Discussion:
Permission denied on GPT.ini (Event ID 1058)
l***@gmail.com
2016-03-18 17:29:32 UTC
Are you currently replicating the sysvol folder between DC's?
Hi list,
Having a multi-DC Samba 4.1.17 (Debian) setup, we use Computer GPOs.
Machines randomly encounter event 1058 (translation is roughly "GPO
processing failed. Windows failed to read file
\\domain\sysvol\domain\Policies\SomeGUID\gpt.ini from a domain
controller"). It seems to be an issue with computer account because
User's GPO applies nicely.
Replication (both drs show repl & ldap-cmp) shows no error nor
difference on the DC used for GPO fetching (according to tcpdump since
I found no way to get it through windows logs). Rising loglevel to 5
show that domain\COMPUTERNAME$is not found as an user but the same occurs for "working" stations. ntacl sysvolreset doesn't change anything. Can somebody point me in the right direction to troubleshoot this? Regards -- -James -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba l***@gmail.com 2016-03-18 17:50:44 UTC Permalink Hi, Yes using rsync followed by a samba-tool ntacl sysvolreset Regards Post by l***@gmail.com Are you currently replicating the sysvol folder between DC's? Hi list, Having a multi-DC Samba 4.1.17 (Debian) setup, we use Computer GPOs. Machines randomly encounter event 1058 (translation is roughly "GPO processing failed. Windows failed to read file \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini from a domain controller"). It seems to be an issue with computer account because User's GPO applies nicely. Replication (both drs show repl & ldap-cmp) shows no error nor difference on the DC used for GPO fetching (according to tcpdump since I found no way to get it through windows logs). Rising loglevel to 5 show that domain\COMPUTERNAME$ is not found as an user
but the same occurs for "working" stations. ntacl sysvolreset
doesn't change anything.
Can somebody point me in the right direction to troubleshoot this?
Regards
Have you tried running 'gpresult /H GPReport.html' on the workstation
and see if it provides any details? You can also run 'Group Policy
Results' from within Microsoft Group Policy Management snap in.

Are you using Item level targeting in your GPO?
--
-James
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
l***@gmail.com
2016-03-18 19:58:48 UTC
Post by l***@gmail.com
Have you tried running 'gpresult /H GPReport.html' on the workstation
and see if it provides any details? You can also run 'Group Policy
Results' from within Microsoft Group Policy Management snap in.
Yes, it show an error about maximum kerberos tickets exceeded but I
take that for a generic error message…
Post by l***@gmail.com
Are you using Item level targeting in your GPO?
No
When this error happens, can you confirm if you can manually navigate to
the file? Open file explorer and enter the UNC path.

ie. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini

On the workstation having the issue.
--
-James
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Klaus Hartnegg
2016-03-20 16:03:32 UTC
Yes but in that case I'm not using the machine account anymore but the currently logged in user account. That's why I guess it is related to some machine account configuration issue but I can find no way to test machine account access…
psexec -i -s cmd.exe
will open a new window
try there:
looks like machine account

hope this helps,
Klaus
--
Message sent from a mobile device, please excuse brevity and typos
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-03-21 14:53:36 UTC
Hai,

Check the following.

1) Get the Policy id ( like ": {78732DBF-5381-497B-9B25-00A278270A1F} from
PATH_TO_SYSVOL_FOLDER/Policies/
2) run getfacl on the folder like :
getfacl \{78751DBF-5381-497B-9B25-00A278270A1F\}/

here in my case i noticed the following.
I had a user set on one specific policie, i changed that users to a newly created group.

After looking with getfacl i noticed, that the user was still on GPT.INI
and not the group.
Reculting in the Permission denied on GPT.ini.

For now i fixed it by getting setting the inheritance of the folder to the files again.

Resume what i think and others must test also.

When creating the policy for the first time it sets the correct U+G rights.
After changing this, not.

Other quick fix is, add the computer($) to the group. I hope people know what i mean, if not, ask me. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: maandag 21 maart 2016 10:45 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Post by Klaus Hartnegg Am 19.03.2016 um 08:16 schrieb Sébastien Le Ray <sebastien- Yes but in that case I'm not using the machine account anymore but the currently logged in user account. That's why I guess it is related to some machine account configuration issue but I can find no way to test machine account access? Post by Klaus Hartnegg psexec -i -s cmd.exe must be run as admin will open a new window echo %username% looks like machine account Hi, This gives me the machine account name which I already know. BUT I used pushd \\path\to\sysvol in the spawned cmd.exe and I successfully mounted the supposedly unreadable share (tries all 5 DCs) and type'd the GPT.ini If someone has any further investigation track, I'll take it Regards -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba Ryan Ashley 2016-03-22 14:11:18 UTC Permalink I just saw this thread while browsing my emails and I want to report that I get this frequently but randomly on every Samba4 domain I run. It is completely random in that it affects a PC today, but a week from now that same PC may work just fine. It may then affect a different PC which had no issues prior. Also, if I click the link to "gpt.ini" in the event log the file DOES open and I can view it all day long. It is almost as though the system lies to me in saying it cannot access the file, but it can. I have been dealing with this for two years now. Finally, this seems to occur MUCH more frequently on domains which have multiple DCs. A single DC domain may have this happen once in a year, and only for a moment, whereas a multiple DC domain may have this happen regularly. Lead IT/IS Specialist Reach Technology FP, Inc Post by l***@gmail.com Post by l***@gmail.com Have you tried running 'gpresult /H GPReport.html' on the workstation and see if it provides any details? You can also run 'Group Policy Results' from within Microsoft Group Policy Management snap in. Yes, it show an error about maximum kerberos tickets exceeded but I take that for a generic error message… Post by l***@gmail.com Are you using Item level targeting in your GPO? No When this error happens, can you confirm if you can manually navigate to the file? Open file explorer and enter the UNC path. ie. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini On the workstation having the issue. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-03-22 15:37:15 UTC Permalink In addition,.. a handy to know. Windows resolves NetBIOS names by using one of the following four methods. 1 = B-Node (broadcast) 2 = P-Node (point-to-point) 4 = M-Node (mixed) 8 = H-Node (hybrid) In the registry look for NodeType and/or DhcpNodeType When you cannot view other workgroup computers, remove these keys and reboot. If you still see a wrong node-type after reboot, check you dhcp option 46. Still not working, try manualy creating the NodeType registry key. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 22 maart 2016 16:17 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hai In the end, i found the problem today. The pc win7-64b with this problem had a wrongy network settting and 2 nics. I removed 1 nic. Ipconfig /all gaves what whas wrong. The nodetype was wrong. The "problem" pc had mixed set. And not hybrid (0x8) (H Node) After changing this back to H-node and removeing the 2e nic. Rebooted the pc and it works again now. Hope this helps someone. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 22 maart 2016 15:11 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) I just saw this thread while browsing my emails and I want to report that I get this frequently but randomly on every Samba4 domain I run. It is completely random in that it affects a PC today, but a week from now that same PC may work just fine. It may then affect a different PC which had no issues prior. Also, if I click the link to "gpt.ini" in the event log the file DOES open and I can view it all day long. It is almost as though the system lies to me in saying it cannot access the file, but it can. I have been dealing with this for two years now. Finally, this seems to occur MUCH more frequently on domains which have multiple DCs. A single DC domain may have this happen once in a year, and only for a moment, whereas a multiple DC domain may have this happen regularly. Lead IT/IS Specialist Reach Technology FP, Inc Post by l***@gmail.com Post by l***@gmail.com Have you tried running 'gpresult /H GPReport.html' on the workstation Post by l***@gmail.com Post by l***@gmail.com and see if it provides any details? You can also run 'Group Policy Results' from within Microsoft Group Policy Management snap in. Yes, it show an error about maximum kerberos tickets exceeded but I take that for a generic error message? Post by l***@gmail.com Are you using Item level targeting in your GPO? No When this error happens, can you confirm if you can manually navigate to Post by l***@gmail.com the file? Open file explorer and enter the UNC path. ie. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini On the workstation having the issue. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba mj 2016-03-23 13:08:25 UTC Permalink Hi Sébastien, Clicking on the link in the events viewer (which *never* fails) opens it as the logged in user, that's why I'm convinced the issue is tied to machine accounts handling I have had problems with machine accounts accessing sysvol folders on smba DCs. I solved this by adding a gid & uid to the machine accounts. Perhaps try that? MJ -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba mj 2016-03-23 16:01:08 UTC Permalink And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields in RSAT I added them using LAM, because yes: using RSAT i also could not. (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba Ryan Ashley 2016-03-26 21:04:14 UTC Permalink I add UNIX attributes (gid/uid) using RSAT. You need to select an additional option when installing the tools. I believe it is "something for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to set the uid/gid as well as group memberships for UNIX systems. I have done this on my networks, but I may have forgotten it on this one. I will check. I still have the issue, it is not a "node type" issue. Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields in RSAT I added them using LAM, because yes: using RSAT i also could not. (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba mathias dufresne 2016-03-29 09:57:41 UTC Permalink I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs were here to replace RFC2307 UID/GID declared into AD/LDAP objects. In others words, if you configure correctly idmap into smb.conf I expect you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's GPO this morning, the one giving the possibility to use userPrincipalName without @samba.domain.tld when logging into a computer. That worked so the GPO was applied and my machines have no UID/GID nor my smb.conf contains anything about idmap: ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- But my nsswitch.conf is configured to use winbind: grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind And that works: For users: id administrator uid=0(root) gid=0(root) groupes=0(root) For computers: id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password
replication group)

So idmapping seems to be enabled by default as there are no UID/GID
declared on DC200 computer:
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux local user. Hoping this helps, cheers, mathias Post by Ryan Ashley I add UNIX attributes (gid/uid) using RSAT. You need to select an additional option when installing the tools. I believe it is "something for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to set the uid/gid as well as group memberships for UNIX systems. I have done this on my networks, but I may have forgotten it on this one. I will check. I still have the issue, it is not a "node type" issue. Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields in RSAT I added them using LAM, because yes: using RSAT i also could not. (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba mathias dufresne 2016-03-29 13:14:05 UTC Permalink To see which DC is used by Windows client: open a MSDOS console, type "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if you have only GPO issue). Hi Same here, GPO work without UID/GID on machine account (since issue "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except a reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't be fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs were here to replace RFC2307 UID/GID declared into AD/LDAP objects. In others words, if you configure correctly idmap into smb.conf I expect you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's GPO this morning, the one giving the possibility to use userPrincipalName GPO was applied and my machines have no UID/GID nor my smb.conf contains ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password
replication group)
So idmapping seems to be enabled by default as there are no UID/GID
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Ryan Ashley additional option when installing the tools. I believe it is "something for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to set the uid/gid as well as group memberships for UNIX systems. I have done this on my networks, but I may have forgotten it on this one. I will check. I still have the issue, it is not a "node type" issue. Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields in RSAT I added them using LAM, because yes: using RSAT i also could not. (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba mathias dufresne 2016-03-29 13:16:38 UTC Permalink About sysvolreset errors: send them to us. There is (at least) one error from sysvolcheck which is not too much important (if I have well understood it): ACL is set on FS to Local Admins when it should be Domain admins (or the contrary). That one should be a simple warning, or it is and it can be ignored (once more: according to my memory). Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if you have only GPO issue). Hi Same here, GPO work without UID/GID on machine account (since issue "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except a reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't be fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs were here to replace RFC2307 UID/GID declared into AD/LDAP objects. In others words, if you configure correctly idmap into smb.conf I expect you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's GPO this morning, the one giving the possibility to use userPrincipalName GPO was applied and my machines have no UID/GID nor my smb.conf contains ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password
replication group)
So idmapping seems to be enabled by default as there are no UID/GID
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Ryan Ashley additional option when installing the tools. I believe it is "something for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to set the uid/gid as well as group memberships for UNIX systems. I have done this on my networks, but I may have forgotten it on this one. I will check. I still have the issue, it is not a "node type" issue. Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields in RSAT I added them using LAM, because yes: using RSAT i also could not. (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-03-29 13:46:31 UTC Permalink But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 15:41 CC: samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) LOGONSERVER is the server used to authenticate currently logged in user, this does not mean that it is the one on which machine GPO was fetched (which seem to be round-robinized, but maybe not) Got no more sysvolcheck error, manually fixed those (what a pain) But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini Regards Post by mathias dufresne About sysvolreset errors: send them to us. There is (at least) one error from sysvolcheck which is not too much important (if I have well understood Post by mathias dufresne it): ACL is set on FS to Local Admins when it should be Domain admins (or Post by mathias dufresne the contrary). That one should be a simple warning, or it is and it can be Post by mathias dufresne ignored (once more: according to my memory). Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between Post by mathias dufresne Post by mathias dufresne DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if Post by mathias dufresne Post by mathias dufresne you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien- Hi Same here, GPO work without UID/GID on machine account (since issue "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except a reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't be fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to Post by mathias dufresne Post by mathias dufresne have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne were here to replace RFC2307 UID/GID declared into AD/LDAP objects. In others words, if you configure correctly idmap into smb.conf I expect Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne GPO this morning, the one giving the possibility to use userPrincipalName so Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne the GPO was applied and my machines have no UID/GID nor my smb.conf contains Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password
replication group)
So idmapping seems to be enabled by default as there are no UID/GID
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Ryan Ashley additional option when installing the tools. I believe it is "something Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley set the uid/gid as well as group memberships for UNIX systems. I have Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley done this on my networks, but I may have forgotten it on this one. I will check. I still have the issue, it is not a "node type" issue. Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields in Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj RSAT I added them using LAM, because yes: using RSAT i also could not. (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-03-29 14:18:17 UTC Permalink I dont read any france but translators work ok. ;-) pfew.. Ok any firewalling on the DC's? if so, open TCP and UDP port 88. Or try short without firewalls on, on the DC's. Other options to try is recude the MaxPacketSize in windows. Looks like a to big package which is rejected. Ow and above is also needed on the DNS port 53. Open tcp and udp. If the upd packages are to big, tcp is tried. And let us know the result. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:10 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hi French windows version LSA Error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/computer.domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data> </EventData> </Event> GPT.ini error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data> </EventData> </Event> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/ # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/ # owner: root # group: 10000 user::rwx user:root:rwx user:3000002:rwx user:3000003:r-x user:3000007:rwx user:3000008:r-x group::rwx group:10000:rwx group:3000002:rwx group:3000003:r-x group:3000007:rwx group:3000008:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000002:rwx default:user:3000003:r-x default:user:3000007:rwx default:user:3000008:r-x default:group::--- default:group:10000:rwx default:group:3000002:rwx default:group:3000003:r-x default:group:3000007:rwx default:group:3000008:r-x default:mask::rwx default:other::--- DHCP IP Regards Post by L.P.H. van Belle But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis -----Oorspronkelijk bericht----- Ray Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 15:41 CC: samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) LOGONSERVER is the server used to authenticate currently logged in user, Post by L.P.H. van Belle this does not mean that it is the one on which machine GPO was fetched (which seem to be round-robinized, but maybe not) Got no more sysvolcheck error, manually fixed those (what a pain) But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini Regards Post by mathias dufresne About sysvolreset errors: send them to us. There is (at least) one error Post by L.P.H. van Belle Post by mathias dufresne from sysvolcheck which is not too much important (if I have well understood Post by mathias dufresne it): ACL is set on FS to Local Admins when it should be Domain admins (or Post by mathias dufresne the contrary). That one should be a simple warning, or it is and it can Post by L.P.H. van Belle be Post by mathias dufresne ignored (once more: according to my memory). Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between Post by mathias dufresne Post by mathias dufresne DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if Post by mathias dufresne Post by mathias dufresne you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien- Hi Same here, GPO work without UID/GID on machine account (since issue "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except a Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't be fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to Post by mathias dufresne Post by mathias dufresne have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne were here to replace RFC2307 UID/GID declared into AD/LDAP objects. In others words, if you configure correctly idmap into smb.conf I expect Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne GPO this morning, the one giving the possibility to use userPrincipalName so Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne the GPO was applied and my machines have no UID/GID nor my smb.conf contains Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password
replication group)
So idmapping seems to be enabled by default as there are no UID/GID
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Ryan Ashley additional option when installing the tools. I believe it is "something Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley for NIS attributes". This adds the "UNIX" tab to ADUC and allows you Post by L.P.H. van Belle to Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley set the uid/gid as well as group memberships for UNIX systems. I have Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley done this on my networks, but I may have forgotten it on this one. I Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley will check. I still have the issue, it is not a "node type" issue. Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields Post by L.P.H. van Belle in Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj RSAT I added them using LAM, because yes: using RSAT i also could not. (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-03-29 14:52:45 UTC Permalink Ok, where your pc's get the DNS info from? Server : AD-DC + DNS Or Server : AD-DC + Some other server with DNS Can you give the output of dig NS your.domain.tld and tel us what what is. -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:31 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) No firewall configured on DCs telnet dc 88 & 53 works fine (so TCP at least is OK). 53 isn't mandatory since AD zone is a delegation so clients never talk to AD NS directly Regards Post by L.P.H. van Belle I dont read any france but translators work ok. ;-) pfew.. Ok any firewalling on the DC's? if so, open TCP and UDP port 88. Or try short without firewalls on, on the DC's. Other options to try is recude the MaxPacketSize in windows. Looks like a to big package which is rejected. Ow and above is also needed on the DNS port 53. Open tcp and udp. If the upd packages are to big, tcp is tried. And let us know the result. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:10 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hi French windows version LSA Error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/computer.domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> GPT.ini error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/ # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/ # owner: root # group: 10000 user::rwx user:root:rwx user:3000002:rwx user:3000003:r-x user:3000007:rwx user:3000008:r-x group::rwx group:10000:rwx group:3000002:rwx group:3000003:r-x group:3000007:rwx group:3000008:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000002:rwx default:user:3000003:r-x default:user:3000007:rwx default:user:3000008:r-x default:group::--- default:group:10000:rwx default:group:3000002:rwx default:group:3000003:r-x default:group:3000007:rwx default:group:3000008:r-x default:mask::rwx default:other::--- DHCP IP Regards Post by L.P.H. van Belle But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle Post by L.P.H. van Belle source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis -----Oorspronkelijk bericht----- Ray Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 15:41 CC: samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) LOGONSERVER is the server used to authenticate currently logged in user, Post by L.P.H. van Belle this does not mean that it is the one on which machine GPO was fetched Post by L.P.H. van Belle Post by L.P.H. van Belle (which seem to be round-robinized, but maybe not) Got no more sysvolcheck error, manually fixed those (what a pain) But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle Post by L.P.H. van Belle source and right after a permission denied on GPT.ini Regards Post by mathias dufresne About sysvolreset errors: send them to us. There is (at least) one error Post by L.P.H. van Belle Post by mathias dufresne from sysvolcheck which is not too much important (if I have well understood Post by mathias dufresne it): ACL is set on FS to Local Admins when it should be Domain admins Post by L.P.H. van Belle Post by L.P.H. van Belle (or Post by mathias dufresne the contrary). That one should be a simple warning, or it is and it can Post by L.P.H. van Belle be Post by mathias dufresne ignored (once more: according to my memory). Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between Post by mathias dufresne Post by mathias dufresne DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if Post by mathias dufresne Post by mathias dufresne you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien- Hi Same here, GPO work without UID/GID on machine account (since issue Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except Post by L.P.H. van Belle a Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't be Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to Post by mathias dufresne Post by mathias dufresne have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap Post by L.P.H. van Belle Post by L.P.H. van Belle stuffs Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne were here to replace RFC2307 UID/GID declared into AD/LDAP objects. Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne In others words, if you configure correctly idmap into smb.conf I expect Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne GPO this morning, the one giving the possibility to use userPrincipalName worked Post by L.P.H. van Belle Post by L.P.H. van Belle so Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne the GPO was applied and my machines have no UID/GID nor my smb.conf contains Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied
rodc
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
replication group)
So idmapping seems to be enabled by default as there are no
UID/GID
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Ryan Ashley additional option when installing the tools. I believe it is "something Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley for NIS attributes". This adds the "UNIX" tab to ADUC and allows you Post by L.P.H. van Belle to Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley set the uid/gid as well as group memberships for UNIX systems. I have Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley done this on my networks, but I may have forgotten it on this one. Post by L.P.H. van Belle I Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley will check. I still have the issue, it is not a "node type" issue. Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields Post by L.P.H. van Belle in Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj RSAT I added them using LAM, because yes: using RSAT i also could not. Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-03-29 15:03:58 UTC Permalink Ok, same as im running. DC => (replicated zones) => Slave DNS << == Client pc's. Have you tried to reset the network id manualy from withing windows. ( where you change/add the computer to the network ) The button "change network-id." I have seen these things also with pc's which are wrongly syspreped. Which cases same SID's for the pc's. But please try also if you point the problem pc to the DCs as dns, please do try it. -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:58 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Company's dns which recurse on AD DC for my.ad.domain subdomain Regards Post by L.P.H. van Belle Ok, where your pc's get the DNS info from? Server : AD-DC + DNS Or Server : AD-DC + Some other server with DNS Can you give the output of dig NS your.domain.tld and tel us what what is. -----Oorspronkelijk bericht----- Ray Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 16:31 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) No firewall configured on DCs telnet dc 88 & 53 works fine (so TCP at least is OK). 53 isn't mandatory since AD zone is a delegation so clients never talk to AD NS directly Regards Post by L.P.H. van Belle I dont read any france but translators work ok. ;-) pfew.. Ok any firewalling on the DC's? if so, open TCP and UDP port 88. Or try short without firewalls on, on the DC's. Other options to try is recude the MaxPacketSize in windows. Looks like a to big package which is rejected. Ow and above is also needed on the DNS port 53. Open tcp and udp. If the upd packages are to big, tcp is tried. And let us know the result. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:10 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hi French windows version LSA Error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le Post by L.P.H. van Belle Post by L.P.H. van Belle serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/computer.domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a Post by L.P.H. van Belle été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> GPT.ini error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le Post by L.P.H. van Belle Post by L.P.H. van Belle serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a Post by L.P.H. van Belle été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/ # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/ # owner: root # group: 10000 user::rwx user:root:rwx user:3000002:rwx user:3000003:r-x user:3000007:rwx user:3000008:r-x group::rwx group:10000:rwx group:3000002:rwx group:3000003:r-x group:3000007:rwx group:3000008:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000002:rwx default:user:3000003:r-x default:user:3000007:rwx default:user:3000008:r-x default:group::--- default:group:10000:rwx default:group:3000002:rwx default:group:3000003:r-x default:group:3000007:rwx default:group:3000008:r-x default:mask::rwx default:other::--- DHCP IP Regards Post by L.P.H. van Belle But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle Post by L.P.H. van Belle source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis -----Oorspronkelijk bericht----- Le Post by L.P.H. van Belle Post by L.P.H. van Belle Ray Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 15:41 CC: samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) LOGONSERVER is the server used to authenticate currently logged in user, Post by L.P.H. van Belle this does not mean that it is the one on which machine GPO was fetched Post by L.P.H. van Belle Post by L.P.H. van Belle (which seem to be round-robinized, but maybe not) Got no more sysvolcheck error, manually fixed those (what a pain) But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle Post by L.P.H. van Belle source and right after a permission denied on GPT.ini Regards Post by mathias dufresne About sysvolreset errors: send them to us. There is (at least) one error Post by L.P.H. van Belle Post by mathias dufresne from sysvolcheck which is not too much important (if I have well understood Post by mathias dufresne it): ACL is set on FS to Local Admins when it should be Domain admins Post by L.P.H. van Belle Post by L.P.H. van Belle (or Post by mathias dufresne the contrary). That one should be a simple warning, or it is and it Post by L.P.H. van Belle Post by L.P.H. van Belle can Post by L.P.H. van Belle be Post by mathias dufresne ignored (once more: according to my memory). 2016-03-29 15:14 GMT+02:00 mathias dufresne Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between Post by mathias dufresne Post by mathias dufresne DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS Post by L.P.H. van Belle Post by L.P.H. van Belle Post by L.P.H. van Belle issue if Post by mathias dufresne Post by mathias dufresne you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien- Hi Same here, GPO work without UID/GID on machine account (since issue Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except Post by L.P.H. van Belle a Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't Post by L.P.H. van Belle be Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne fixed by sysvolreset (!), I manually fixed ntacl but this does not Post by L.P.H. van Belle Post by L.P.H. van Belle Post by L.P.H. van Belle seem to Post by mathias dufresne Post by mathias dufresne have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap Post by L.P.H. van Belle Post by L.P.H. van Belle stuffs Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne were here to replace RFC2307 UID/GID declared into AD/LDAP objects. Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne In others words, if you configure correctly idmap into smb.conf I Post by L.P.H. van Belle Post by L.P.H. van Belle Post by L.P.H. van Belle expect Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne GPO this morning, the one giving the possibility to use userPrincipalName worked Post by L.P.H. van Belle Post by L.P.H. van Belle so Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne the GPO was applied and my machines have no UID/GID nor my smb.conf contains Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts Post by L.P.H. van Belle Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied
rodc
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
replication group)
So idmapping seems to be enabled by default as there are no
UID/GID
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by L.P.H. van Belle Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley additional option when installing the tools. I believe it is "something Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley for NIS attributes". This adds the "UNIX" tab to ADUC and allows Post by L.P.H. van Belle Post by L.P.H. van Belle you Post by L.P.H. van Belle to Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley set the uid/gid as well as group memberships for UNIX systems. I Post by L.P.H. van Belle Post by L.P.H. van Belle Post by L.P.H. van Belle have Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley done this on my networks, but I may have forgotten it on this one. Post by L.P.H. van Belle I Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley will check. I still have the issue, it is not a "node type" issue. Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields Post by L.P.H. van Belle in Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj RSAT I added them using LAM, because yes: using RSAT i also could not. Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the Post by L.P.H. van Belle Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-03-29 14:55:43 UTC Permalink And i found this link. http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm also good to read. -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:31 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) No firewall configured on DCs telnet dc 88 & 53 works fine (so TCP at least is OK). 53 isn't mandatory since AD zone is a delegation so clients never talk to AD NS directly Regards Post by L.P.H. van Belle I dont read any france but translators work ok. ;-) pfew.. Ok any firewalling on the DC's? if so, open TCP and UDP port 88. Or try short without firewalls on, on the DC's. Other options to try is recude the MaxPacketSize in windows. Looks like a to big package which is rejected. Ow and above is also needed on the DNS port 53. Open tcp and udp. If the upd packages are to big, tcp is tried. And let us know the result. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:10 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hi French windows version LSA Error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/computer.domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> GPT.ini error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/ # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/ # owner: root # group: 10000 user::rwx user:root:rwx user:3000002:rwx user:3000003:r-x user:3000007:rwx user:3000008:r-x group::rwx group:10000:rwx group:3000002:rwx group:3000003:r-x group:3000007:rwx group:3000008:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000002:rwx default:user:3000003:r-x default:user:3000007:rwx default:user:3000008:r-x default:group::--- default:group:10000:rwx default:group:3000002:rwx default:group:3000003:r-x default:group:3000007:rwx default:group:3000008:r-x default:mask::rwx default:other::--- DHCP IP Regards Post by L.P.H. van Belle But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle Post by L.P.H. van Belle source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis -----Oorspronkelijk bericht----- Ray Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 15:41 CC: samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) LOGONSERVER is the server used to authenticate currently logged in user, Post by L.P.H. van Belle this does not mean that it is the one on which machine GPO was fetched Post by L.P.H. van Belle Post by L.P.H. van Belle (which seem to be round-robinized, but maybe not) Got no more sysvolcheck error, manually fixed those (what a pain) But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle Post by L.P.H. van Belle source and right after a permission denied on GPT.ini Regards Post by mathias dufresne About sysvolreset errors: send them to us. There is (at least) one error Post by L.P.H. van Belle Post by mathias dufresne from sysvolcheck which is not too much important (if I have well understood Post by mathias dufresne it): ACL is set on FS to Local Admins when it should be Domain admins Post by L.P.H. van Belle Post by L.P.H. van Belle (or Post by mathias dufresne the contrary). That one should be a simple warning, or it is and it can Post by L.P.H. van Belle be Post by mathias dufresne ignored (once more: according to my memory). Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between Post by mathias dufresne Post by mathias dufresne DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if Post by mathias dufresne Post by mathias dufresne you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien- Hi Same here, GPO work without UID/GID on machine account (since issue Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except Post by L.P.H. van Belle a Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't be Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to Post by mathias dufresne Post by mathias dufresne have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap Post by L.P.H. van Belle Post by L.P.H. van Belle stuffs Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne were here to replace RFC2307 UID/GID declared into AD/LDAP objects. Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne In others words, if you configure correctly idmap into smb.conf I expect Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne GPO this morning, the one giving the possibility to use userPrincipalName worked Post by L.P.H. van Belle Post by L.P.H. van Belle so Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne the GPO was applied and my machines have no UID/GID nor my smb.conf contains Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied
rodc
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
replication group)
So idmapping seems to be enabled by default as there are no
UID/GID
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Ryan Ashley additional option when installing the tools. I believe it is "something Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley for NIS attributes". This adds the "UNIX" tab to ADUC and allows you Post by L.P.H. van Belle to Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley set the uid/gid as well as group memberships for UNIX systems. I have Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley done this on my networks, but I may have forgotten it on this one. Post by L.P.H. van Belle I Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley will check. I still have the issue, it is not a "node type" issue. Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields Post by L.P.H. van Belle in Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj RSAT I added them using LAM, because yes: using RSAT i also could not. Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-03-22 15:16:59 UTC Permalink Hai In the end, i found the problem today. The pc win7-64b with this problem had a wrongy network settting and 2 nics. I removed 1 nic. Ipconfig /all gaves what whas wrong. The nodetype was wrong. The "problem" pc had mixed set. And not hybrid (0x8) (H Node) After changing this back to H-node and removeing the 2e nic. Rebooted the pc and it works again now. Hope this helps someone. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 22 maart 2016 15:11 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) I just saw this thread while browsing my emails and I want to report that I get this frequently but randomly on every Samba4 domain I run. It is completely random in that it affects a PC today, but a week from now that same PC may work just fine. It may then affect a different PC which had no issues prior. Also, if I click the link to "gpt.ini" in the event log the file DOES open and I can view it all day long. It is almost as though the system lies to me in saying it cannot access the file, but it can. I have been dealing with this for two years now. Finally, this seems to occur MUCH more frequently on domains which have multiple DCs. A single DC domain may have this happen once in a year, and only for a moment, whereas a multiple DC domain may have this happen regularly. Lead IT/IS Specialist Reach Technology FP, Inc Post by l***@gmail.com Post by l***@gmail.com Have you tried running 'gpresult /H GPReport.html' on the workstation and see if it provides any details? You can also run 'Group Policy Results' from within Microsoft Group Policy Management snap in. Yes, it show an error about maximum kerberos tickets exceeded but I take that for a generic error message? Post by l***@gmail.com Are you using Item level targeting in your GPO? No When this error happens, can you confirm if you can manually navigate to the file? Open file explorer and enter the UNC path. ie. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini On the workstation having the issue. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-03-30 10:01:21 UTC Permalink I found this one. Check which one works for you. http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm Im sure this is not a samba configuration problem. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:18 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) I dont read any france but translators work ok. ;-) pfew.. Ok any firewalling on the DC's? if so, open TCP and UDP port 88. Or try short without firewalls on, on the DC's. Other options to try is recude the MaxPacketSize in windows. Looks like a to big package which is rejected. Ow and above is also needed on the DNS port 53. Open tcp and udp. If the upd packages are to big, tcp is tried. And let us know the result. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:10 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hi French windows version LSA Error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/computer.domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data> </EventData> </Event> GPT.ini error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data> </EventData> </Event> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/ # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/ # owner: root # group: 10000 user::rwx user:root:rwx user:3000002:rwx user:3000003:r-x user:3000007:rwx user:3000008:r-x group::rwx group:10000:rwx group:3000002:rwx group:3000003:r-x group:3000007:rwx group:3000008:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000002:rwx default:user:3000003:r-x default:user:3000007:rwx default:user:3000008:r-x default:group::--- default:group:10000:rwx default:group:3000002:rwx default:group:3000003:r-x default:group:3000007:rwx default:group:3000008:r-x default:mask::rwx default:other::--- DHCP IP Regards Post by L.P.H. van Belle But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis -----Oorspronkelijk bericht----- Ray Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 15:41 CC: samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) LOGONSERVER is the server used to authenticate currently logged in user, Post by L.P.H. van Belle this does not mean that it is the one on which machine GPO was fetched Post by L.P.H. van Belle (which seem to be round-robinized, but maybe not) Got no more sysvolcheck error, manually fixed those (what a pain) But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle source and right after a permission denied on GPT.ini Regards Post by mathias dufresne About sysvolreset errors: send them to us. There is (at least) one error Post by L.P.H. van Belle Post by mathias dufresne from sysvolcheck which is not too much important (if I have well understood Post by mathias dufresne it): ACL is set on FS to Local Admins when it should be Domain admins Post by L.P.H. van Belle (or Post by mathias dufresne the contrary). That one should be a simple warning, or it is and it can Post by L.P.H. van Belle be Post by mathias dufresne ignored (once more: according to my memory). Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between Post by mathias dufresne Post by mathias dufresne DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if Post by mathias dufresne Post by mathias dufresne you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien- Hi Same here, GPO work without UID/GID on machine account (since issue Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except a Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't be Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to Post by mathias dufresne Post by mathias dufresne have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap Post by L.P.H. van Belle stuffs Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne were here to replace RFC2307 UID/GID declared into AD/LDAP objects. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne In others words, if you configure correctly idmap into smb.conf I expect Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne GPO this morning, the one giving the possibility to use userPrincipalName worked Post by L.P.H. van Belle so Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne the GPO was applied and my machines have no UID/GID nor my smb.conf contains Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied
rodc
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
replication group)
So idmapping seems to be enabled by default as there are no
UID/GID
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Ryan Ashley additional option when installing the tools. I believe it is "something Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley for NIS attributes". This adds the "UNIX" tab to ADUC and allows you Post by L.P.H. van Belle to Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley set the uid/gid as well as group memberships for UNIX systems. I have Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley done this on my networks, but I may have forgotten it on this one. I Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley will check. I still have the issue, it is not a "node type" issue. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields Post by L.P.H. van Belle in Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj RSAT I added them using LAM, because yes: using RSAT i also could not. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba Ryan Ashley 2016-04-14 14:42:25 UTC Permalink Sorry for my delayed response, my job has had me out of state for a while. I wanted to add that I am not getting the Kerberos error in my event logs. It just flat out claims that it cannot read gpt.ini for some reason. This happens randomly, whether dc01 or dc02 is the logon server, and the strange part is that most PCs can work fine, but one or two randomly won't. In other words, if pc1 and pc3 are using dc01, and pc2 is using dc02, pc1 and pc2 work fine, but pc3 says it can't read the gpt.ini on dc01. This may persist for weeks, then it suddenly works. Lead IT/IS Specialist Reach Technology FP, Inc Post by L.P.H. van Belle I found this one. Check which one works for you. http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm Im sure this is not a samba configuration problem. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:18 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) I dont read any france but translators work ok. ;-) pfew.. Ok any firewalling on the DC's? if so, open TCP and UDP port 88. Or try short without firewalls on, on the DC's. Other options to try is recude the MaxPacketSize in windows. Looks like a to big package which is rejected. Ow and above is also needed on the DNS port 53. Open tcp and udp. If the upd packages are to big, tcp is tried. And let us know the result. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:10 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hi French windows version LSA Error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/computer.domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data> </EventData> </Event> GPT.ini error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data> </EventData> </Event> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/ # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/ # owner: root # group: 10000 user::rwx user:root:rwx user:3000002:rwx user:3000003:r-x user:3000007:rwx user:3000008:r-x group::rwx group:10000:rwx group:3000002:rwx group:3000003:r-x group:3000007:rwx group:3000008:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000002:rwx default:user:3000003:r-x default:user:3000007:rwx default:user:3000008:r-x default:group::--- default:group:10000:rwx default:group:3000002:rwx default:group:3000003:r-x default:group:3000007:rwx default:group:3000008:r-x default:mask::rwx default:other::--- DHCP IP Regards Post by L.P.H. van Belle But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis -----Oorspronkelijk bericht----- Ray Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 15:41 CC: samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) LOGONSERVER is the server used to authenticate currently logged in user, Post by L.P.H. van Belle this does not mean that it is the one on which machine GPO was fetched Post by L.P.H. van Belle (which seem to be round-robinized, but maybe not) Got no more sysvolcheck error, manually fixed those (what a pain) But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle source and right after a permission denied on GPT.ini Regards Post by mathias dufresne About sysvolreset errors: send them to us. There is (at least) one error Post by L.P.H. van Belle Post by mathias dufresne from sysvolcheck which is not too much important (if I have well understood Post by mathias dufresne it): ACL is set on FS to Local Admins when it should be Domain admins Post by L.P.H. van Belle (or Post by mathias dufresne the contrary). That one should be a simple warning, or it is and it can Post by L.P.H. van Belle be Post by mathias dufresne ignored (once more: according to my memory). Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between Post by mathias dufresne Post by mathias dufresne DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if Post by mathias dufresne Post by mathias dufresne you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien- Hi Same here, GPO work without UID/GID on machine account (since issue Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except a Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't be Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to Post by mathias dufresne Post by mathias dufresne have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap Post by L.P.H. van Belle stuffs Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne were here to replace RFC2307 UID/GID declared into AD/LDAP objects. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne In others words, if you configure correctly idmap into smb.conf I expect Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne GPO this morning, the one giving the possibility to use userPrincipalName worked Post by L.P.H. van Belle so Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne the GPO was applied and my machines have no UID/GID nor my smb.conf contains Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied
rodc
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
replication group)
So idmapping seems to be enabled by default as there are no
UID/GID
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Ryan Ashley additional option when installing the tools. I believe it is "something Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley for NIS attributes". This adds the "UNIX" tab to ADUC and allows you Post by L.P.H. van Belle to Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley set the uid/gid as well as group memberships for UNIX systems. I have Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley done this on my networks, but I may have forgotten it on this one. I Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley will check. I still have the issue, it is not a "node type" issue. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields Post by L.P.H. van Belle in Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj RSAT I added them using LAM, because yes: using RSAT i also could not. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba Jonathan Hunter 2016-04-14 16:03:57 UTC Permalink I hate 'me too' replies - but I have also been struggling with this for some years in my multi-DC environment. (yes, replicated sysvol via lsyncd + rsync; permissions looked identical via getfacl last time I checked). Sometimes a client machine will run gpupdate just fine; other times it will fail, seemingly randomly. My next step was going to be to run wireshark on a client machine to see if the problem follows a particular DC or pattern - as someone has already said elsewhere in this thread, the LOGONSERVER isn't necessarily the DC that GPOs are fetched from. I don't have UIDs/GIDs for my machine accounts but maybe I should try to add them.. Unfortunately every time I sit down to troubleshoot this, the client machine runs gpupdate with no errors at all; and of course every time I make a GPO update that needs to be pushed out, it chooses that time to not work.. :) I will try and do some wireshark work and let you know what I find.. It's definitely "not just you", though - and I'm glad it's not just me, as well! :-) Post by Ryan Ashley Sorry for my delayed response, my job has had me out of state for a while. I wanted to add that I am not getting the Kerberos error in my event logs. It just flat out claims that it cannot read gpt.ini for some reason. This happens randomly, whether dc01 or dc02 is the logon server, and the strange part is that most PCs can work fine, but one or two randomly won't. In other words, if pc1 and pc3 are using dc01, and pc2 is using dc02, pc1 and pc2 work fine, but pc3 says it can't read the gpt.ini on dc01. This may persist for weeks, then it suddenly works. Lead IT/IS Specialist Reach Technology FP, Inc Post by L.P.H. van Belle I found this one. Check which one works for you. http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm Post by L.P.H. van Belle Im sure this is not a samba configuration problem. Greetz, Louis -----Oorspronkelijk bericht----- Belle Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 16:18 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) I dont read any france but translators work ok. ;-) pfew.. Ok any firewalling on the DC's? if so, open TCP and UDP port 88. Or try short without firewalls on, on the DC's. Other options to try is recude the MaxPacketSize in windows. Looks like a to big package which is rejected. Ow and above is also needed on the DNS port 53. Open tcp and udp. If the upd packages are to big, tcp is tried. And let us know the result. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:10 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hi French windows version LSA Error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/computer.domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> GPT.ini error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/ # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/ # owner: root # group: 10000 user::rwx user:root:rwx user:3000002:rwx user:3000003:r-x user:3000007:rwx user:3000008:r-x group::rwx group:10000:rwx group:3000002:rwx group:3000003:r-x group:3000007:rwx group:3000008:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000002:rwx default:user:3000003:r-x default:user:3000007:rwx default:user:3000008:r-x default:group::--- default:group:10000:rwx default:group:3000002:rwx default:group:3000003:r-x default:group:3000007:rwx default:group:3000008:r-x default:mask::rwx default:other::--- DHCP IP Regards Post by L.P.H. van Belle But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis -----Oorspronkelijk bericht----- Le Post by L.P.H. van Belle Ray Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 15:41 CC: samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) LOGONSERVER is the server used to authenticate currently logged in user, Post by L.P.H. van Belle this does not mean that it is the one on which machine GPO was fetched Post by L.P.H. van Belle (which seem to be round-robinized, but maybe not) Got no more sysvolcheck error, manually fixed those (what a pain) But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle source and right after a permission denied on GPT.ini Regards Post by mathias dufresne About sysvolreset errors: send them to us. There is (at least) one error Post by L.P.H. van Belle Post by mathias dufresne from sysvolcheck which is not too much important (if I have well understood Post by mathias dufresne it): ACL is set on FS to Local Admins when it should be Domain admins Post by L.P.H. van Belle (or Post by mathias dufresne the contrary). That one should be a simple warning, or it is and it can Post by L.P.H. van Belle be Post by mathias dufresne ignored (once more: according to my memory). Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation between Post by mathias dufresne Post by mathias dufresne DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if Post by mathias dufresne Post by mathias dufresne you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien- Hi Same here, GPO work without UID/GID on machine account (since issue Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except a Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne reboot So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't be Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to Post by mathias dufresne Post by mathias dufresne have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap Post by L.P.H. van Belle stuffs Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne were here to replace RFC2307 UID/GID declared into AD/LDAP objects. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne In others words, if you configure correctly idmap into smb.conf I expect Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne you don't need any more declaring UID/GID for machine accounts. Anyway here my machines get access to their GPO: I tested one computer's Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne GPO this morning, the one giving the possibility to use userPrincipalName worked Post by L.P.H. van Belle so Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne the GPO was applied and my machines have no UID/GID nor my smb.conf contains Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied
rodc
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
replication group)
So idmapping seems to be enabled by default as there are no
UID/GID
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne local user. Hoping this helps, cheers, mathias I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Ryan Ashley additional option when installing the tools. I believe it is "something Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley for NIS attributes". This adds the "UNIX" tab to ADUC and allows you Post by L.P.H. van Belle to Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley set the uid/gid as well as group memberships for UNIX systems. I have Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley done this on my networks, but I may have forgotten it on this one. I Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley will check. I still have the issue, it is not a "node type" issue. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields Post by L.P.H. van Belle in Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj RSAT I added them using LAM, because yes: using RSAT i also could not. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read the Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-04-18 09:57:31 UTC Permalink Hai, Yeah, you have probely one of these 2 problems. ( or both ) 1) This is probely because your "computer" *(user) does not have any acces. Recheck you permissions on the share and and folders for that specific policie. 2) Connections specific suffic and/or network suffic is wrong. Check if you pc is setup correct with dhcp. Ipconfig /all ( check these, and make sure you have "hybrib" (H-node) This is not a samba problem but a configuration problem, or a corruption in you ip stack, (netsh int ip reset) can help also. I've posted a link before this one, go throug it, here are multiple good options to check out. http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: maandag 18 april 2016 11:22 Aan: Jonathan Hunter; samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hi list I have another box hitting the problem It's rather strange since manual run of gpupdate terminates smoothly, the only failure seem to be on boot time (sadly this seem to prevent the boot scripts to be run, which is of course what we need?) My guess was that the issue was raising when boot up GPO fetching wasn't performed on the DC on which machine authentication was done (as I said before, this is due to the fact that sysvol is supposed to be a DFS share so it is accessed through \\domain.fqdn\ which, when using samba, is a dumb round robin). So what I did was to remove all DNS entry for domain.fqdn except for the site DC IP, thus ensuring that GPO was fetched from the same machine? Without success I ran wireshark during machine boot up sequence is basically dig -t SRV _ldap._tcp.dc._msdcs.domain.fqdn <= all domain controllers => pick one to get my site <= your site is XXX dig -t SRV _ldap._tcp.XXX._sites.dc._msdcs.domain.fqdn <= site DC All subsequent communication is made with the DC the box fetched? Still no success I can see SMB2 negociate procotol request/response, DNS updates, but GPT.ini reading still fails Regards Post by Jonathan Hunter I hate 'me too' replies - but I have also been struggling with this for some years in my multi-DC environment. (yes, replicated sysvol via lsyncd + Post by Jonathan Hunter rsync; permissions looked identical via getfacl last time I checked). Sometimes a client machine will run gpupdate just fine; other times it will Post by Jonathan Hunter fail, seemingly randomly. My next step was going to be to run wireshark on a client machine to see if Post by Jonathan Hunter the problem follows a particular DC or pattern - as someone has already said elsewhere in this thread, the LOGONSERVER isn't necessarily the DC that GPOs are fetched from. I don't have UIDs/GIDs for my machine accounts but maybe I should try to add them.. Unfortunately every time I sit down to troubleshoot this, the client machine runs gpupdate with no errors at all; and of course every time I make a GPO update that needs to be pushed out, it chooses that time Post by Jonathan Hunter to not work.. :) I will try and do some wireshark work and let you know what I find.. It's Post by Jonathan Hunter definitely "not just you", though - and I'm glad it's not just me, as well! Post by Jonathan Hunter :-) Post by Ryan Ashley Sorry for my delayed response, my job has had me out of state for a while. I wanted to add that I am not getting the Kerberos error in my event logs. It just flat out claims that it cannot read gpt.ini for some Post by Jonathan Hunter Post by Ryan Ashley reason. This happens randomly, whether dc01 or dc02 is the logon server, Post by Jonathan Hunter Post by Ryan Ashley and the strange part is that most PCs can work fine, but one or two randomly won't. In other words, if pc1 and pc3 are using dc01, and pc2 is using dc02, pc1 and pc2 work fine, but pc3 says it can't read the gpt.ini on dc01. This may persist for weeks, then it suddenly works. Lead IT/IS Specialist Reach Technology FP, Inc Post by L.P.H. van Belle I found this one. Check which one works for you. http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno- 8508-phase-1.htm Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Im sure this is not a samba configuration problem. Greetz, Louis -----Oorspronkelijk bericht----- Belle Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 16:18 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) I dont read any france but translators work ok. ;-) pfew.. Ok any firewalling on the DC's? if so, open TCP and UDP port 88. Or try short without firewalls on, on the DC's. Other options to try is recude the MaxPacketSize in windows. Looks like a to big package which is rejected. Ow and above is also needed on the DNS port 53. Open tcp and udp. If the upd packages are to big, tcp is tried. And let us know the result. Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: dinsdag 29 maart 2016 16:10 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Hi French windows version LSA Error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/computer.domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a Post by Jonathan Hunter Post by Ryan Ashley été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> GPT.ini error Nom du journal :System Source : LsaSrv Date : 29/03/2016 15:49:56 ID de l?événement :40960 Catégorie de la tâche :Aucun Niveau : Avertissement Utilisateur : Système Ordinateur : computer.domain Le système de sécurité a détecté une erreur d?authentification pour le Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle serveur cifs/domain. Le code de la panne à partir du protocole d?authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)". <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40960</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" /> <EventRecordID>8737</EventRecordID> <Correlation /> <Execution ProcessID="840" ThreadID="900" /> <Channel>System</Channel> <Computer>computer.domain</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">cifs/domain</Data> <Data Name="Protocol">Kerberos</Data> <Data Name="Error">"Le nombre maximal de tickets de référence a Post by Jonathan Hunter Post by Ryan Ashley été Post by L.P.H. van Belle dépassé. (0xc00002f4)"</Data> </EventData> </Event> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/ # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/ # owner: root # group: 10000 user::rwx user:root:rwx user:3000002:rwx user:3000003:r-x user:3000007:rwx user:3000008:r-x group::rwx group:10000:rwx group:3000002:rwx group:3000003:r-x group:3000007:rwx group:3000008:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000002:rwx default:user:3000003:r-x default:user:3000007:rwx default:user:3000008:r-x default:group::--- default:group:10000:rwx default:group:3000002:rwx default:group:3000003:r-x default:group:3000007:rwx default:group:3000008:r-x default:mask::rwx default:other::--- DHCP IP Regards Post by L.P.H. van Belle But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle source and right after a permission denied on GPT.ini And a getfacl of the problem GPO SID please, i'll check. And a output of ipconfig /all on the problem pc. And question, dedicated IP or dhcp IP? Greetz, Louis -----Oorspronkelijk bericht----- Le Post by L.P.H. van Belle Ray Post by L.P.H. van Belle Verzonden: dinsdag 29 maart 2016 15:41 CC: samba Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle LOGONSERVER is the server used to authenticate currently logged in user, Post by L.P.H. van Belle this does not mean that it is the one on which machine GPO was fetched Post by L.P.H. van Belle (which seem to be round-robinized, but maybe not) Got no more sysvolcheck error, manually fixed those (what a pain) But still, events log show a warning about kerberos ticket from LsaSrv Post by L.P.H. van Belle source and right after a permission denied on GPT.ini Regards Post by mathias dufresne About sysvolreset errors: send them to us. There is (at least) one Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle error Post by L.P.H. van Belle Post by mathias dufresne from sysvolcheck which is not too much important (if I have well understood Post by mathias dufresne it): ACL is set on FS to Local Admins when it should be Domain admins Post by L.P.H. van Belle (or Post by mathias dufresne the contrary). That one should be a simple warning, or it is and it Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle can Post by L.P.H. van Belle be Post by mathias dufresne ignored (once more: according to my memory). 2016-03-29 15:14 GMT+02:00 mathias dufresne Post by mathias dufresne To see which DC is used by Windows client: open a MSDOS console, type Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "set", look for LOGONSERVER=\\<your_dc> <your_dc> is the DC used to connect on. If issue comes from one DC I would have on sysvol synchronisation Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle between Post by mathias dufresne Post by mathias dufresne DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle issue if Post by mathias dufresne Post by mathias dufresne you have only GPO issue). 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien- Hi Same here, GPO work without UID/GID on machine account (since issue Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne "resolves" itself sometime) It really seems to depend on which DC is chosen at start. One of the affected machine just recovered without any change except a Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne reboot So I guess root issue is the kerberos one "max reference tickets Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne exceeded" but cannot see why it happens and on which DC I noticed this morning that sysvolcheck returns errors that won't Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle be Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne fixed by sysvolreset (!), I manually fixed ntacl but this does not Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle seem to Post by mathias dufresne Post by mathias dufresne have fixed anything Regards Post by mathias dufresne I'm not an expert in idmap (at all in fact :p) but I thought idmap Post by L.P.H. van Belle stuffs Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne were here to replace RFC2307 UID/GID declared into AD/LDAP objects. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne In others words, if you configure correctly idmap into smb.conf I Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle expect Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne you don't need any more declaring UID/GID for machine accounts. Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Anyway here my machines get access to their GPO: I tested one computer's Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne GPO this morning, the one giving the possibility to use userPrincipalName worked Post by L.P.H. van Belle so Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne the GPO was applied and my machines have no UID/GID nor my smb.conf Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle contains Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne ---------------------------------------- [global] workgroup = SAMBA realm = SAMBA.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes # NOTE: removed as we now use BIND-DLZ DNS backend #dns forwarder = 10.156.32.99 #kccsrv:samba_kcc=true [netlogon] path = /var/lib/samba/sysvol/samba.domain.tld/scripts Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ---------------------------------------- grep win /etc/nsswitch.conf passwd: files winbind shadow: files winbind group: files winbind id administrator uid=0(root) gid=0(root) groupes=0(root) id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied
rodc
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
replication group)
So idmapping seems to be enabled by default as there are no
UID/GID
Post by L.P.H. van Belle
Post by mathias dufresne
Post by mathias dufresne
Post by mathias dufresne
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 So I still expect an issue about mapping computer accounts to UNIX/Linux Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne local user. Hoping this helps, cheers, mathias 2016-03-26 22:04 GMT+01:00 Ryan Ashley I add UNIX attributes (gid/uid) using RSAT. You need to select an Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley additional option when installing the tools. I believe it is "something Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley for NIS attributes". This adds the "UNIX" tab to ADUC and allows Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle you Post by L.P.H. van Belle to Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley set the uid/gid as well as group memberships for UNIX systems. I Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle have Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley done this on my networks, but I may have forgotten it on this one. I Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley will check. I still have the issue, it is not a "node type" issue. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Lead IT/IS Specialist Reach Technology FP, Inc Post by mj And did you add those IDs to the sysvol share permissions? I guess you used samba-tool since I cannot find any gid/uid fields Post by L.P.H. van Belle in Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj RSAT I added them using LAM, because yes: using RSAT i also could not. Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley Post by mj (lam: www.ldap-account-manager.org/) -- To unsubscribe from this list go to the following URL and read Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle the Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne Post by mathias dufresne Post by Ryan Ashley instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the Post by Jonathan Hunter Post by Ryan Ashley Post by L.P.H. van Belle Post by L.P.H. van Belle Post by mathias dufresne Post by mathias dufresne instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba L.P.H. van Belle 2016-04-18 10:58:29 UTC Permalink Ok, try this. Gif the pc a uid and check again. If it works then, its a share or security right. Gpupdate /force works because at that point you "user"/user has a uid and gid. The error occurs at start up because the COMPUTERNAME$ doent have access to that gpt.ini.

Resetting sysvol in that case doent help because the right on the gpt.ini is set by the group you assigned to the policy.
( so can be an inherrentance problem also )

Greetz,

Louis
-----Oorspronkelijk bericht-----
Verzonden: maandag 18 april 2016 12:46
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hi
Post by L.P.H. van Belle
Hai,
Yeah, you have probely one of these 2 problems. ( or both )
1)
This is probely because your "computer" *(user) does not have any
acces.
Post by L.P.H. van Belle
Recheck you permissions on the share and and folders for that specific
policie.
Performed sysvolreset, checked access in Windows, all DC the same
(authenticated users & enterprise DC can read, system, domain/enterprise
How do you explain that manual gpupdate /force works with no issue
Tried to leave/rejoin domain (with machine account deletion after leave)
??? no change
Post by L.P.H. van Belle
2)
Connections specific suffic and/or network suffic is wrong.
Check if you pc is setup correct with dhcp.
Ipconfig /all ( check these, and make sure you have "hybrib" (H-node)
Node type is hybrid. Wireshark show that DNS queries are performed
against right suffices and does not show any DNS error
Post by L.P.H. van Belle
This is not a samba problem but a configuration problem,
or a corruption in you ip stack, (n ) can help also.
Done without success
Post by L.P.H. van Belle
I've posted a link before this one, go throug it, here are multiple good
options to check out.
Post by L.P.H. van Belle
http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-
phase-1.htm
Yeah checked a good part of them with no success. This seems more like
some random voodoo. And a good part of them involves configuration on
windows DC?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-04-18 13:35:22 UTC
Ok,

I don't think so, I launch gpupdate using local admin account, so as I
understand it, only computer account is used (since local admin as no
existence on the domain)

Test as follow.

Open de security tab of the GPT.INI.

Advanced settings, last tab, effective settings,

At objecttype, deselect all, select computer.

Search for : COMPUTERNAME$It should resolve to your computer. Klik ok, now check the security settings again here. Must have at least : Traverse Folder / Execute file. List folder/ Read Data Read Attributes. Read Exended Attributes. Read permissions. wbinfo -i COMPUTERNAME$ & wbinfo -r COMPUTERNAME$correctly returns him as member of domain computers (with proper gid) and a custom group to which it was added When thats ok, keep it as is now, looks good. After checking you rights, You can try this also if we speak of windows 7, try this. ( just found this ) Open CMD Box as Administrator. Run : DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*" gpupdate /force ( or reboot ) Greetz, Louis -----Oorspronkelijk bericht----- Verzonden: maandag 18 april 2016 15:03 Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058) Post by L.P.H. van Belle Ok, try this. Gif the pc a uid and check again. If it works then, its a share or security right. Gpupdate /force works because at that point you "user"/user has a uid and gid. I don't think so, I launch gpupdate using local admin account, so as I understand it, only computer account is used (since local admin as no existence on the domain) Post by L.P.H. van Belle The error occurs at start up because the COMPUTERNAME$ doent have access
to that gpt.ini.
wbinfo -i COMPUTERNAME$& wbinfo -r COMPUTERNAME$ correctly returns him
as member of domain computers (with proper gid) and a custom group to
I added an uidNumber to the machine, should I explicitely add it to the
GPO access rights?
Regards

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-04-18 14:45:12 UTC
Ok based on the MS link.

Have you enabled under Computer Configuration in the navigation tree on the left side, navigate to Administrative Templates\System\Logon

Enable "Always wait for the network at computer startup and logon"

If not done yet.

Greetz,

Louis
-----Oorspronkelijk bericht-----
Verzonden: maandag 18 april 2016 16:38
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Post by L.P.H. van Belle
Ok,
I don't think so, I launch gpupdate using local admin account, so as I
understand it, only computer account is used (since local admin as no
existence on the domain)
No incidence (since in fact interactive update always work :) )
Post by L.P.H. van Belle
Test as follow.
Open de security tab of the GPT.INI.
Advanced settings, last tab, effective settings,
At objecttype, deselect all, select computer.
Search for : COMPUTERNAME\$
It should resolve to your computer.
Klik ok, now check the security settings again here.
Traverse Folder / Execute file.
DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group
Policy\History\*.*"
Post by L.P.H. van Belle
gpupdate /force
This works (as usual)
Post by L.P.H. van Belle
( or reboot )
This fails
Analyzing the complete boot sequence, I see several errors
DHCP starting
DHCPv6 starting
NETLOGON error no domain controller found
LSASrv issue (max reference tickets exceeded)
GPO error (failure to read GPT.INI)
It looks like this: https://support.microsoft.com/en-us/kb/2421599 but
suggested fix doesn't make any difference.
It may be related to SSD enabled machines which boot too fast, but
cannot remember if non-SSD ones hit the bug too
Regards
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
lists
2016-04-18 15:10:23 UTC
Hi Sébastien,

This link once helped me, when some drive mappings didn't work for a
particular user:

https://support.microsoft.com/en-us/kb/979731

I removed the xml file under:
\users\All Users\Microsoft\Group Policy\History\<GUID>\Preferences
(find the appropriate GUID in the event viewer)

Reboot, and our drive mappings were back.

Another thing that we needed to do in the past, to get some policies to
apply, was to assign a uid/gid to workstation accounts.

I don't think these 'solutions'apply to your case, but then again... who
knows...

MJ
Post by L.P.H. van Belle
Ok based on the MS link.
Have you enabled under Computer Configuration in the navigation tree
on the left side, navigate to Administrative Templates\System\Logon
Enable "Always wait for the network at computer startup and logon"
If not done yet.
Greetz,
Louis
Yes it is. The GpNetworkStartTimeoutPolicyValue key has been manually
set to 120 (but this does not make any difference, moreover the
corresponding GPO is also set)
What I cannot get is that GPO processing shouldn't start until network
is available, so something seems to "trick" windows in believing that
network is available (I disabled all but ethernet adapter in BIOS…)
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Jonathan Hunter
2016-04-19 10:37:33 UTC
Good explanation, makes sense - thank you!

I am having a different issue, then, I think - on occasion gpupdate fails
(after the machine has been running; not just booted up) but then on
occasion it works again (nothing changed as far as I can tell). I'll
continue to debug this one as well :)
I think I finally solved it…
This is indeed not related to Samba (I guess), and I have to say that I
don't know if there is a proper fix
Some machines fails to apply GPO at startup. Manual launches of gpupdate
are successful, only boot up ones fail (that is, everything related to
software installation or startup scripts).
Events log shows error about accessing GPT.ini (without telling what the
error exactly is).
Manual access to said GPT.ini (either through user account or using the
computer account), is successful
I guess this is some kind of race condition related to network
initialisation which isn't totally finished when GPO processing starts. The
faster the boot, the higher the risk to trigger the condition (thus
SSD-enabled machines are good candidates). As I said in a previous mail,
something seems to trick windows into believing that the network is
available while it's not. And this something turns out to be… IPv6
Disabling IPv6 on the network interface solves the problem, enabling it
triggers it.
I guess this is because IPv6 autoconfiguration is immediate (no need to
get DHCP ack) while IPv4 needs to wait for DHCP process to finish, below is
Standard PC
[Some boot stuff involving slow disk I/O]
[Some boot stuff involving slow disk I/O]
IPv4 DHCP ACK => IPv4 available
[Some boot stuff involving slow disk I/O]
GPO processing
SSD PC
[some bot stuff invol… finished]
GPO processing waits for network
GPO says "cannot read the file"
Note: configuring system to prefer IPv4 over IPv6 does not change anything
(seems consistent since IPv4 is not available so cannot be preferred when
GPO processing starts).
Thank you for your help, I hope this will help someone (if people
encountering the same problem can test this "fix" and report back I would
appreciate).
Regards
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
"If we knew what it was we were doing, it would not be called research,
would it?"
- Albert Einstein
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Ryan Ashley
2016-04-21 14:56:15 UTC
IPv6 is disabled on all systems where I am having the issue, so it is
not a fix here. All systems have a GID, all users have a UID. It fails
on startup and when running gpupdate, with or without the force
parameter. That is why I am lost. DNS works correctly and I can ping the
domain name and it will ping one server or the other. I have reset and
checked the sysvol permissions to no avail. It really is like it just
chooses not to read the file. Normally I would blame Windows, but the
fact that this does NOT happen on domains with actual Windows Server
systems in place of Samba systems combined with the many reports in this

1) Network connectivity to servers? Yes
2) DNS and DHCP correct? Yes
3) Can run gpupdate manually? No
4) Can update policy at boot? No
5) Computers/Users have UID/GID? Yes
6) Sysvol permissions correct? Yes
7) IPv6 disabled? Yes

Reach Technology FP, Inc
Post by Jonathan Hunter
Good explanation, makes sense - thank you!
I am having a different issue, then, I think - on occasion gpupdate fails
(after the machine has been running; not just booted up) but then on
occasion it works again (nothing changed as far as I can tell). I'll
continue to debug this one as well :)
I think I finally solved it…
This is indeed not related to Samba (I guess), and I have to say that I
don't know if there is a proper fix
Some machines fails to apply GPO at startup. Manual launches of gpupdate
are successful, only boot up ones fail (that is, everything related to
software installation or startup scripts).
Events log shows error about accessing GPT.ini (without telling what the
error exactly is).
Manual access to said GPT.ini (either through user account or using the
computer account), is successful
I guess this is some kind of race condition related to network
initialisation which isn't totally finished when GPO processing starts. The
faster the boot, the higher the risk to trigger the condition (thus
SSD-enabled machines are good candidates). As I said in a previous mail,
something seems to trick windows into believing that the network is
available while it's not. And this something turns out to be… IPv6
Disabling IPv6 on the network interface solves the problem, enabling it
triggers it.
I guess this is because IPv6 autoconfiguration is immediate (no need to
get DHCP ack) while IPv4 needs to wait for DHCP process to finish, below is
Standard PC
[Some boot stuff involving slow disk I/O]
[Some boot stuff involving slow disk I/O]
IPv4 DHCP ACK => IPv4 available
[Some boot stuff involving slow disk I/O]
GPO processing
SSD PC
[some bot stuff invol… finished]
GPO processing waits for network
GPO says "cannot read the file"
Note: configuring system to prefer IPv4 over IPv6 does not change anything
(seems consistent since IPv4 is not available so cannot be preferred when
GPO processing starts).
Thank you for your help, I hope this will help someone (if people
encountering the same problem can test this "fix" and report back I would
appreciate).
Regards
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-04-21 15:13:22 UTC
Because of "3) Can run gpupdate manually? No" I would go back to other
threads speaking about GPO issue. This one seemed to me very dedicated to
issue with GPO during boot up.

Sorry to not help more :/
Post by Ryan Ashley
IPv6 is disabled on all systems where I am having the issue, so it is
not a fix here. All systems have a GID, all users have a UID. It fails
on startup and when running gpupdate, with or without the force
parameter. That is why I am lost. DNS works correctly and I can ping the
domain name and it will ping one server or the other. I have reset and
checked the sysvol permissions to no avail. It really is like it just
chooses not to read the file. Normally I would blame Windows, but the
fact that this does NOT happen on domains with actual Windows Server
systems in place of Samba systems combined with the many reports in this
1) Network connectivity to servers? Yes
2) DNS and DHCP correct? Yes
3) Can run gpupdate manually? No
4) Can update policy at boot? No
5) Computers/Users have UID/GID? Yes
6) Sysvol permissions correct? Yes
7) IPv6 disabled? Yes
Reach Technology FP, Inc
Post by Jonathan Hunter
Good explanation, makes sense - thank you!
I am having a different issue, then, I think - on occasion gpupdate fails
(after the machine has been running; not just booted up) but then on
occasion it works again (nothing changed as far as I can tell). I'll
continue to debug this one as well :)
I think I finally solved it…
This is indeed not related to Samba (I guess), and I have to say that I
don't know if there is a proper fix
Some machines fails to apply GPO at startup. Manual launches of gpupdate
are successful, only boot up ones fail (that is, everything related to
software installation or startup scripts).
Events log shows error about accessing GPT.ini (without telling what the
error exactly is).
Manual access to said GPT.ini (either through user account or using the
computer account), is successful
I guess this is some kind of race condition related to network
initialisation which isn't totally finished when GPO processing starts.
The
Post by Jonathan Hunter
faster the boot, the higher the risk to trigger the condition (thus
SSD-enabled machines are good candidates). As I said in a previous mail,
something seems to trick windows into believing that the network is
available while it's not. And this something turns out to be… IPv6
Disabling IPv6 on the network interface solves the problem, enabling it
triggers it.
I guess this is because IPv6 autoconfiguration is immediate (no need to
get DHCP ack) while IPv4 needs to wait for DHCP process to finish,
below is
Post by Jonathan Hunter
Standard PC
[Some boot stuff involving slow disk I/O]
[Some boot stuff involving slow disk I/O]
IPv4 DHCP ACK => IPv4 available
[Some boot stuff involving slow disk I/O]
GPO processing
SSD PC
[some bot stuff invol… finished]
GPO processing waits for network
GPO says "cannot read the file"
Note: configuring system to prefer IPv4 over IPv6 does not change
anything
Post by Jonathan Hunter
(seems consistent since IPv4 is not available so cannot be preferred
when
Post by Jonathan Hunter
GPO processing starts).
Thank you for your help, I hope this will help someone (if people
encountering the same problem can test this "fix" and report back I
would
Post by Jonathan Hunter
appreciate).
Regards
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mj
2016-04-21 15:13:28 UTC
Hi,

How to test access with a machine account:

* Install psexec from
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
* open a cmd.cmd as administrator
* type:
psexec -i -s cmd.exe
* In the new cmd (running as the computer account) type:

Now check if you can access the gpo folders.

Perhaps this way you can check / verify if machine accounts actually
access the required files.

MJ
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Ryan Ashley
2016-06-16 18:18:15 UTC
Sorry it has been a while, but error 87I was not near the client in
question for an extended period. I have now been by and spent a day, and
somewhat fixed the issue. How? I turned off the second DC. After
gpupdate couldn't talk to DC02, it tried DC01 and updated. It fixed
every little issue on the entire domain.

Now for the nitty-gritty. I tried using psexec as described in the
previous post and it succeeded, so both machine accounts AND user
accounts can open and read the gpt.ini file, despite the error being
logged. This is with both DCs on, before I shut the second one down.

I have a script on a cron job which runs once every 15min. It copies
over the sysvol from the primary DC and then does a sysvolreset to reset
the permissions per the second controller's IDs. I only edit group
policy on the main DC for this reason. Perhaps this is where my issue
lies? Maybe we just need DFS support or NTFRS between DCs. Either way my
suspicion is that despite the sysvolreset, something isn't right. What
are your thoughts? I am currently running on only the primary DC.

Reach Technology FP, Inc
Post by mj
Hi,
* Install psexec from
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
* open a cmd.cmd as administrator
psexec -i -s cmd.exe
Now check if you can access the gpo folders.
Perhaps this way you can check / verify if machine accounts actually
access the required files.
MJ
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba