[Samba] Unable to create GPO with rc3 and a few authentication problems

Dmitry Khromov icechrome at gmail.com
Mon Oct 29 17:08:34 MDT 2012


I have encountered a few problems with two Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I am posting them all together, since they look related.

1. Unable to create or delete GPOs.
# bin/samba-tool gpo create somegpo
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run

I'm not sure whether this is a schema or an authentication problem. Could someone suggest how this should be investigated?

2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry for duplicating, but this is updated).
It looks like this at debug level = 5:
[2012/10/30 02:23:38,  1] ../source4/dns_server/dns_server.c:150(dns_process_send)
  Failed to verify TSIG!
The hosts are Windows XP, Windows 7 and Samba 3 on Linux. Some update successfully, some succeed some time (say, 5 hours) later, and some may still fail. This is weird.
I should mention that we had a problem with the Windows 2k3 demotion: during the process it rewrote the SOA on the (at that moment, only) Samba DC and put its own hostname in the SOA's "primary NS" field. We had to fix that manually by replacing the SOA record in the corresponding LDB.
Maybe we have just missed something? Any ideas on what's wrong?

3. Some hosts may suddenly reject valid tickets for RPC calls.
Somewhat like the previous one. For example, on some non-DC host I do:
$ kinit
$ #Got a ticket for some admin user, btw MIT is used here
$ net rpc shutdown -S somehost -f -k # Samba 3's "net" command
It may succeed for some hosts, but fail with NT_LOGON_FAILURE a few hours later, before the ticket expires (and the DCs still accept this ticket for e.g. samba-tool drs showrepl). Or it may later succeed for a host it was failing for. Renewing the ticket doesn't change anything.
So, this is strange to me, too. I have tried resetting some machine accounts and rejoining some hosts. No luck.

4. Unrelated to the previous ones. Well, I'm sorry, I haven't read the source to see if this is supposed to happen. But I'd better mention it before I forget, just in case.
Try to rename some host using the Windows GUI (My Computer -> Properties) and check whether CN, sAMAccountName and the member attribute of the corresponding groups are changed correctly. In my experience, only sAMAccountName is changed.
Once again, sorry if this is OK.

Thanks in advance.

Best regards,
Dmitry Khromov
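Added example (not part of the original post or of Samba itself): a small parser for the Samba debug-log header format shown under item 2, so that "Failed to verify TSIG!" events can be counted over time and correlated with the hosts' update attempts instead of being eyeballed in a level-5 log. Only the first two log lines come from the post; the remaining lines, their timestamps and the second source file name are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Samba debug header: "[YYYY/MM/DD HH:MM:SS,  level] file:line(function)"
# followed by one or more indented message lines.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>[^)]*)\)\s*$"
)

# Constructed sample: first record copied from the post, the rest invented.
SAMPLE_LOG = """\
[2012/10/30 02:23:38,  1] ../source4/dns_server/dns_server.c:150(dns_process_send)
  Failed to verify TSIG!
[2012/10/30 02:24:01,  1] ../source4/dns_server/dns_server.c:150(dns_process_send)
  Failed to verify TSIG!
[2012/10/30 02:25:10,  5] ../source4/dns_server/dns_update.c:200(example_update_handler)
  Got a dns update request (constructed line).
[2012/10/30 03:10:45,  1] ../source4/dns_server/dns_server.c:150(dns_process_send)
  Failed to verify TSIG!
"""


def parse_samba_log(text):
    """Split a Samba debug log into records: one header plus its message lines."""
    records = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if current is not None:
                records.append(current)
            current = {
                "time": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group("level")),
                "file": m.group("file"),
                "line": int(m.group("line")),
                "func": m.group("func"),
                "message": "",
            }
        elif current is not None and raw.strip():
            # Continuation line: append to the current record's message.
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    if current is not None:
        records.append(current)
    return records


def tsig_failures_by_hour(records):
    """Count TSIG verification failures per hour, keyed 'YYYY-MM-DD HH:00'."""
    counts = Counter()
    for r in records:
        if "Failed to verify TSIG" in r["message"]:
            counts[r["time"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)


if __name__ == "__main__":
    for hour, n in sorted(tsig_failures_by_hour(parse_samba_log(SAMPLE_LOG)).items()):
        print(f"{hour}: {n} TSIG failure(s)")
```

Feeding the real log into `parse_samba_log` and bucketing by hour makes the "some succeed five hours later" pattern visible as a time series, which is easier to line up with DHCP lease renewals, clock drift or replication events than the raw log.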
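Added example (not from the post and not Samba's own code) for the check described under item 4: after renaming a host, verify that cn, sAMAccountName, the object's RDN, dNSHostName and the member attribute of its groups all reflect the new name. The directory entries below are constructed dicts standing in for what ldbsearch or samba-tool would return; attribute names follow AD, the DNs and host names are invented.

```python
def rdn_value(dn):
    """Return the value of the first RDN: 'CN=PC1,CN=Computers,DC=x' -> 'PC1'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def check_renamed_computer(computer, groups, old_name, new_name):
    """Return a list of discrepancies; an empty list means the rename propagated."""
    old, new = old_name.upper(), new_name.upper()
    problems = []
    if computer["cn"].upper() != new:
        problems.append(f"cn is {computer['cn']}, expected {new}")
    if computer["sAMAccountName"].upper() != new + "$":
        problems.append(f"sAMAccountName is {computer['sAMAccountName']}, expected {new}$")
    if rdn_value(computer["dn"]).upper() != new:
        problems.append(f"DN RDN is CN={rdn_value(computer['dn'])}, expected CN={new}")
    host = computer.get("dNSHostName", "")
    if host.split(".", 1)[0].upper() != new:
        problems.append(f"dNSHostName is {host or '<missing>'}, expected {new.lower()}.<domain>")
    for group in groups:
        # member holds DNs; a renamed object must appear under its new RDN only.
        names = {rdn_value(m).upper() for m in group["member"]}
        gname = rdn_value(group["dn"])
        if new not in names:
            problems.append(f"group {gname} has no member CN={new}")
        if old in names:
            problems.append(f"group {gname} still lists CN={old}")
    return problems


# Constructed entries mirroring the symptom in the post: only sAMAccountName changed.
PARTIAL_RENAME = {
    "dn": "CN=OLDPC,CN=Computers,DC=example,DC=com",
    "cn": "OLDPC",
    "sAMAccountName": "NEWPC$",
    "dNSHostName": "oldpc.example.com",
}
GROUPS_AFTER_PARTIAL = [
    {"dn": "CN=Workstations,CN=Users,DC=example,DC=com",
     "member": ["CN=OLDPC,CN=Computers,DC=example,DC=com"]},
]

# Constructed entries for a rename that propagated everywhere.
FULL_RENAME = {
    "dn": "CN=NEWPC,CN=Computers,DC=example,DC=com",
    "cn": "NEWPC",
    "sAMAccountName": "NEWPC$",
    "dNSHostName": "newpc.example.com",
}
GROUPS_AFTER_FULL = [
    {"dn": "CN=Workstations,CN=Users,DC=example,DC=com",
     "member": ["CN=NEWPC,CN=Computers,DC=example,DC=com"]},
]


if __name__ == "__main__":
    for label, comp, grps in (("partial", PARTIAL_RENAME, GROUPS_AFTER_PARTIAL),
                              ("full", FULL_RENAME, GROUPS_AFTER_FULL)):
        print(label, check_renamed_computer(comp, grps, "OLDPC", "NEWPC") or "OK")
```

Run against live data, the inputs would come from an LDAP search for the computer object (by sAMAccountName) plus the groups listed in its memberOf; a non-empty result means Kerberos principals and DNS names derived from the old name may still be in use, which is worth knowing before chasing ticket rejections like those in item 3.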
