[Samba] Permission denied on GPT.ini (Event ID 1058)

Hi,
Yes using rsync followed by a samba-tool ntacl sysvolreset
Regards

Post by l***@gmail.com
Are you currently replicating the sysvol folder between DC's?

Hi list,
Having a multi-DC Samba 4.1.17 (Debian) setup, we use Computer GPOs.
Machines randomly encounter event 1058 (translation is roughly "GPO
processing failed. Windows failed to read file
\\domain\sysvol\domain\Policies\SomeGUID\gpt.ini from a domain
controller"). It seems to be an issue with computer account because
User's GPO applies nicely.
Replication (both drs show repl & ldap-cmp) shows no error nor
difference on the DC used for GPO fetching (according to tcpdump
since I found no way to get it through windows logs). Rising
loglevel to 5 show that domain\COMPUTERNAME$ is not found as an user
but the same occurs for "working" stations. ntacl sysvolreset
doesn't change anything.
Can somebody point me in the right direction to troubleshoot this?
Regards

Have you tried running 'gpresult /H GPReport.html' on the workstation
and see if it provides any details? You can also run 'Group Policy
Results' from within Microsoft Group Policy Management snap in.

Are you using Item level targeting in your GPO?

--
-James
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

l***@gmail.com

2016-03-18 19:58:48 UTC

Post by l***@gmail.com
Have you tried running 'gpresult /H GPReport.html' on the workstation
and see if it provides any details? You can also run 'Group Policy
Results' from within Microsoft Group Policy Management snap in.

Yes, it show an error about maximum kerberos tickets exceeded but I
take that for a generic error message…

Post by l***@gmail.com
Are you using Item level targeting in your GPO?

When this error happens, can you confirm if you can manually navigate to
the file? Open file explorer and enter the UNC path.

ie. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini

On the workstation having the issue.

--
-James
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Klaus Hartnegg

2016-03-20 16:03:32 UTC

Yes but in that case I'm not using the machine account anymore but the currently logged in user account. That's why I guess it is related to some machine account configuration issue but I can find no way to test machine account access…

psexec -i -s cmd.exe
must be run as admin
will open a new window
try there:
echo %username%
looks like machine account

hope this helps,
Klaus

--
Message sent from a mobile device, please excuse brevity and typos
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

2016-03-21 14:53:36 UTC

Hai,

Today i had a "about" same problem.

Check the following.

1) Get the Policy id ( like ": {78732DBF-5381-497B-9B25-00A278270A1F} from
PATH_TO_SYSVOL_FOLDER/Policies/
2) run getfacl on the folder like :
getfacl \{78751DBF-5381-497B-9B25-00A278270A1F\}/

here in my case i noticed the following.
I had a user set on one specific policie, i changed that users to a newly created group.

After looking with getfacl i noticed, that the user was still on GPT.INI
and not the group.
Reculting in the Permission denied on GPT.ini.

For now i fixed it by getting setting the inheritance of the folder to the files again.

Resume what i think and others must test also.

When creating the policy for the first time it sets the correct U+G rights.
After changing this, not.

Other quick fix is, add the computer($) to the group.

I hope people know what i mean, if not, ask me.

Greetz,

Louis

-----Oorspronkelijk bericht-----
Verzonden: maandag 21 maart 2016 10:45
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)

Post by Klaus Hartnegg

Am 19.03.2016 um 08:16 schrieb Sébastien Le Ray <sebastien-
Yes but in that case I'm not using the machine account anymore but the

currently logged in user account. That's why I guess it is related to some
machine account configuration issue but I can find no way to test machine
account access?

Post by Klaus Hartnegg
psexec -i -s cmd.exe
must be run as admin
will open a new window
echo %username%
looks like machine account

Hi,
This gives me the machine account name which I already know.
BUT I used pushd \\path\to\sysvol in the spawned cmd.exe and I
successfully mounted the supposedly unreadable share (tries all 5 DCs)
and type'd the GPT.ini
If someone has any further investigation track, I'll take it
Regards
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Ryan Ashley

2016-03-22 14:11:18 UTC

I just saw this thread while browsing my emails and I want to report
that I get this frequently but randomly on every Samba4 domain I run. It
is completely random in that it affects a PC today, but a week from now
that same PC may work just fine. It may then affect a different PC which
had no issues prior.

Also, if I click the link to "gpt.ini" in the event log the file DOES
open and I can view it all day long. It is almost as though the system
lies to me in saying it cannot access the file, but it can. I have been
dealing with this for two years now.

Finally, this seems to occur MUCH more frequently on domains which have
multiple DCs. A single DC domain may have this happen once in a year,
and only for a moment, whereas a multiple DC domain may have this happen
regularly.

Lead IT/IS Specialist
Reach Technology FP, Inc

Post by l***@gmail.com

Yes, it show an error about maximum kerberos tickets exceeded but I
take that for a generic error message…

Post by l***@gmail.com
Are you using Item level targeting in your GPO?

When this error happens, can you confirm if you can manually navigate to
the file? Open file explorer and enter the UNC path.
ie. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini
On the workstation having the issue.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

2016-03-22 15:37:15 UTC

In addition,.. a handy to know.

Windows resolves NetBIOS names by using one of the following four methods.
1 = B-Node (broadcast)
2 = P-Node (point-to-point)
4 = M-Node (mixed)
8 = H-Node (hybrid)

In the registry look for NodeType and/or DhcpNodeType
When you cannot view other workgroup computers, remove these keys and reboot.

If you still see a wrong node-type after reboot, check you dhcp option 46.
Still not working, try manualy creating the NodeType registry key.

Greetz,

Louis

-----Oorspronkelijk bericht-----
Verzonden: dinsdag 22 maart 2016 16:17
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
Hai
In the end, i found the problem today.
The pc win7-64b with this problem had a wrongy network settting and 2
nics.
I removed 1 nic.
Ipconfig /all gaves what whas wrong.
The nodetype was wrong.
The "problem" pc had mixed set.
And not hybrid (0x8) (H Node)
After changing this back to H-node and removeing the 2e nic.
Rebooted the pc and it works again now.
Hope this helps someone.
Greetz,
Louis

-----Oorspronkelijk bericht-----
Verzonden: dinsdag 22 maart 2016 15:11
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
I just saw this thread while browsing my emails and I want to report
that I get this frequently but randomly on every Samba4 domain I run. It
is completely random in that it affects a PC today, but a week from now
that same PC may work just fine. It may then affect a different PC which
had no issues prior.
Also, if I click the link to "gpt.ini" in the event log the file DOES
open and I can view it all day long. It is almost as though the system
lies to me in saying it cannot access the file, but it can. I have been
dealing with this for two years now.
Finally, this seems to occur MUCH more frequently on domains which have
multiple DCs. A single DC domain may have this happen once in a year,
and only for a moment, whereas a multiple DC domain may have this happen
regularly.
Lead IT/IS Specialist
Reach Technology FP, Inc

Post by l***@gmail.com

Post by l***@gmail.com
Have you tried running 'gpresult /H GPReport.html' on the

workstation

Post by l***@gmail.com

Post by l***@gmail.com
and see if it provides any details? You can also run 'Group Policy
Results' from within Microsoft Group Policy Management snap in.

Yes, it show an error about maximum kerberos tickets exceeded but I
take that for a generic error message?

Post by l***@gmail.com
Are you using Item level targeting in your GPO?

When this error happens, can you confirm if you can manually navigate

Post by l***@gmail.com
the file? Open file explorer and enter the UNC path.
ie. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini
On the workstation having the issue.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

2016-03-23 13:08:25 UTC

Hi Sébastien,

Clicking on the link in the events viewer (which *never* fails) opens it
as the logged in user, that's why I'm convinced the issue is tied to
machine accounts handling

I have had problems with machine accounts accessing sysvol folders on
smba DCs. I solved this by adding a gid & uid to the machine accounts.

Perhaps try that?

MJ

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

2016-03-23 16:01:08 UTC

And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in RSAT

I added them using LAM, because yes: using RSAT i also could not.

(lam: www.ldap-account-manager.org/)

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Ryan Ashley

2016-03-26 21:04:14 UTC

I add UNIX attributes (gid/uid) using RSAT. You need to select an
additional option when installing the tools. I believe it is "something
for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
set the uid/gid as well as group memberships for UNIX systems. I have
done this on my networks, but I may have forgotten it on this one. I
will check. I still have the issue, it is not a "node type" issue.

Lead IT/IS Specialist
Reach Technology FP, Inc

And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in RSAT

I added them using LAM, because yes: using RSAT i also could not.
(lam: www.ldap-account-manager.org/)

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

mathias dufresne

2016-03-29 09:57:41 UTC

I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs
were here to replace RFC2307 UID/GID declared into AD/LDAP objects.
In others words, if you configure correctly idmap into smb.conf I expect
you don't need any more declaring UID/GID for machine accounts.

Anyway here my machines get access to their GPO: I tested one computer's
GPO this morning, the one giving the possibility to use userPrincipalName
without @samba.domain.tld when logging into a computer. That worked so the
GPO was applied and my machines have no UID/GID nor my smb.conf contains
anything about idmap:
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller

server services = -dns
idmap_ldb:use rfc2307 = yes

# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99

#kccsrv:samba_kcc=true

[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------

But my nsswitch.conf is configured to use winbind:
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind

And that works:
For users:
id administrator
uid=0(root) gid=0(root) groupes=0(root)
For computers:
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
groupes=3000011(AD.DGFIP\domain
controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password
replication group)

So idmapping seems to be enabled by default as there are no UID/GID
declared on DC200 computer:
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7

So I still expect an issue about mapping computer accounts to UNIX/Linux
local user.

Hoping this helps, cheers,

mathias

Post by Ryan Ashley
I add UNIX attributes (gid/uid) using RSAT. You need to select an
additional option when installing the tools. I believe it is "something
for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
set the uid/gid as well as group memberships for UNIX systems. I have
done this on my networks, but I may have forgotten it on this one. I
will check. I still have the issue, it is not a "node type" issue.
Lead IT/IS Specialist
Reach Technology FP, Inc

And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in RSAT

I added them using LAM, because yes: using RSAT i also could not.
(lam: www.ldap-account-manager.org/)

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

mathias dufresne

2016-03-29 13:14:05 UTC

To see which DC is used by Windows client: open a MSDOS console, type
"set", look for LOGONSERVER=\\<your_dc>

<your_dc> is the DC used to connect on.

If issue comes from one DC I would have on sysvol synchronisation between
DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if
you have only GPO issue).

Hi
Same here, GPO work without UID/GID on machine account (since issue
"resolves" itself sometime)
It really seems to depend on which DC is chosen at start.
One of the affected machine just recovered without any change except a
reboot
So I guess root issue is the kerberos one "max reference tickets exceeded"
but cannot see why it happens and on which DC
I noticed this morning that sysvolcheck returns errors that won't be fixed
by sysvolreset (!), I manually fixed ntacl but this does not seem to have
fixed anything
Regards

Post by mathias dufresne
I'm not an expert in idmap (at all in fact :p) but I thought idmap stuffs
were here to replace RFC2307 UID/GID declared into AD/LDAP objects.
In others words, if you configure correctly idmap into smb.conf I expect
you don't need any more declaring UID/GID for machine accounts.
Anyway here my machines get access to their GPO: I tested one computer's
GPO this morning, the one giving the possibility to use userPrincipalName
GPO was applied and my machines have no UID/GID nor my smb.conf contains
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99
#kccsrv:samba_kcc=true
[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
id administrator
uid=0(root) gid=0(root) groupes=0(root)
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
groupes=3000011(AD.DGFIP\domain
controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password
replication group)
So idmapping seems to be enabled by default as there are no UID/GID
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
So I still expect an issue about mapping computer accounts to UNIX/Linux
local user.
Hoping this helps, cheers,
mathias
I add UNIX attributes (gid/uid) using RSAT. You need to select an

Post by Ryan Ashley
additional option when installing the tools. I believe it is "something
for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
set the uid/gid as well as group memberships for UNIX systems. I have
done this on my networks, but I may have forgotten it on this one. I
will check. I still have the issue, it is not a "node type" issue.
Lead IT/IS Specialist
Reach Technology FP, Inc

And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in RSAT

I added them using LAM, because yes: using RSAT i also could not.
(lam: www.ldap-account-manager.org/)
--

To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

mathias dufresne

2016-03-29 13:16:38 UTC

About sysvolreset errors: send them to us. There is (at least) one error
from sysvolcheck which is not too much important (if I have well understood
it): ACL is set on FS to Local Admins when it should be Domain admins (or
the contrary). That one should be a simple warning, or it is and it can be
ignored (once more: according to my memory).

Post by mathias dufresne
To see which DC is used by Windows client: open a MSDOS console, type
"set", look for LOGONSERVER=\\<your_dc>
<your_dc> is the DC used to connect on.
If issue comes from one DC I would have on sysvol synchronisation between
DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if
you have only GPO issue).

Hi
Same here, GPO work without UID/GID on machine account (since issue
"resolves" itself sometime)
It really seems to depend on which DC is chosen at start.
One of the affected machine just recovered without any change except a
reboot
So I guess root issue is the kerberos one "max reference tickets
exceeded" but cannot see why it happens and on which DC
I noticed this morning that sysvolcheck returns errors that won't be
fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to
have fixed anything
Regards

And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields in RSAT

I added them using LAM, because yes: using RSAT i also could not.
(lam: www.ldap-account-manager.org/)
--

To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

2016-03-29 13:46:31 UTC

But still, events log show a warning about kerberos ticket from LsaSrv
source and right after a permission denied on GPT.ini

And a getfacl of the problem GPO SID please, i'll check.

And a output of ipconfig /all on the problem pc.

And question, dedicated IP or dhcp IP?

Greetz,

Louis

-----Oorspronkelijk bericht-----
Verzonden: dinsdag 29 maart 2016 15:41
CC: samba
Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
LOGONSERVER is the server used to authenticate currently logged in user,
this does not mean that it is the one on which machine GPO was fetched
(which seem to be round-robinized, but maybe not)
Got no more sysvolcheck error, manually fixed those (what a pain)
But still, events log show a warning about kerberos ticket from LsaSrv
source and right after a permission denied on GPT.ini
Regards

Post by mathias dufresne
About sysvolreset errors: send them to us. There is (at least) one error
from sysvolcheck which is not too much important (if I have well

understood

Post by mathias dufresne
it): ACL is set on FS to Local Admins when it should be Domain admins

(or

Post by mathias dufresne
the contrary). That one should be a simple warning, or it is and it can

Post by mathias dufresne
ignored (once more: according to my memory).

between

Post by mathias dufresne
DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS

issue if

Post by mathias dufresne
you have only GPO issue).
2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-

Hi
Same here, GPO work without UID/GID on machine account (since issue
"resolves" itself sometime)
It really seems to depend on which DC is chosen at start.
One of the affected machine just recovered without any change except a
reboot
So I guess root issue is the kerberos one "max reference tickets
exceeded" but cannot see why it happens and on which DC
I noticed this morning that sysvolcheck returns errors that won't be
fixed by sysvolreset (!), I manually fixed ntacl but this does not

seem to

have fixed anything
Regards

Post by mathias dufresne
I'm not an expert in idmap (at all in fact :p) but I thought idmap

stuffs

Post by mathias dufresne
were here to replace RFC2307 UID/GID declared into AD/LDAP objects.
In others words, if you configure correctly idmap into smb.conf I

expect

Post by mathias dufresne
you don't need any more declaring UID/GID for machine accounts.
Anyway here my machines get access to their GPO: I tested one

computer's

Post by mathias dufresne
GPO this morning, the one giving the possibility to use

userPrincipalName
so

Post by mathias dufresne
the
GPO was applied and my machines have no UID/GID nor my smb.conf

contains

Post by mathias dufresne
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99
#kccsrv:samba_kcc=true
[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
id administrator
uid=0(root) gid=0(root) groupes=0(root)
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
groupes=3000011(AD.DGFIP\domain
controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password
replication group)
So idmapping seems to be enabled by default as there are no UID/GID
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
So I still expect an issue about mapping computer accounts to

UNIX/Linux

Post by mathias dufresne
local user.
Hoping this helps, cheers,
mathias
I add UNIX attributes (gid/uid) using RSAT. You need to select an

Post by Ryan Ashley
additional option when installing the tools. I believe it is

"something

Post by Ryan Ashley
for NIS attributes". This adds the "UNIX" tab to ADUC and allows you

Post by Ryan Ashley
set the uid/gid as well as group memberships for UNIX systems. I

have

Post by Ryan Ashley
done this on my networks, but I may have forgotten it on this one. I
will check. I still have the issue, it is not a "node type" issue.
Lead IT/IS Specialist
Reach Technology FP, Inc

And did you add those IDs to the sysvol share permissions?
I guess you used samba-tool since I cannot find any gid/uid fields

Post by Ryan Ashley

RSAT

I added them using LAM, because yes: using RSAT i also could not.
(lam: www.ldap-account-manager.org/)
--

To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

2016-03-29 14:18:17 UTC