account (since issue
"resolves" itself sometime)
It really seems to depend on which DC is chosen at start.
One of the affected machine just recovered without any change except a
reboot
So I guess root issue is the kerberos one "max reference tickets
exceeded" but cannot see why it happens and on which DC
I noticed this morning that sysvolcheck returns errors that won't be
fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to
have fixed anything
Regards
Post by mathias dufresne
I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs
were here to replace RFC2307 UID/GID declared into AD/LDAP objects.
In other words, if you configure correctly idmap into smb.conf I expect
you don't need any more declaring UID/GID for machine accounts.
Anyway here my machines get access to their GPO: I tested one computer's
GPO this morning, the one giving the possibility to use userPrincipalName
worked so the GPO was applied and my machines have no UID/GID nor my
smb.conf contains
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99
#kccsrv:samba_kcc=true
[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
id administrator
uid=0(root) gid=0(root) groupes=0(root)
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
So idmapping seems to be enabled by default as there are no UID/GID
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
So I still expect an issue about mapping computer accounts to UNIX/Linux
local user.
Hoping this helps, cheers,
mathias
Post by Ryan Ashley
I add UNIX attributes (gid/uid) using RSAT. You need to select an
additional option when installing the tools. I believe it is "something
for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
set the uid/gid as well as group memberships for UNIX systems. I have
done this on my networks, but I may have forgotten it on this one. I
will check. I still have the issue, it is not a "node type" issue.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by mj
And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in
RSAT
I added them using LAM, because yes: using RSAT I also could not.
(lam: www.ldap-account-manager.org/)
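Sébastien's observation above is that the LsaSrv 40960 Kerberos warning lands in the System log right before the 1058 gpt.ini failure. The following is an added example (not code from the thread or from Samba) that parses the Event XML quoted above with Python's standard library and pairs the two events per computer within a time window, which is the kind of correlation a log pipeline can do to spot affected clients. The 1058 record, its provider name and its Data fields are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass
class WinEvent:
    provider: str
    event_id: int
    time: datetime
    computer: str
    data: dict = field(default_factory=dict)   # EventData/Data values keyed by Name


def parse_system_time(value):
    """'2016-03-29T13:49:56.437021000Z' -> aware UTC datetime. Windows writes a
    9-digit fraction, more than strptime's %f accepts, so trim it to microseconds."""
    base, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def parse_event(xml_text):
    """Parse one Event XML record (the form Event Viewer shows on its XML tab)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows Event XML record")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS) if d.get("Name")}
    return WinEvent(
        provider=system.find("e:Provider", NS).get("Name"),
        event_id=int(system.findtext("e:EventID", namespaces=NS)),
        time=parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        computer=system.findtext("e:Computer", default="", namespaces=NS),
        data=data)


def is_kerberos_referral_failure(ev):
    """LsaSrv 40960 whose error text carries the status the thread's log shows."""
    return (ev.event_id == 40960 and ev.provider == "LsaSrv"
            and ev.data.get("Protocol") == "Kerberos"
            and "0xc00002f4" in ev.data.get("Error", "").lower())


def correlate(events, window=timedelta(seconds=60)):
    """Pair each Group Policy 1058 with the Kerberos 40960 failures logged on the
    same computer within `window` before it; pairs come out oldest first."""
    events = sorted(events, key=lambda e: e.time)
    pairs = []
    for gp in events:
        if gp.event_id != 1058:
            continue
        for lsa in events:
            if (is_kerberos_referral_failure(lsa) and lsa.computer == gp.computer
                    and gp.time - window <= lsa.time <= gp.time):
                pairs.append((lsa, gp))
    return pairs


# Event 40960 as posted in the thread (indentation removed, apostrophes repaired).
LSA_40960 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID><Version>0</Version><Level>3</Level><Task>0</Task>
<Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<EventRecordID>8737</EventRecordID><Correlation />
<Execution ProcessID="840" ThreadID="900" /><Channel>System</Channel>
<Computer>computer.domain</Computer><Security UserID="S-1-5-18" /></System>
<EventData><Data Name="Target">cifs/domain</Data>
<Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé.
(0xc00002f4)"</Data></EventData></Event>"""

# Constructed Event 1058 on the same host three seconds later. Its provider name,
# Data names and values are assumptions for this example, not taken from the thread.
GP_1058 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-GroupPolicy" /><EventID>1058</EventID>
<Level>2</Level><TimeCreated SystemTime="2016-03-29T13:49:59.100000000Z" />
<Channel>System</Channel><Computer>computer.domain</Computer></System>
<EventData><Data Name="ErrorCode">5</Data>
<Data Name="Path">\\domain\sysvol\domain\Policies\{SomeGUID}\gpt.ini</Data>
</EventData></Event>"""

# Constructed: the same 1058 on another host, which must not pair with the LsaSrv event.
GP_1058_OTHER_HOST = GP_1058.replace("computer.domain", "other.domain")

if __name__ == "__main__":
    events = [parse_event(x) for x in (LSA_40960, GP_1058, GP_1058_OTHER_HOST)]
    for lsa, gp in correlate(events):
        print(f"{gp.computer}: 40960 for {lsa.data['Target']} at {lsa.time:%H:%M:%S}, "
              f"then 1058 on {gp.data.get('Path')} at {gp.time:%H:%M:%S}")
```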
Jonathan Hunter
2016-04-14 16:03:57 UTC
Permalink
I hate 'me too' replies - but I have also been struggling with this for
some years in my multi-DC environment. (yes, replicated sysvol via lsyncd +
rsync; permissions looked identical via getfacl last time I checked).
Sometimes a client machine will run gpupdate just fine; other times it will
fail, seemingly randomly.

My next step was going to be to run wireshark on a client machine to see if
the problem follows a particular DC or pattern - as someone has already
said elsewhere in this thread, the LOGONSERVER isn't necessarily the DC
that GPOs are fetched from.

I don't have UIDs/GIDs for my machine accounts but maybe I should try to
add them.. Unfortunately every time I sit down to troubleshoot this, the
client machine runs gpupdate with no errors at all; and of course every
time I make a GPO update that needs to be pushed out, it chooses that time
to not work.. :)

I will try and do some wireshark work and let you know what I find.. It's
definitely "not just you", though - and I'm glad it's not just me, as well!
:-)
Post by Ryan Ashley
Sorry for my delayed response, my job has had me out of state for a
while. I wanted to add that I am not getting the Kerberos error in my
event logs. It just flat out claims that it cannot read gpt.ini for some
reason. This happens randomly, whether dc01 or dc02 is the logon server,
and the strange part is that most PCs can work fine, but one or two
randomly won't.
In other words, if pc1 and pc3 are using dc01, and pc2 is using dc02,
pc1 and pc2 work fine, but pc3 says it can't read the gpt.ini on dc01.
This may persist for weeks, then it suddenly works.
Lead IT/IS Specialist
Reach Technology FP, Inc
--
"If we knew what it was we were doing, it would not be called research,
would it?"
- Albert Einstein
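Jonathan says the permissions "looked identical via getfacl"; comparing two DCs' ACLs by eye is exactly where drift on a replicated sysvol slips through. The following is an added example, not code from the thread or from Samba: it parses getfacl output in the format posted earlier, lists the entries that differ between two DCs, and computes the effective POSIX ACL access a given uid and group set receives on the policy folder. The DC "B" ACL, the computer account's uid 3000042 and its group 3000003 are constructed for the example.

```python
import re
from dataclasses import dataclass

# One getfacl(1) line: optional "default:" prefix, tag, qualifier, rwx triplet.
ACL_LINE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])$")


@dataclass(frozen=True, order=True)
class AclEntry:
    default: bool   # "default:" entries only seed the ACLs of newly created children
    tag: str        # user | group | mask | other
    qualifier: str  # uid/gid as getfacl printed it; "" for owner, owning group, mask, other
    perms: str      # e.g. "r-x"


def parse_getfacl(text):
    """Parse getfacl output into (header dict from the '# ...' lines, set of AclEntry)."""
    header, entries = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable ACL line: {raw!r}")
        default, tag, qualifier, perms = m.groups()
        entries.add(AclEntry(bool(default), tag, qualifier, perms))
    return header, entries


def acl_drift(acl_a, acl_b):
    """Entries present on only one DC: (only on A, only on B). Two empty lists mean no drift."""
    _, a = parse_getfacl(acl_a)
    _, b = parse_getfacl(acl_b)
    return sorted(a - b), sorted(b - a)


def effective_access(acl_text, uid, gids):
    """rwx set a process with this uid and group list gets, evaluated as POSIX.1e does:
    owner entry, else named user, else owning/named groups (both limited by the mask), else other."""
    header, entries = parse_getfacl(acl_text)
    acl = {(e.tag, e.qualifier): set(e.perms) - {"-"} for e in entries if not e.default}
    mask = acl.get(("mask", ""), {"r", "w", "x"})
    gids = {str(g) for g in gids}
    if str(uid) == header.get("owner"):
        return acl[("user", "")]
    if ("user", str(uid)) in acl:
        return acl[("user", str(uid))] & mask
    granted, matched = set(), False
    if header.get("group") in gids:
        granted, matched = granted | acl[("group", "")], True
    for g in gids:
        if ("group", g) in acl:
            granted, matched = granted | acl[("group", g)], True
    return granted & mask if matched else acl[("other", "")]


# getfacl output of the affected policy folder exactly as posted in the thread (DC "A").
GPO_ACL_DC_A = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000008:r-x
default:group::---
default:group:10000:rwx
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000007:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---
"""
# Constructed drifted copy standing in for DC "B": the read-only group lost its access.
GPO_ACL_DC_B = GPO_ACL_DC_A.replace("group:3000003:r-x\n", "group:3000003:---\n", 1)
# Constructed ids: a computer account that winbind mapped into gid 3000003.
COMPUTER_UID, COMPUTER_GIDS = "3000042", ["3000003"]

if __name__ == "__main__":
    print("drift (only on A, only on B):", acl_drift(GPO_ACL_DC_A, GPO_ACL_DC_B))
    print("computer access on A / B:", effective_access(GPO_ACL_DC_A, COMPUTER_UID, COMPUTER_GIDS),
          effective_access(GPO_ACL_DC_B, COMPUTER_UID, COMPUTER_GIDS))
```

Run it against `getfacl` output captured on each DC for the same policy GUID; a non-empty drift list or an empty access set on one DC is the condition that produces a gpt.ini read failure only when that DC is chosen.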
L.P.H. van Belle
2016-04-18 09:57:31 UTC
Permalink
Hai,

Yeah, you have probably one of these 2 problems. (or both)

1)
This is probably because your "computer" (user) does not have any access.
Recheck your permissions on the share and folders for that specific policy.

2)
Connection-specific suffix and/or network suffix is wrong.
Check if your pc is set up correctly with dhcp.
ipconfig /all (check these, and make sure you have "hybrid" (H-node))

This is not a samba problem but a configuration problem,
or a corruption in your ip stack, (netsh int ip reset) can help also.

I've posted a link before this one, go through it, there are multiple good options to check out.

http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm

Greetz,

Louis
-----Original message-----
Sent: Monday 18 April 2016 11:22
To: Jonathan Hunter; samba
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hi list
I have another box hitting the problem
It's rather strange since a manual run of gpupdate terminates smoothly,
the only failure seems to be at boot time (sadly this seems to prevent the
boot scripts from being run, which is of course what we need...)
My guess was that the issue was arising when boot-up GPO fetching wasn't
performed on the DC on which machine authentication was done (as I said
before, this is due to the fact that sysvol is supposed to be a DFS
share so it is accessed through \\domain.fqdn\ which, when using samba,
is a dumb round robin). So what I did was to remove all DNS entries for
domain.fqdn except for the site DC IP, thus ensuring that GPO was
fetched from the same machine... Without success
I ran wireshark during the machine boot-up sequence; it is basically:
dig -t SRV _ldap._tcp.dc._msdcs.domain.fqdn
<= all domain controllers
=> pick one to get my site
<= your site is XXX
dig -t SRV _ldap._tcp.XXX._sites.dc._msdcs.domain.fqdn
<= site DC
All subsequent communication is made with the DC the box fetched... Still
no success
I can see SMB2 negotiate protocol request/response, DNS updates, but
GPT.ini reading still fails
Regards
Post by Jonathan Hunter
I hate 'me too' replies - but I have also been struggling with this for
some years in my multi-DC environment. (yes, replicated sysvol via
lsyncd +
Post by Jonathan Hunter
rsync; permissions looked identical via getfacl last time I checked).
Sometimes a client machine will run gpupdate just fine; other times it
will
Post by Jonathan Hunter
fail, seemingly randomly.
My next step was going to be to run wireshark on a client machine to see
if
Post by Jonathan Hunter
the problem follows a particular DC or pattern - as someone has already
said elsewhere in this thread, the LOGONSERVER isn't necessarily the DC
that GPOs are fetched from.
I don't have UIDs/GIDs for my machine accounts but maybe I should try to
add them.. Unfortunately every time I sit down to troubleshoot this, the
client machine runs gpupdate with no errors at all; and of course every
time I make a GPO update that needs to be pushed out, it chooses that
time
Post by Jonathan Hunter
to not work.. :)
I will try and do some wireshark work and let you know what I find..
It's
Post by Jonathan Hunter
definitely "not just you", though - and I'm glad it's not just me, as
well!
Post by Jonathan Hunter
:-)
Post by Ryan Ashley
Sorry for my delayed response, my job has had me out of state for a
while. I wanted to add that I am not getting the Kerberos error in my
event logs. It just flat out claims that it cannot read gpt.ini for
some
Post by Jonathan Hunter
Post by Ryan Ashley
reason. This happens randomly, whether dc01 or dc02 is the logon
server,
Post by Jonathan Hunter
Post by Ryan Ashley
and the strange part is that most PCs can work fine, but one or two
randomly won't.
In other words, if pc1 and pc3 are using dc01, and pc2 is using dc02,
pc1 and pc2 work fine, but pc3 says it can't read the gpt.ini on dc01.
This may persist for weeks, then it suddenly works.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by L.P.H. van Belle
I found this one.
Check which one works for you.
http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-
8508-phase-1.htm
Post by Jonathan Hunter
Post by Ryan Ashley
Post by L.P.H. van Belle
Im sure this is not a samba configuration problem.
Greetz,
Louis
-----Oorspronkelijk bericht-----
Belle
Post by L.P.H. van Belle
Verzonden: dinsdag 29 maart 2016 16:18
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
I dont read any france but translators work ok. ;-) pfew..
Ok any firewalling on the DC's? if so, open TCP and UDP port 88.
Or try short without firewalls on, on the DC's.
Other options to try is recude the MaxPacketSize in windows.
Looks like a to big package which is rejected.
Ow and above is also needed on the DNS port 53.
Open tcp and udp.
If the upd packages are to big, tcp is tried.
And let us know the result.
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: dinsdag 29 maart 2016 16:10
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hi
French windows version
LSA Error
Nom du journal :System
Source : LsaSrv
Date : 29/03/2016 15:49:56
ID de l?événement :40960
Catégorie de la tâche :Aucun
Niveau : Avertissement
Utilisateur : Système
Ordinateur : computer.domain
Le système de sécurité a détecté une erreur d?authentification pour
le
Post by Jonathan Hunter
Post by Ryan Ashley
Post by L.P.H. van Belle
serveur cifs/domain. Le code de la panne à partir du protocole
d?authentification Kerberos était "Le nombre maximal de tickets de
référence a été dépassé.
(0xc00002f4)".
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
Post by Jonathan Hunter
Post by Ryan Ashley
Post by L.P.H. van Belle
<System>
<Provider Name="LsaSrv"
Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<EventRecordID>8737</EventRecordID>
<Correlation />
<Execution ProcessID="840" ThreadID="900" />
<Channel>System</Channel>
<Computer>computer.domain</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Target">cifs/computer.domain</Data>
<Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence
a
Post by Jonathan Hunter
Post by Ryan Ashley
été
Post by L.P.H. van Belle
dépassé.
(0xc00002f4)"</Data>
</EventData>
</Event>
GPT.ini error
Nom du journal :System
Source : LsaSrv
Date : 29/03/2016 15:49:56
ID de l?événement :40960
Catégorie de la tâche :Aucun
Niveau : Avertissement
Utilisateur : Système
Ordinateur : computer.domain
Le système de sécurité a détecté une erreur d?authentification pour
le
Post by Jonathan Hunter
Post by Ryan Ashley
Post by L.P.H. van Belle
serveur cifs/domain. Le code de la panne à partir du protocole
d?authentification Kerberos était "Le nombre maximal de tickets de
référence a été dépassé.
(0xc00002f4)".
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
Post by Jonathan Hunter
Post by Ryan Ashley
Post by L.P.H. van Belle
<System>
<Provider Name="LsaSrv"
Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<EventRecordID>8737</EventRecordID>
<Correlation />
<Execution ProcessID="840" ThreadID="900" />
<Channel>System</Channel>
<Computer>computer.domain</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Target">cifs/domain</Data>
<Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence
a
Post by Jonathan Hunter
Post by Ryan Ashley
été
Post by L.P.H. van Belle
dépassé.
(0xc00002f4)"</Data>
</EventData>
</Event>
\{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000008:r-x
default:group::---
default:group:10000:rwx
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000007:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---
DHCP IP
Regards
Post by L.P.H. van Belle
But still, the event log shows a warning about a Kerberos ticket from the LsaSrv
source and, right after, a permission denied on GPT.ini
And a getfacl of the problem GPO SID please, i'll check.
And a output of ipconfig /all on the problem pc.
And question, dedicated IP or dhcp IP?
Greetz,
Louis
-----Original message-----
From: Sébastien Le Ray
Sent: Tuesday, 29 March 2016 15:41
CC: samba
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
LOGONSERVER is the server used to authenticate the currently logged in
user, this does not mean that it is the one from which the machine GPO was
fetched (which seems to be round-robinized, but maybe not)
Got no more sysvolcheck errors, manually fixed those (what a pain)
But still, the event log shows a warning about a Kerberos ticket from the LsaSrv
source and, right after, a permission denied on GPT.ini
Regards
Post by mathias dufresne
About sysvolreset errors: send them to us. There is (at least) one error
from sysvolcheck which is not too important (if I have understood it
correctly): the ACL is set on the FS to Local Admins when it should be Domain
Admins (or the contrary). That one should be a simple warning, or it is and it
can be ignored (once more: according to my memory).
2016-03-29 15:14 GMT+02:00 mathias dufresne
To see which DC is used by a Windows client: open an MSDOS console, type
"set", look for LOGONSERVER=\\<your_dc>
<your_dc> is the DC used to connect on.
If the issue comes from one DC I would look at sysvol synchronisation
between DCs, ACLs on all sysvol, DNS entries (but I don't think that's a
DNS issue if you only have a GPO issue).
2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-
Hi
Same here, GPOs work without UID/GID on the machine account (since the issue
"resolves" itself sometimes)
It really seems to depend on which DC is chosen at start.
One of the affected machines just recovered without any change except a
reboot
So I guess the root issue is the Kerberos one, "max reference tickets
exceeded", but I cannot see why it happens and on which DC
I noticed this morning that sysvolcheck returns errors that won't be
fixed by sysvolreset (!), I manually fixed the ntacl but this does not
seem to have fixed anything
Regards
Post by mathias dufresne
I'm not an expert in idmap (at all in fact :p) but I thought the idmap
stuff was there to replace the RFC2307 UID/GID declared in AD/LDAP
objects.
In other words, if you configure idmap correctly in smb.conf I expect
you no longer need to declare a UID/GID for machine accounts.
Anyway here my machines get access to their GPO: I tested one computer's
GPO this morning, the one giving the possibility to use userPrincipalName
worked so the GPO was applied, and my machines have no UID/GID nor does my
smb.conf contain one:
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99
#kccsrv:samba_kcc=true
[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
id administrator
uid=0(root) gid=0(root) groups=0(root)
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groups=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
So idmapping seems to be enabled by default as there are no UID/GID:
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
So I still expect an issue about mapping computer accounts to a
UNIX/Linux local user.
Hoping this helps, cheers,
mathias
2016-03-26 22:04 GMT+01:00 Ryan Ashley
I add UNIX attributes (gid/uid) using RSAT. You need to select an
additional option when installing the tools. I believe it is "something
for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
set the uid/gid as well as group memberships for UNIX systems. I have
done this on my networks, but I may have forgotten it on this one. I
will check. I still have the issue, it is not a "node type" issue.
Lead IT/IS Specialist
Reach Technology FP, Inc
Post by mj
And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in
RSAT
I added them using LAM, because yes: using RSAT I also could not.
(lam: www.ldap-account-manager.org/)
L.P.H. van Belle
2016-04-18 10:58:29 UTC
Ok, try this.

Give the PC a uid and check again.
If it works then, it's a share or security right.

gpupdate /force works because at that point your "user"/user has a uid and gid.

The error occurs at start up because the COMPUTERNAME$ doesn't have access to that gpt.ini.

Resetting sysvol in that case doesn't help because the right on the gpt.ini is set by the group you assigned to the policy.
( so it can be an inheritance problem also )

Greetz,

Louis
-----Original message-----
Sent: Monday, 18 April 2016 12:46
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hi
Post by L.P.H. van Belle
Hi,
Yeah, you probably have one of these 2 problems. ( or both )
1)
This is probably because your "computer" *(user) does not have any
access.
Recheck your permissions on the share and folders for that specific
policy.
Performed sysvolreset, checked access in Windows, all DC the same
(authenticated users & enterprise DC can read, system, domain/enterprise
admins have full control)
How do you explain that manual gpupdate /force works with no issue
Tried to leave/rejoin domain (with machine account deletion after leave)
??? no change
Post by L.P.H. van Belle
2)
Connection-specific suffix and/or network suffix is wrong.
Check if your PC is set up correctly with dhcp.
Ipconfig /all ( check these, and make sure you have "hybrid" (H-node) )
Node type is hybrid. Wireshark show that DNS queries are performed
against right suffices and does not show any DNS error
Post by L.P.H. van Belle
This is not a samba problem but a configuration problem,
or a corruption in your ip stack, (n ) can help also.
Done without success
Post by L.P.H. van Belle
I've posted a link before this one, go through it, there are multiple good
options to check out.
http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm
Yeah checked a good part of them with no success. This seems more like
some random voodoo. And a good part of them involves configuration on
windows DC?
L.P.H. van Belle
2016-04-18 13:35:22 UTC
Ok,

I don't think so, I launch gpupdate using local admin account, so as I
understand it, only computer account is used (since local admin has no
existence on the domain)
Why a local admin, please use a "domain admin" ..

Test as follows.

Open the security tab of the GPT.INI.

Advanced settings, last tab, effective settings,

At object type, deselect all, select computer.

Search for : COMPUTERNAME$

It should resolve to your computer.

Click ok, now check the security settings again here.

Must have at least :

Traverse Folder / Execute file.

List folder / Read Data

Read Attributes.

Read Extended Attributes.

Read permissions.

wbinfo -i COMPUTERNAME$ & wbinfo -r COMPUTERNAME$ correctly return it
as a member of domain computers (with proper gid) and a custom group to
which it was added
When that's ok, keep it as is now, looks good.

After checking your rights,

You can try this also if we speak of windows 7, try this.

( just found this )

Open CMD Box as Administrator.

Run :

DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"

gpupdate /force ( or reboot )

Greetz,

Louis
-----Original message-----
Sent: Monday, 18 April 2016 15:03
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Post by L.P.H. van Belle
Ok, try this.
Give the PC a uid and check again.
If it works then, it's a share or security right.
gpupdate /force works because at that point your "user"/user has a uid
and gid.
I don't think so, I launch gpupdate using local admin account, so as I
understand it, only computer account is used (since local admin has no
existence on the domain)
Post by L.P.H. van Belle
The error occurs at start up because the COMPUTERNAME$ doesn't have access
to that gpt.ini.
wbinfo -i COMPUTERNAME$ & wbinfo -r COMPUTERNAME$ correctly return it
as a member of domain computers (with proper gid) and a custom group to
which it was added
I added a uidNumber to the machine, should I explicitly add it to the
GPO access rights?
Regards
L.P.H. van Belle
2016-04-18 14:45:12 UTC
Ok based on the MS link.

Have you enabled, under Computer Configuration in the navigation tree on the left side, Administrative Templates\System\Logon

Enable "Always wait for the network at computer startup and logon"

If not done yet.

Greetz,

Louis
-----Original message-----
Sent: Monday, 18 April 2016 16:38
Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Post by L.P.H. van Belle
Ok,
I don't think so, I launch gpupdate using local admin account, so as I
understand it, only computer account is used (since local admin has no
existence on the domain)
Why a local admin, please use a "domain admin" ..
No effect (since in fact interactive update always works :) )
Post by L.P.H. van Belle
Test as follows.
Open the security tab of the GPT.INI.
Advanced settings, last tab, effective settings,
At object type, deselect all, select computer.
Search for : COMPUTERNAME$
It should resolve to your computer.
Click ok, now check the security settings again here.
Traverse Folder / Execute file.
List folder / Read Data
Read Attributes.
Read Extended Attributes.
Read permissions.
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
Post by L.P.H. van Belle
gpupdate /force
This works (as usual)
Post by L.P.H. van Belle
( or reboot )
This fails
Analyzing the complete boot sequence, I see several errors
DHCP starting
DHCPv6 starting
NETLOGON error no domain controller found
LSASrv issue (max reference tickets exceeded)
GPO error (failure to read GPT.INI)
It looks like this: https://support.microsoft.com/en-us/kb/2421599 but
suggested fix doesn't make any difference.
It may be related to SSD enabled machines which boot too fast, but
cannot remember if non-SSD ones hit the bug too
Regards
lists
2016-04-18 15:10:23 UTC
Hi Sébastien,

This link once helped me, when some drive mappings didn't work for a
particular user:

https://support.microsoft.com/en-us/kb/979731

I removed the xml file under:
\users\All Users\Microsoft\Group Policy\History\<GUID>\Preferences
(find the appropriate GUID in the event viewer)

Reboot, and our drive mappings were back.

Another thing that we needed to do in the past, to get some policies to
apply, was to assign a uid/gid to workstation accounts.

I don't think these 'solutions' apply to your case, but then again... who
knows...

MJ
Post by L.P.H. van Belle
Ok based on the MS link.
Have you enabled under Computer Configuration in the navigation tree
on the left side, navigate to Administrative Templates\System\Logon
Enable "Always wait for the network at computer startup and logon"
If not done yet.
Greetz,
Louis
Yes it is. The GpNetworkStartTimeoutPolicyValue key has been manually
set to 120 (but this does not make any difference, moreover the
corresponding GPO is also set)
What I cannot get is that GPO processing shouldn't start until network
is available, so something seems to "trick" windows in believing that
network is available (I disabled all but ethernet adapter in BIOS…)
Jonathan Hunter
2016-04-19 10:37:33 UTC
Good explanation, makes sense - thank you!

I am having a different issue, then, I think - on occasion gpupdate fails
(after the machine has been running; not just booted up) but then on
occasion it works again (nothing changed as far as I can tell). I'll
continue to debug this one as well :)
I think I finally solved it…
This is indeed not related to Samba (I guess), and I have to say that I
don't know if there is a proper fix
Some machines fail to apply GPOs at startup. Manual launches of gpupdate
are successful, only boot-up ones fail (that is, everything related to
software installation or startup scripts).
The event log shows an error about accessing GPT.ini (without telling what the
error exactly is).
Manual access to said GPT.ini (either through the user account or using the
computer account) is successful
I guess this is some kind of race condition related to network
initialisation which isn't totally finished when GPO processing starts. The
faster the boot, the higher the risk to trigger the condition (thus
SSD-enabled machines are good candidates). As I said in a previous mail,
something seems to trick Windows into believing that the network is
available while it's not. And this something turns out to be… IPv6
Disabling IPv6 on the network interface solves the problem, enabling it
triggers it.
I guess this is because IPv6 autoconfiguration is immediate (no need to
get a DHCP ack) while IPv4 needs to wait for the DHCP process to finish, as below:
Standard PC
[Some boot stuff involving slow disk I/O]
IPv6 ready => network available
[Some boot stuff involving slow disk I/O]
IPv4 DHCP ACK => IPv4 available
[Some boot stuff involving slow disk I/O]
GPO processing
SSD PC
[some boot stuff invol… finished]
GPO processing waits for network
IPv6 ready => network available
GPO says "cannot read the file"
IPv4 ready => nobody cares
Note: configuring the system to prefer IPv4 over IPv6 does not change anything
(seems consistent since IPv4 is not available so cannot be preferred when
GPO processing starts).
Thank you for your help, I hope this will help someone (if people
encountering the same problem can test this "fix" and report back I would
appreciate it).
Regards
--
"If we knew what it was we were doing, it would not be called research,
would it?"
- Albert Einstein
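The checks Louis and Sébastien describe in the exchange above, put into one client-side script as an added example (this is not code from the thread or from any poster). It reads the two Winlogon values behind "Always wait for the network at computer startup and logon" and the GpNetworkStartTimeoutPolicyValue timeout, lists whether IPv4 and IPv6 are bound to the adapter, prints the order of Dhcp-Client, LsaSrv 40960 and GroupPolicy 1058 events since the last boot, and only when asked unbinds IPv6 the way Sébastien did. The adapter name 'Ethernet' and the registry locations are assumptions taken from Microsoft's documentation as I recall it; the NetAdapter cmdlets need Windows 8 / Server 2012 or later and an elevated shell.

```powershell
# Added example, not code from the thread: consolidate the client-side checks that
# Louis and Sébastien describe. Needs Windows 8 / Server 2012 or later (NetAdapter
# module) and an elevated PowerShell. Adapter name and registry paths are assumptions.
param(
    [string]$AdapterName = 'Ethernet',   # assumed name of the wired, domain-facing adapter
    [switch]$DisableIPv6                 # opt-in: apply Sébastien's workaround
)

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegDword([string]$Path, [string]$Name) {
    # Return $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# "Always wait for the network at computer startup and logon" sets SyncForegroundPolicy=1
# under the Policies key; GpNetworkStartTimeoutPolicyValue (seconds) is the KB2421599 value
# Sébastien set to 120. Either may legitimately be $null when unset.
[pscustomobject]@{
    SyncForegroundPolicy             = Get-RegDword $policyKey   'SyncForegroundPolicy'
    GpNetworkStartTimeoutPolicyValue = Get-RegDword $winlogonKey 'GpNetworkStartTimeoutPolicyValue'
} | Format-List

# Which IP families are bound to the adapter? ms_tcpip6 is the IPv6 component.
Get-NetAdapterBinding -Name $AdapterName -ComponentID 'ms_tcpip', 'ms_tcpip6' |
    Format-Table Name, DisplayName, ComponentID, Enabled -AutoSize

# Boot-time ordering since the last start: DHCP client activity, the LsaSrv 40960
# warning and the GroupPolicy 1058 error. On an affected machine 1058 shows up
# before the IPv4 lease, which is what Sébastien's race explanation predicts.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $lastBoot } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.ProviderName -eq 'Microsoft-Windows-Dhcp-Client' -or
        ($_.ProviderName -eq 'LsaSrv' -and $_.Id -eq 40960) -or
        ($_.ProviderName -eq 'Microsoft-Windows-GroupPolicy' -and $_.Id -eq 1058)
    } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, ProviderName, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } -AutoSize

if ($DisableIPv6) {
    # Sébastien's workaround: with IPv6 unbound, "network available" can only mean
    # the IPv4 DHCP lease is in place, so policy processing waits for the right event.
    Disable-NetAdapterBinding -Name $AdapterName -ComponentID 'ms_tcpip6' -PassThru
}
```

Run it once without -DisableIPv6 to see the event ordering and the current bindings, then with the switch only on a machine that shows 1058 before the IPv4 lease. On Windows 7 the NetAdapter module is absent; unticking "Internet Protocol Version 6 (TCP/IPv6)" in the adapter's properties is the equivalent of the Disable-NetAdapterBinding call, and the two registry values can still be read with Get-ItemProperty as above.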
Ryan Ashley
2016-04-21 14:56:15 UTC
IPv6 is disabled on all systems where I am having the issue, so it is
not a fix here. All systems have a GID, all users have a UID. It fails
on startup and when running gpupdate, with or without the force
parameter. That is why I am lost. DNS works correctly and I can ping the
domain name and it will ping one server or the other. I have reset and
checked the sysvol permissions to no avail. It really is like it just
chooses not to read the file. Normally I would blame Windows, but the
fact that this does NOT happen on domains with actual Windows Server
systems in place of Samba systems combined with the many reports in this
thread leads me to believe it is something we are overlooking.

1) Network connectivity to servers? Yes
2) DNS and DHCP correct? Yes
3) Can run gpupdate manually? No
4) Can update policy at boot? No
5) Computers/Users have UID/GID? Yes
6) Sysvol permissions correct? Yes
7) IPv6 disabled? Yes

Lead IT/IS Specialist
Reach Technology FP, Inc
mathias dufresne
2016-04-21 15:13:22 UTC
Because of "3) Can run gpupdate manually? No" I would go back to other
threads speaking about GPO issues. This one seemed to me very dedicated to
the issue with GPO during boot up.

Sorry to not help more :/
mj
2016-04-21 15:13:28 UTC
Hi,

How to test access with a machine account:

* Install psexec from
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
* open a cmd.exe as administrator
* type:
psexec -i -s cmd.exe
* In the new cmd (running as the computer account) type:

echo %username%

Now check if you can access the gpo folders.

Perhaps this way you can check / verify if machine accounts actually
access the required files.

MJ
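mj's psexec shell and Louis's list of required rights (Traverse/Execute, List/Read data, Read attributes, Read extended attributes, Read permissions) combined, as an added PowerShell example that is not part of either post. Started from the cmd.exe that `psexec -i -s cmd.exe` opens, the token is NT AUTHORITY\SYSTEM, which authenticates to the DC as COMPUTERNAME$. The script computes from the file's DACL which of Louis's five rights that token is granted, then actually opens the file. The DACL arithmetic uses the local token and is only an approximation (it lacks the domain groups the DC puts into the computer's network token, such as Domain Computers or a custom group), so the open attempt, which is what the Group Policy client does, is the check that counts. The UNC path, script name and GUID are placeholders.

```powershell
# Added example, not code from the thread. Run it from the cmd.exe that
#   psexec -i -s cmd.exe
# opens, so that the token is NT AUTHORITY\SYSTEM (the machine account on the wire):
#   powershell -ExecutionPolicy Bypass -File .\Test-GptIniAccess.ps1 -Path "\\domain\sysvol\domain\Policies\{GUID}\gpt.ini"
# The UNC path and GUID are placeholders; take the GUID from the Event 1058 text.
param([Parameter(Mandatory)][string]$Path)

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
"Token: $($identity.Name)"      # expect NT AUTHORITY\SYSTEM under psexec -s

# Louis's minimum set: Traverse folder/Execute file, List folder/Read data, Read attributes,
# Read extended attributes, Read permissions. Those five bits are FileSystemRights::ReadAndExecute (0x200A9).
$required = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$acl   = Get-Acl -LiteralPath $Path
$allow = 0
$deny  = 0
foreach ($ace in $acl.Access) {
    # Resolve the ACE principal to a SID string; skip ACEs for principals the token does not carry.
    try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }
    if ($tokenSids -notcontains $sid) { continue }
    $mask = [int]$ace.FileSystemRights
    if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask } else { $deny = $deny -bor $mask }
}
# Conservative approximation of the Windows access check: any matching deny bit removes the right.
$effective = $allow -band (-bnot $deny)
$missing   = $required -band (-bnot $effective)

"Owner     : $($acl.Owner)"
"Effective : $([System.Security.AccessControl.FileSystemRights]$effective)"
if ($missing -eq 0) { "DACL grants ReadAndExecute to this token" }
else { "DACL is missing: $([System.Security.AccessControl.FileSystemRights]$missing)" }

# The DACL arithmetic above uses the local token, which lacks the domain groups the DC
# puts into COMPUTERNAME$'s network token (Domain Computers, custom groups). The server
# side decision is what the Group Policy client hits, so the real test is the open itself.
try   { [void][System.IO.File]::ReadAllText($Path); "Open succeeded" }
catch { "Open failed: $($_.Exception.Message)" }
```

If the DACL report says the rights are present but the open fails, the Samba DC is refusing the request for a reason the client-visible DACL does not show (for example the POSIX ACL or idmap on that particular DC), which is the direction Ryan's later finding points in; if the open succeeds here but 1058 is still logged at boot, the failure is timing, not permissions.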
Ryan Ashley
2016-06-16 18:18:15 UTC
Sorry it has been a while, but I was not near the client in
question for an extended period. I have now been by and spent a day, and
somewhat fixed the issue. How? I turned off the second DC. After
gpupdate couldn't talk to DC02, it tried DC01 and updated. It fixed
every little issue on the entire domain.

Now for the nitty-gritty. I tried using psexec as described in the
previous post and it succeeded, so both machine accounts AND user
accounts can open and read the gpt.ini file, despite the error being
logged. This is with both DCs on, before I shut the second one down.

I have a script on a cron job which runs once every 15min. It copies
over the sysvol from the primary DC and then does a sysvolreset to reset
the permissions per the second controller's IDs. I only edit group
policy on the main DC for this reason. Perhaps this is where my issue
lies? Maybe we just need DFS support or NTFRS between DCs. Either way my
suspicion is that despite the sysvolreset, something isn't right. What
are your thoughts? I am currently running on only the primary DC.

Lead IT/IS Specialist
Reach Technology FP, Inc
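For the two-DC setup Ryan describes, where gpt.ini is copied by rsync and then rewritten by sysvolreset on DC02, an added PowerShell example (not Ryan's cron script or any code from the thread) that reads the same gpt.ini through each DC's own UNC path, so the \\domain\sysvol referral cannot pick a DC for you, and compares content hash, Version, owner and SDDL across the DCs. The DC names, domain and GUID are placeholders. A security descriptor that differs between the two copies is exactly the state in which a client that happens to bind to the second DC logs 1058 while the first DC serves the file fine, which matches what Ryan saw when DC02 was switched off.

```powershell
# Added example, not Ryan's cron script or any code from the thread: read the same
# gpt.ini through each DC's own UNC path and compare what the two DCs serve.
# DC names, domain and GUID are placeholders.
param(
    [string[]]$DomainControllers = @('dc01.domain', 'dc02.domain'),
    [string]$Domain = 'domain',
    [Parameter(Mandatory)][string]$PolicyGuid   # e.g. {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}
)

$results = foreach ($dc in $DomainControllers) {
    # \\<dc>\sysvol pins the request to one DC; \\domain\sysvol would pick one for us.
    $file = "\\$dc\sysvol\$Domain\Policies\$PolicyGuid\gpt.ini"
    $row  = [ordered]@{ DC = $dc; Readable = $false; Version = $null; SHA256 = $null; Owner = $null; SDDL = $null; Error = $null }
    try {
        $text         = [System.IO.File]::ReadAllText($file)   # same open the GP client performs
        $row.Readable = $true
        $row.Version  = [regex]::Match($text, '(?im)^\s*Version\s*=\s*(\d+)').Groups[1].Value
        $row.SHA256   = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $sd           = Get-Acl -LiteralPath $file
        $row.Owner    = $sd.Owner
        $row.SDDL     = $sd.Sddl
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-List

# rsync followed by sysvolreset on DC02 rewrites the NT ACL from DC02's own idmap; if that
# differs from DC01's, the DACL (and often the owner) diverge even though the bytes match.
$hashes = @($results | Where-Object Readable | Select-Object -ExpandProperty SHA256 -Unique)
$sddls  = @($results | Where-Object Readable | Select-Object -ExpandProperty SDDL   -Unique)
if ($hashes.Count -gt 1) { Write-Warning 'gpt.ini content differs between DCs' }
if ($sddls.Count  -gt 1) { Write-Warning 'gpt.ini security descriptor differs between DCs' }
if (@($results | Where-Object { -not $_.Readable }).Count -gt 0) { Write-Warning 'gpt.ini could not be opened on at least one DC' }
```

Run it from an affected client, once as a domain user and once from the `psexec -i -s cmd.exe` shell so the machine account is the one doing the open. Identical hashes with different SDDL strings, or an open that succeeds against one DC and fails against the other, point at the copy step rather than at the policy itself.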