[Samba] Permission denied on GPT.ini (Event ID 1058)
mathias dufresne
infractory at gmail.com
Tue Mar 29 09:57:41 UTC 2016
I'm not an expert in idmap (at all in fact :p) but I thought idmap stuff
was there to replace the RFC2307 UID/GID declared in AD/LDAP objects.
In other words, if you configure idmap correctly in smb.conf I expect
you no longer need to declare UID/GID for machine accounts.
Anyway, here my machines get access to their GPO: I tested one computer's
GPO this morning, the one giving the possibility to use userPrincipalName
without @samba.domain.tld when logging into a computer. That worked, so the
GPO was applied, and my machines have no UID/GID nor does my smb.conf contain
anything about idmap:
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99
#kccsrv:samba_kcc=true
[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------
But my nsswitch.conf is configured to use winbind:
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
And that works:
For users:
id administrator
uid=0(root) gid=0(root) groupes=0(root)
For computers:
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
So idmapping seems to be enabled by default, as there are no UID/GID
declared on the DC200 computer:
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
So I still expect an issue with mapping computer accounts to a UNIX/Linux
local user.
Hoping this helps, cheers,
mathias
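As an added illustration (not part of the thread, and not Samba's own code), a small diagnostic that checks the two things discussed above: that nsswitch.conf hands passwd/group lookups to winbind, and whether an account's `id` output shows a root mapping, an idmap-allocated xid, or an explicit RFC2307 uidNumber. The 3000000 base is assumed to be the default first xid that idmap.ldb allocates on a Samba AD DC; the sample inputs are constructed after the outputs quoted in the mail.

```python
import re

# Constructed sample inputs, modelled on the thread (not real captures).
NSSWITCH = """passwd: files winbind
shadow: files winbind
group:  files winbind
"""
ID_OUTPUT = {
    "administrator": "uid=0(root) gid=0(root) groups=0(root)",
    "dc200$": ("uid=3000025(AD.DGFIP\\dc200$) gid=3000011(AD.DGFIP\\domain controllers) "
               "groups=3000011(AD.DGFIP\\domain controllers),3000025(AD.DGFIP\\dc200$)"),
    "nobody$": "id: 'nobody$': no such user",
}

IDMAP_BASE = 3000000  # assumption: first xid handed out by idmap.ldb on a Samba AD DC

def nss_uses_winbind(nsswitch_text):
    """Return the set of NSS databases whose source list includes winbind."""
    dbs = set()
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if "winbind" in sources.split():
            dbs.add(db.strip())
    return dbs

ID_RE = re.compile(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\)")

def classify_mapping(id_line):
    """Classify one `id` output line by how the uid was obtained."""
    m = ID_RE.search(id_line)
    if not m:
        return "unresolved"          # winbind/NSS could not resolve the account
    uid = int(m.group(1))
    if uid == 0:
        return "root"                # e.g. Administrator mapped to uid 0
    if uid >= IDMAP_BASE:
        return "idmap-allocated"     # dynamic xid, no rfc2307 attribute needed
    return "rfc2307"                 # explicit uidNumber from AD, or a local account

def gpo_access_report(nsswitch_text, id_outputs):
    """Summarise whether the NSS/idmap prerequisites for reading sysvol look sane."""
    dbs = nss_uses_winbind(nsswitch_text)
    report = {"winbind_ok": {"passwd", "group"} <= dbs}
    for name, out in id_outputs.items():
        report[name] = classify_mapping(out)
    return report

if __name__ == "__main__":
    print(gpo_access_report(NSSWITCH, ID_OUTPUT))
```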
2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
> I add UNIX attributes (gid/uid) using RSAT. You need to select an
> additional option when installing the tools. I believe it is "something
> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
> set the uid/gid as well as group memberships for UNIX systems. I have
> done this on my networks, but I may have forgotten it on this one. I
> will check. I still have the issue, it is not a "node type" issue.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 03/23/2016 12:01 PM, mj wrote:
> >
> >
> > On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
> >> And did you add those IDs to the sysvol share permissions?
> >> I guess you used samba-tool since I cannot find any gid/uid fields in
> >> RSAT
> >
> > I added them using LAM, because yes: using RSAT I also could not.
> >
> > (lam: www.ldap-account-manager.org/)
> >
>