[Samba 4] Access to GPO failed
Son Nguyen
sonnh at saigontech.edu.vn
Mon Dec 22 08:18:58 GMT 2008
Hi all,

After testing for some days, I have some notes:

  * Testing with Samba4 running on CentOS-5.2 x86-64
  * Windows XP + Server 2003 running on some machines
  * The GPOs do not work well with all computers
      o On computers that can access and edit GPOs (using dsa.msc), the
        policy takes effect for that computer. For example: if I
        configure a GPO to *not* allow users to access the control
        panel, *no user can* access the control panel
      o On computers that cannot access and edit GPOs, the policy does
        not take effect. For example: if I configure a GPO to not allow
        users to access the control panel, users *can* access the
        control panel

Do you have any ideas about this problem?

Andrew Bartlett wrote:
> On Fri, 2008-12-12 at 14:39 +1100, Andrew Bartlett wrote:
>
>> On Fri, 2008-12-12 at 09:53 +0700, Son Nguyen wrote:
>>
>>> Son Nguyen wrote:
>>>
>>>> Volker Lendecke wrote:
>>>>
>>>>> On Wed, Dec 10, 2008 at 10:11:31AM -0500, Wes Deviers wrote:
>>>>>
>>>>>
>>>>>> I haven't said anything or really tracked down much on the behavior;
>>>>>> I've assumed lots of people are using recent SVN pulls with
>>>>>> everything working
>>>>>>
>>>>> You really mean SVN? We switched to git months ago. See
>>>>> http://us6.samba.org/samba/devel/ and
>>>>> http://wiki.samba.org/index.php/Samba4/HOWTO for info how to
>>>>> get the latest code.
>>>>>
>>>>> Volker
>>>>>
>>>>>
>>>> I've duplicated this error today with the new version from GIT.
>>>> #define SAMBA_VERSION_GIT_COMMIT_DATE "Wed Dec 10 17:03:53 2008 -0800"
>>>> #define SAMBA_VERSION_OFFICIAL_STRING "4.0.0alpha6-GIT-d7d525b"
>>>>
>>>> Does anybody have experience in working with Samba4 GPOs?
>>>> Please give me your ideas about this error.
>>>> I am also interested in deploying Samba4 with an LDAP backend
>>>> (OpenLDAP, or CentDS). I try to follow the document from the Samba
>>>> Wiki but there are some errors when I provision Samba4. Please let
>>>> me know if you have another document.
>>>>
>>>> Thanks a lot,
>>>> Son Nguyen
>>>>
>>>>
>>> Hi all,
>>> After reading the Samba log file and the network capture file, I think
>>> that this error is related to KRB5.
>>>
>>> * Log file: Kerberos: Failed building TGS-REP to 192.168.9.131
>>> * Capture file: KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (packet
>>> number 46)
>>>
>> I think this is a very reasonable conclusion. The cases where this has
>> worked are probably those where the CIFS connection is already up, so
>> re-authentication is not required.
>>
>> The challenge is: Which host should this principal (cifs/my.realm)
>> point to? Or do all the hosts share a 'realm password' (perhaps the
>> krbtgt password?) to decrypt such a ticket?
>>
>
> As a test, could you please edit the servicePrincipalNames attribute of
> your DC entry in LDB (or simply setup/provision_self_join) to include
>
> host/my.realm
>
> This should allow the client to connect and apply policies, while I
> figure out the proper way to handle this.
>
>
>> I'll ask for clarification from Microsoft (unless someone here already
>> knows)
>>
>
> I've got an issue open with Microsoft for exactly this question. Follow
> the fun on the cifs-protocol list if you like :-)
>
> Andrew Bartlett
>