Group Policy failures related to machine password replication
Arthur Ramsey
2014-09-12 17:36:03 UTC
We are using Samba-4.1.11.

I can run gpupdate /force without error on my machine.

H:\>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

H:\>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

H:\>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

H:\>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

On several other machines in the same OU the computer GPOs fail.

C:\Windows\system32>gpupdate /force
Updating Policy...

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Event details indicate the file is accessed from DC02 as I expected due
to AD Sites configuration. If I reset the machine account using netdom
against DC02 then I can access the file on DC02, but not the other
domain controllers.

C:\Windows\system32>netdom resetpwd /server:dc01.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]

C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>netdom resetpwd /server:dc02.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]

C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>netdom resetpwd /server:dc03.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]

C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>netdom resetpwd /server:dc04.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]

C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini

I use rsync to sync the sysvol folder across domain controllers. I've
also reset the access lists on all controllers using samba-tool ntacl
sysvolreset.

I don't observe any DRS errors or errors in the samba log.

samba-tool drs showrepl
Default\DC01
DSA Options: 0x00000001
DSA object GUID: da9bb168-47a0-4368-aff3-bf06d1b869d2
DSA invocationId: 58439028-5404-4b55-b267-671e626644b9

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:42 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:42 2014 CDT

DC=DomainDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:42 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:42 2014 CDT

DC=DomainDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:43 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:43 2014 CDT

DC=ForestDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:43 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:43 2014 CDT

DC=ForestDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:44 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:44 2014 CDT

DC=ForestDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:44 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:44 2014 CDT

DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:46 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:46 2014 CDT

DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:46 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:46 2014 CDT

DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:47 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:47 2014 CDT

CN=Schema,CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:47 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:47 2014 CDT

CN=Schema,CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:47 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:47 2014 CDT

CN=Schema,CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:48 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:48 2014 CDT

CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ Fri Sep 12 11:53:48 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:48 2014 CDT

CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ Fri Sep 12 11:53:48 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:48 2014 CDT

CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ Fri Sep 12 11:53:49 2014 CDT was successful
0 consecutive failure(s).
Last success @ Fri Sep 12 11:53:49 2014 CDT

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=ForestDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=ForestDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=ForestDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 6eba921b-0b6c-4cdb-8094-d4a15728d7bd
Enabled : TRUE
Server DNS name : DC02.mediture.dom
Server DN name : CN=NTDS Settings,CN=DC02,CN=Servers,CN=EP,CN=Sites,CN=Configuration,DC=mediture,DC=dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 9b7312d1-a46a-435f-b867-0ca8128da202
Enabled : TRUE
Server DNS name : DC03.mediture.dom
Server DN name : CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default,CN=Sites,CN=Configuration,DC=mediture,DC=dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: d84eed77-ab18-40ce-9023-60586596fb51
Enabled : TRUE
Server DNS name : DC04.mediture.dom
Server DN name : CN=NTDS Settings,CN=DC04,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=mediture,DC=dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!

I also have a possibly related issue deleting LDAP objects. I can't
delete an object I just created and the ACL seems correct for the LDAP
object.

ldbdel -H ldap://localhost --realm=mediture.dom -UAdministrator OU=test,OU=Mediture_Workstations,OU=Mediture,DC=mediture,DC=dom
Password for [MEDITURE\Administrator]:
delete of 'OU=test,OU=Mediture_Workstations,OU=Mediture,DC=mediture,DC=dom' failed - (insufficient access rights) LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <>

I am totally stumped. Any help would be greatly appreciated!
--
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at privacyofficer at mediture.com.
Arthur Ramsey
2014-09-12 19:05:08 UTC
It appears I didn't troubleshoot correctly.

The failed access attempts with the type command were attempts to login
with guest. Once I reset the machine account it tries to login with my
account just for the domain controller used with netdom, which
succeeds. I captured debugging on DC02 while I ran gpupdate /force.

[2014/09/12 13:50:39.999633, 2] ../source3/smbd/service.c:856(make_connection_snum)
192.168.222.194 (ipv4:192.168.222.194:50493) connect to service sysvol initially as user MEDITURE\M3074$ (uid=3000054, gid=3000013) (pid 18300)
[2014/09/12 13:50:40.001854, 3] ../source3/smbd/service.c:197(set_current_service)
chdir (/usr/local/samba/var/locks/sysvol) failed, reason: Permission denied

I still don't know why these machine accounts are denied.

getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/mediture.dom/Policies/{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}/GPT.INI
# owner: 3000000
# group: MEDITURE\134Domain\040Admins
user::rwx
user:3000009:r-x
user:3000040:rwx
user:3000070:rwx
user:3000071:r-x
group::rwx
group:MEDITURE\134Domain\040Admins:rwx
group:3000009:r-x
group:MEDITURE\134Enterprise\040Admins:rwx
group:3000070:rwx
group:3000071:r-x
mask::rwx
other::---
Arthur Ramsey
2014-09-12 19:13:20 UTC
Here is a comparison to a working account. The group membership is the
same. It seems like it must be an authentication failure for
MEDITURE\M3074$? These machines don't experience any trust relationship
errors when users log in though.

[2014/09/12 14:10:39.701192, 3] ../source3/smbd/service.c:856(make_connection_snum)
192.168.222.145 (ipv4:192.168.222.145:53319) connect to service IPC$ initially as user MEDITURE\M3101$ (uid=3000035, gid=3000013) (pid 19437)
[...]
C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>netdom resetpwd /server:dc03.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]
C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object
C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>netdom resetpwd /server:dc04.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]
C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.
C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
I use rsync to sync the sysvol folder across domain controllers.
I've also reset the access lists on all controllers using samba-tool
ntacl sysvolreset.
I don't observe any DRS errors or errors in the samba log.
samba-tool drs showrepl
Default\DC01
DSA Options: 0x00000001
DSA object GUID: da9bb168-47a0-4368-aff3-bf06d1b869d2
DSA invocationId: 58439028-5404-4b55-b267-671e626644b9
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
DC=DomainDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
DC=DomainDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
DC=ForestDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
DC=ForestDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
DC=ForestDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
CN=Schema,CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
CN=Schema,CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
CN=Schema,CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
DC=DomainDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
DC=DomainDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
DC=ForestDnsZones,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
DC=ForestDnsZones,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
DC=ForestDnsZones,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
CN=Schema,CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
CN=Schema,CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
CN=Schema,CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
CN=Configuration,DC=mediture,DC=dom
EP\DC02 via RPC
DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
0 consecutive failure(s).
CN=Configuration,DC=mediture,DC=dom
Default\DC03 via RPC
DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
0 consecutive failure(s).
CN=Configuration,DC=mediture,DC=dom
AWS\DC04 via RPC
DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
0 consecutive failure(s).
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 6eba921b-0b6c-4cdb-8094-d4a15728d7bd
Enabled : TRUE
Server DNS name : DC02.mediture.dom
Server DN name : CN=NTDS Settings,CN=DC02,CN=Servers,CN=EP,CN=Sites,CN=Configuration,DC=mediture,DC=dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 9b7312d1-a46a-435f-b867-0ca8128da202
Enabled : TRUE
Server DNS name : DC03.mediture.dom
Server DN name : CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default,CN=Sites,CN=Configuration,DC=mediture,DC=dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: d84eed77-ab18-40ce-9023-60586596fb51
Enabled : TRUE
Server DNS name : DC04.mediture.dom
Server DN name : CN=NTDS Settings,CN=DC04,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=mediture,DC=dom
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
I also have a possibly related issue deleting LDAP objects. I can't
delete an object I just created and the ACL seems correct for the
LDAP object.
ldbdel -Hldap://localhost --realm=mediture.dom -UAdministrator OU=test,OU=Mediture_Workstations,OU=Mediture,DC=mediture,DC=dom
delete of 'OU=test,OU=Mediture_Workstations,OU=Mediture,DC=mediture,DC=dom' failed - (insufficient access rights) LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <>
I am totally stumped. Any help would be greatly appreciated!
--
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at privacyofficer at mediture.com.
Arthur Ramsey
2014-09-16 18:48:32 UTC
Permalink
I noticed on my last example it was accessing a different share, but the
output seems the same as M3074$ except the chdir line is omitted.
Anyone have ideas how to troubleshoot this? I can understand why these
computer accounts can't access the computer GPOs. I don't see any
indication of authentication failure, so access should be granted by the
ACL for AUTHENTICATED USERS.
Post by Arthur Ramsey
Here is a comparison to a working account. The group membership is the
same. It seems like it must be an authentication failure for
MEDITURE\M3074$? These machines don't experience any trust
relationship errors when users log in though.
[2014/09/12 14:10:39.701192, 3] ../source3/smbd/service.c:856(make_connection_snum)
192.168.222.145 (ipv4:192.168.222.145:53319) connect to service IPC$ initially as user MEDITURE\M3101$ (uid=3000035, gid=3000013) (pid 19437)
--
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at privacyofficer at mediture.com.
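As an added example (not code from the thread or from Samba), the following Python walks the POSIX.1e access-check order over the getfacl listing quoted in the thread, for the uid/gid that smbd logged for MEDITURE\M3074$, and reports which ACL entry decides the request and which qualifiers are bare numbers, which getfacl prints when the host cannot map that id to a name. The sample inputs are copied from the thread; any group names the requester belongs to are an assumption supplied by the caller.

```python
import re

# Sample inputs copied from the thread (constructed as string literals here).
ACL_TEXT = """\
# file: usr/local/samba/var/locks/sysvol/mediture.dom/Policies/{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}/GPT.INI
# owner: 3000000
# group: MEDITURE\\134Domain\\040Admins
user::rwx
user:3000009:r-x
user:3000040:rwx
user:3000070:rwx
user:3000071:r-x
group::rwx
group:MEDITURE\\134Domain\\040Admins:rwx
group:3000009:r-x
group:MEDITURE\\134Enterprise\\040Admins:rwx
group:3000070:rwx
group:3000071:r-x
mask::rwx
other::---
"""
SMBD_LOG_LINE = ("192.168.222.194 (ipv4:192.168.222.194:50493) connect to service sysvol "
                 "initially as user MEDITURE\\M3074$ (uid=3000054, gid=3000013) (pid 18300)")
PRINCIPAL_RE = re.compile(r"as user (\S+) \(uid=(\d+), gid=(\d+)\)")


def parse_smbd_principal(line):
    """Return (account, uid, gid) from an smbd make_connection_snum log line."""
    m = PRINCIPAL_RE.search(line)
    if m is None:
        raise ValueError("no 'as user ... (uid=N, gid=N)' in line")
    return m.group(1), int(m.group(2)), int(m.group(3))


def _unescape(s):
    # getfacl writes backslash as \134 and space as \040 (octal escapes).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def _fmt(bits):
    return "".join(c if c in bits else "-" for c in "rwx")


def parse_getfacl(text):
    """Parse one getfacl listing into owner, owning group and ACL entries."""
    acl = {"owner": None, "group": None, "user_obj": set(), "group_obj": set(),
           "user": {}, "group_named": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):                      # "# owner: ..." / "# group: ..."
            key, _, val = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                acl[key.strip()] = _unescape(val.strip())
            continue
        line = line.split("#", 1)[0].strip()          # drop "#effective:" comments
        if not line or line.startswith("default:"):   # default ACLs are not access ACLs
            continue
        tag, qualifier, perms = line.split(":", 2)
        bits = {c for c in perms if c in "rwx"}
        if qualifier:                                 # named user / named group entry
            acl["user" if tag == "user" else "group_named"][_unescape(qualifier)] = bits
        else:                                         # user::, group::, mask::, other::
            acl[{"user": "user_obj", "group": "group_obj"}.get(tag, tag)] = bits
    return acl


def posix_acl_access(acl, uid, gids, want, group_names=()):
    """POSIX.1e order: owner, named user, owning/named groups, other.
    gids are numeric; group_names are names the requester is known to belong to
    (needed where getfacl printed a name rather than an id). Returns (granted, reason)."""
    want, uid = set(want), str(uid)
    groups = {str(g) for g in gids} | set(group_names)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if uid == acl["owner"]:                           # owner entry is never masked
        return want <= acl["user_obj"], "owner entry user::" + _fmt(acl["user_obj"])
    if uid in acl["user"]:
        eff = acl["user"][uid] & mask
        return want <= eff, "named entry user:%s effective %s" % (uid, _fmt(eff))
    hits = []
    if acl["group"] in groups:
        hits.append(("group::", acl["group_obj"] & mask))
    hits += [("group:" + n, b & mask) for n, b in acl["group_named"].items() if n in groups]
    for label, eff in hits:                           # any matching group entry may grant
        if want <= eff:
            return True, "%s effective %s" % (label, _fmt(eff))
    if hits:
        return False, "matching group entries exist but none grants " + "".join(sorted(want))
    return want <= acl["other"], "no user/group entry matches; other::" + _fmt(acl["other"])


def unresolved_ids(acl):
    """Qualifiers that are bare numbers: ids getfacl could not map to a name on this host."""
    ids = {acl["owner"]} | set(acl["user"]) | set(acl["group_named"])
    return sorted((i for i in ids if i and i.isdigit()), key=int)


def explain(log_line, acl_text, want="r", group_names=()):
    account, uid, gid = parse_smbd_principal(log_line)
    acl = parse_getfacl(acl_text)
    granted, reason = posix_acl_access(acl, uid, [gid], want, group_names)
    return {"account": account, "uid": uid, "gid": gid, "want": want, "granted": granted,
            "reason": reason, "unresolved_ids": unresolved_ids(acl)}


if __name__ == "__main__":
    r = explain(SMBD_LOG_LINE, ACL_TEXT)
    print("%s uid=%d gid=%d wants %r: %s (%s); unresolved ids: %s" % (
        r["account"], r["uid"], r["gid"], r["want"], "GRANTED" if r["granted"] else "DENIED",
        r["reason"], ", ".join(r["unresolved_ids"])))
```

For the chdir failure in the log, run the same check against the getfacl output of the share root directory with want="x", since chdir needs search permission on the directory rather than read on GPT.INI.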
Arthur Ramsey
2014-09-16 18:53:44 UTC
Permalink
I noticed on my last example it was accessing a different share, but the
output seems the same as M3074$ except the chdir line is omitted.
Anyone have ideas how to troubleshoot this? I *can't* understand why
these computer accounts can't access the computer GPOs. I don't see any
indication of authentication failure, so access should be granted by the
ACL for AUTHENTICATED USERS.
Post by Arthur Ramsey
Here is a compassion to working account. The group membership is the
same. It seems like it must be an authentication failure for
MEDITURE\M3074$? These machines don't experience any trust
relationship errors when users login though.
[2014/09/12 14:10:39.701192, 3] ../source3/smbd/service.c:856(make_connection_snum)
192.168.222.145 (ipv4:192.168.222.145:53319) connect to service IPC$ initially as user MEDITURE\M3101$ (uid=3000035, gid=3000013) (pid 19437)
Post by Arthur Ramsey
It appears I didn't troubleshoot correctly.
The failed access attempts with the type command were attempts to
login with guest. Once I reset the machine account it tries to login
with my account just for the domain controller used with netdom,
which succeeds. I captured debugging on DC02 while I ran gpupdate
/force.
[2014/09/12 13:50:39.999633, 2] ../source3/smbd/service.c:856(make_connection_snum)
192.168.222.194 (ipv4:192.168.222.194:50493) connect to service sysvol initially as user MEDITURE\M3074$ (uid=3000054, gid=3000013) (pid 18300)
[2014/09/12 13:50:40.001854, 3] ../source3/smbd/service.c:197(set_current_service)
chdir (/usr/local/samba/var/locks/sysvol) failed, reason: Permission denied
I still don't know why these machine accounts are denied.
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/mediture.dom/Policies/{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}/GPT.INI
# owner: 3000000
# group: MEDITURE\134Domain\040Admins
user::rwx
user:3000009:r-x
user:3000040:rwx
user:3000070:rwx
user:3000071:r-x
group::rwx
group:MEDITURE\134Domain\040Admins:rwx
group:3000009:r-x
group:MEDITURE\134Enterprise\040Admins:rwx
group:3000070:rwx
group:3000071:r-x
mask::rwx
other::---
--
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at privacyofficer at mediture.com.
Arthur Ramsey
2014-10-01 22:27:02 UTC
So wonderfully simple after returning from vacation.

chmod -R 755 /usr/local/samba/var/locks
samba-tool ntacl sysvolreset
--
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at privacyofficer at mediture.com.
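As an added example that is not part of the thread: the smbd log line "chdir (/usr/local/samba/var/locks/sysvol) failed, reason: Permission denied" and the chmod -R 755 fix both point at a directory above sysvol that the machine account could not traverse, so the check below walks the directory chain above a sysvol file and reports any ancestor missing the traverse bit. It assumes absolute paths and the usual ls -ld mode column layout.

```shell
#!/bin/sh
# Added example, not code from the thread. smbd changes into the share root
# as the connecting account (the machine account in the thread), so a single
# ancestor directory without the "other execute" (traverse) bit produces
# "chdir (/usr/local/samba/var/locks/sysvol) failed, reason: Permission denied"
# even though getfacl on GPT.INI itself looks correct.
#
# Assumptions: paths are absolute, and "ls -ld" prints the mode in columns
# 1-10 (column 10 is the other-execute flag), as GNU and BSD ls both do.

# Print every ancestor directory of the file $1, from its parent up to but
# not including $2 (default "/"), that lacks the other-execute bit.
# Returns 0 when every ancestor is traversable, 1 otherwise.
# Usage: find_untraversable /usr/local/samba/var/locks/sysvol/mediture.dom/Policies/{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}/GPT.INI
find_untraversable() {
    _dir=$(dirname "$1")
    _stop=${2:-/}
    _bad=0
    while [ "$_dir" != "$_stop" ] && [ "$_dir" != "/" ] && [ "$_dir" != "." ]; do
        # "x" or "t" in column 10 means others may traverse; "-" or "T"
        # (sticky bit without execute) means they may not.
        _mode=$(ls -ld "$_dir" | cut -c1-10)
        case $_mode in
            d????????[xt]) ;;
            *) printf '%s\n' "$_dir"; _bad=1 ;;
        esac
        _dir=$(dirname "$_dir")
    done
    return $_bad
}

# Grant only the missing traverse bit on the directories reported above.
# This is narrower than the "chmod -R 755" used in the thread: it touches no
# files and no directory that was already fine, so the POSIX ACLs that
# "samba-tool ntacl sysvolreset" installs under sysvol are left untouched.
grant_traverse() {
    find_untraversable "$1" "${2:-/}" | while IFS= read -r _d; do
        chmod o+x "$_d"
    done
}
```

A recursive chmod 755 also rewrites the mode bits, and with them the ACL mask, of every file under the tree, so if you use it as the thread does, re-run samba-tool ntacl sysvolreset afterwards as the thread also does.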