[Samba] Unable to create GPO with rc3 and a few authentication problems

Andrew Bartlett abartlet at samba.org
Tue Oct 30 17:36:17 MDT 2012


On Wed, 2012-10-31 at 03:33 +0400, Dmitry Khromov wrote:
> > I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them altogether, since they look related.
> > 
> > 1. Unable to create or delete GPOs.
> > # bin/samba-tool gpo create somegpo
> > ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
> >     self.samdb.add(m)
> > 
> > I'm not sure if this is a schema or authentication problem. Could someone suggest how that should be investigated?
> 
> It looks like in the default Windows schema only members of Domain Admins can modify cn=Policies. If one allows the "Domain Controllers" group to have rw access too, the LDAP-related error disappears. However, a sysvol FS access error will be raised (due to the fact that machine accounts do not have write permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).
> So, should samba-tool really use machine account for GPO operations?

Probably not for write operations.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
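Added example (not from this thread and not Samba's own code): a small Python triage helper that answers the "schema or authentication?" question from the samba-tool error line itself, by reading the LDAP result code and the DN named in the dsdb_access check, and deriving the sysvol Policies directory whose NT ACL must also permit the writer. The result-code tables and the sysvol root passed by the caller are assumptions of this example, not values from the thread.

```python
import os
import re

# RFC 4511 result codes that matter when triaging a failed samba-tool write.
# AUTHZ codes point at a permission problem on the target DN (the case in
# this thread); SCHEMA codes point at the schema or the object being added.
AUTHZ_CODES = {50: "insufficientAccessRights", 48: "inappropriateAuthentication",
               49: "invalidCredentials"}
SCHEMA_CODES = {65: "objectClassViolation", 17: "undefinedAttributeType",
                19: "constraintViolation", 64: "namingViolation",
                21: "invalidAttributeSyntax"}

_ERR_RE = re.compile(r"LDAP error (?P<code>\d+) (?P<name>LDAP_[A-Z_]+)")
_DN_RE = re.compile(r"<dsdb_access: Access check failed on (?P<dn>[^>]+)>")

def triage_ldb_error(line):
    """Classify one 'ERROR(ldb): ...' line as authorization, schema, other or unknown."""
    m = _ERR_RE.search(line)
    if not m:
        return {"kind": "unknown", "code": None, "name": None, "dn": None}
    code = int(m.group("code"))
    dn_m = _DN_RE.search(line)
    dn = dn_m.group("dn").strip() if dn_m else None
    if code in AUTHZ_CODES:
        kind = "authorization"
    elif code in SCHEMA_CODES:
        kind = "schema"
    else:
        kind = "other"
    return {"kind": kind, "code": code, "name": m.group("name"), "dn": dn}

def realm_from_dn(dn):
    """Turn the DC= components of a DN into the DNS realm (assumes no escaped commas)."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC="))

def sysvol_policies_path(dn, sysvol_root):
    """GPO directory whose NT ACL must also allow the writer: <sysvol>/<realm>/Policies."""
    return os.path.join(sysvol_root, realm_from_dn(dn), "Policies")

# Constructed samples: the first is the line quoted in the thread, the second
# is a made-up schema failure for contrast.
SAMPLE_LINES = [
    "ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  "
    "<dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>",
    "ERROR(ldb): uncaught exception - LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION - "
    "<objectclass: missing required attribute> <>",
]
```

For an authorization result, the next things to inspect are the security descriptor on the returned DN and the NT ACL on the returned sysvol path, using whichever account samba-tool actually authenticated as.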