[Samba] Unable to create GPO with rc3 and a few authentication problems

felix at epepm.cupet.cu
Tue Oct 30 07:14:03 MDT 2012


> Hello.
>
> I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain
> migrated from Windows 2003 R2. I post them all together, since they look
> related.
>
> 1. Unable to create or delete GPOs.
> # bin/samba-tool gpo create somegpo
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on
> CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py",
> line 952, in run
>     self.samdb.add(m)
>
> I'm not sure if this is a schema or authentication problem. Could someone
> suggest how that should be investigated?
>
> 2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry
> for duplicating, but this is updated).
> It looks like this on debug level = 5:
> [2012/10/30 02:23:38,  1]
> ../source4/dns_server/dns_server.c:150(dns_process_send)
>   Failed to verify TSIG!
> Hosts are Windows XP, Windows 7, Samba 3 on Linux. Some do update
> successfully, some can succeed some time (say, 5 hours) later, or may still
> fail. This is weird.
> I should mention that we had some problem with Windows 2k3 demotion -
> during the process it had rewritten the SOA on the (only at that moment)
> Samba DC and put its own hostname in the SOA's "primary NS" field. We had to
> fix that manually by replacing the SOA record in the corresponding LDB.
> Maybe we had just missed something? Any ideas on what's wrong?
>
> 3. Some hosts may suddenly reject valid tickets for RPC calls.
> Somewhat like the previous one. For example, on some non-DC host I do:
> $ kinit
> $ #Got a ticket for some admin user, btw MIT is used here
> $ net rpc shutdown -S somehost -f -k # Samba 3's "net" command
> It may succeed for some hosts, but fail with NT_LOGON_FAILURE a few hours
> later, before the ticket expires (and DCs still accept this ticket for
> e.g. samba-tool drs showrepl). Or it may later succeed for a host it was
> failing for. Renewing the ticket doesn't change anything.
> So, something strange for me, too. I had tried to reset some machine
> accounts and to rejoin some hosts. No luck.
>
> 4. Unrelated to the previous ones. Well, I'm sorry, I hadn't read the
> source to see if this is supposed to happen. But I'd better say that
> before I forget, just in case.
> Try to rename some host using Windows GUI (My Computer -> Properties) and
> check if CN, sAMAccountName and member for corresponding groups are
> changed correctly. In my experience, only sAMAccountName is changed.
> Once again, sorry if this is OK.
>
>

Something similar happens to me. But I noticed that I can create a new GPO
only with the first user the system had: administrator. None of the new
admin users I created worked, only administrator.

Best regards,
Felix.
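The check Felix's observation calls for, as an added example that is not from this thread or from the Samba project: compare what "administrator" has that the newly created admin users lack. The script lists, for a given user, membership in the groups that the stock AD security descriptor lets create GPOs (Domain Admins, Enterprise Admins, Group Policy Creator Owners; that default is an assumption here, not stated in the thread), then dumps the ACEs on CN=Policies,CN=System that grant create-child (CC) or generic-all (GA). It assumes the `samba-tool group listmembers` and `samba-tool dsacl get --objectdn=` subcommands of Samba 4.0 and that `dsacl get` prints the descriptor as an SDDL string starting with `O:`; the SDDL used in the test is constructed, not captured from a real DC. The base DN and user name are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# Usage on a Samba 4 DC:  sh gpo_rights.sh <sAMAccountName> "DC=klin,DC=kifato-mk,DC=com"

# Groups that the default AD security descriptor allows to create GPOs.
# (Assumption: stock Windows defaults; a migrated domain may differ.)
GPO_GROUPS="Domain Admins
Enterprise Admins
Group Policy Creator Owners"

# member_of USER MEMBER_LIST  -> exit 0 if USER is one of the lines in MEMBER_LIST
member_of() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# sddl_create_aces SDDL -> prints every ACE whose access-rights field (the third
# ';'-separated field) contains CC (create child) or GA (generic all).
sddl_create_aces() {
    # Each ACE is "(type;flags;rights;object;inherit;sid)"; split them out,
    # drop the O:/G:/D: prefix (it contains no ';'), then filter on field 3.
    printf '%s\n' "$1" | tr '()' '\n\n' | grep ';' | awk -F';' '$3 ~ /CC|GA/'
}

# check_gpo_rights USER BASE_DN -> membership report plus relevant ACEs.
check_gpo_rights() {
    user=$1
    base_dn=$2
    printf '%s\n' "$GPO_GROUPS" | while read -r g; do
        # Assumption: samba-tool prints one sAMAccountName per line here.
        members=$(samba-tool group listmembers "$g" 2>/dev/null)
        if member_of "$user" "$members"; then
            echo "$user IS a member of '$g'"
        else
            echo "$user is NOT a member of '$g'"
        fi
    done
    # Assumption: the descriptor is printed as one SDDL string starting with O:
    sddl=$(samba-tool dsacl get --objectdn="CN=Policies,CN=System,$base_dn" | grep -o 'O:.*')
    echo "ACEs on CN=Policies,CN=System granting CC or GA:"
    sddl_create_aces "$sddl"
}

# Only run against the DC when invoked with both arguments and samba-tool exists.
if [ $# -eq 2 ] && command -v samba-tool >/dev/null 2>&1; then
    check_gpo_rights "$1" "$2"
fi
```

If the new admin shows up in none of the three groups, or CN=Policies carries no ACE for a group it belongs to, the LDAP error 50 in the original report is an ACL problem rather than a schema problem; if both look right, the next thing to compare is the token the DC actually builds for that user when it authenticates.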


