[Samba] Permission denied on GPT.ini (Event ID 1058)

Jonathan Hunter jmhunter1 at gmail.com
Thu Apr 14 16:03:57 UTC 2016


I hate 'me too' replies - but I have also been struggling with this for
some years in my multi-DC environment. (yes, replicated sysvol via lsyncd +
rsync; permissions looked identical via getfacl last time I checked).
Sometimes a client machine will run gpupdate just fine; other times it will
fail, seemingly randomly.

My next step was going to be to run wireshark on a client machine to see if
the problem follows a particular DC or pattern - as someone has already
said elsewhere in this thread, the LOGONSERVER isn't necessarily the DC
that GPOs are fetched from.

I don't have UIDs/GIDs for my machine accounts but maybe I should try to
add them... Unfortunately every time I sit down to troubleshoot this, the
client machine runs gpupdate with no errors at all; and of course every
time I make a GPO update that needs to be pushed out, it chooses that time
to not work... :)

I will try and do some wireshark work and let you know what I find. It's
definitely "not just you", though - and I'm glad it's not just me, as well!
:-)

On 14 April 2016 at 15:42, Ryan Ashley <ryana at reachtechfp.com> wrote:

> Sorry for my delayed response, my job has had me out of state for a
> while. I wanted to add that I am not getting the Kerberos error in my
> event logs. It just flat out claims that it cannot read gpt.ini for some
> reason. This happens randomly, whether dc01 or dc02 is the logon server,
> and the strange part is that most PCs can work fine, but one or two
> randomly won't.
>
> In other words, if pc1 and pc3 are using dc01, and pc2 is using dc02,
> pc1 and pc2 work fine, but pc3 says it can't read the gpt.ini on dc01.
> This may persist for weeks, then it suddenly works.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 03/30/2016 06:01 AM, L.P.H. van Belle wrote:
> >
> > I found this one.
> > Check which one works for you.
> >
> >
> http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm
> >
> > I'm sure this is not a Samba configuration problem.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> >> Sent: Tuesday 29 March 2016 16:18
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>
> >> I don't read any French but translators work OK. ;-) Phew..
> >>
> >> OK, any firewalling on the DCs? If so, open TCP and UDP port 88.
> >> Or try for a short while without firewalls on the DCs.
> >>
> >> Another option to try is to reduce the MaxPacketSize in Windows.
> >>
> >> Looks like a too-big packet which is rejected.
> >>
> >> Oh, and the above is also needed for DNS port 53.
> >> Open TCP and UDP.
> >>
> >> If the UDP packets are too big, TCP is tried.
> >>
> >>
> >> And let us know the result.
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >>
> >>> -----Original message-----
> >>> From: Sébastien Le Ray [mailto:sebastien at orniz.org]
> >>> Sent: Tuesday 29 March 2016 16:10
> >>> To: L.P.H. van Belle; samba at lists.samba.org
> >>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>>
> >>> Hi
> >>>
> >>> French Windows version
> >>>
> >>> LSA Error
> >>>
> >>> Log Name:      System
> >>> Source:        LsaSrv
> >>> Date:          29/03/2016 15:49:56
> >>> Event ID:      40960
> >>> Task Category: None
> >>> Level:         Warning
> >>> Keywords:
> >>> User:          System
> >>> Computer:      computer.domain
> >>> Description:
> >>> The Security System detected an authentication error for the server
> >>> cifs/domain. The failure code from the Kerberos authentication protocol
> >>> was "The maximum number of referral tickets has been exceeded.
> >>>   (0xc00002f4)".
> >>> Event XML:
> >>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >>>    <System>
> >>>      <Provider Name="LsaSrv"
> >>> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >>>      <EventID>40960</EventID>
> >>>      <Version>0</Version>
> >>>      <Level>3</Level>
> >>>      <Task>0</Task>
> >>>      <Opcode>0</Opcode>
> >>>      <Keywords>0x8000000000000000</Keywords>
> >>>      <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >>>      <EventRecordID>8737</EventRecordID>
> >>>      <Correlation />
> >>>      <Execution ProcessID="840" ThreadID="900" />
> >>>      <Channel>System</Channel>
> >>>      <Computer>computer.domain</Computer>
> >>>      <Security UserID="S-1-5-18" />
> >>>    </System>
> >>>    <EventData>
> >>>      <Data Name="Target">cifs/computer.domain</Data>
> >>>      <Data Name="Protocol">Kerberos</Data>
> >>>      <Data Name="Error">"The maximum number of referral tickets has
> >>> been exceeded.
> >>>   (0xc00002f4)"</Data>
> >>>    </EventData>
> >>> </Event>
> >>>
> >>>
> >>> GPT.ini error
> >>>
> >>> Log Name:      System
> >>> Source:        LsaSrv
> >>> Date:          29/03/2016 15:49:56
> >>> Event ID:      40960
> >>> Task Category: None
> >>> Level:         Warning
> >>> Keywords:
> >>> User:          System
> >>> Computer:      computer.domain
> >>> Description:
> >>> The Security System detected an authentication error for the server
> >>> cifs/domain. The failure code from the Kerberos authentication protocol
> >>> was "The maximum number of referral tickets has been exceeded.
> >>>   (0xc00002f4)".
> >>> Event XML:
> >>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >>>    <System>
> >>>      <Provider Name="LsaSrv"
> >>> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >>>      <EventID>40960</EventID>
> >>>      <Version>0</Version>
> >>>      <Level>3</Level>
> >>>      <Task>0</Task>
> >>>      <Opcode>0</Opcode>
> >>>      <Keywords>0x8000000000000000</Keywords>
> >>>      <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >>>      <EventRecordID>8737</EventRecordID>
> >>>      <Correlation />
> >>>      <Execution ProcessID="840" ThreadID="900" />
> >>>      <Channel>System</Channel>
> >>>      <Computer>computer.domain</Computer>
> >>>      <Security UserID="S-1-5-18" />
> >>>    </System>
> >>>    <EventData>
> >>>      <Data Name="Target">cifs/domain</Data>
> >>>      <Data Name="Protocol">Kerberos</Data>
> >>>      <Data Name="Error">"The maximum number of referral tickets has
> >>> been exceeded.
> >>>   (0xc00002f4)"</Data>
> >>>    </EventData>
> >>> </Event>
> >>>
> >>> root at dc:/var/lib/samba/sysvol/domain/Policies# getfacl
> >>> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
> >>> # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
> >>> # owner: root
> >>> # group: 10000
> >>> user::rwx
> >>> user:root:rwx
> >>> user:3000002:rwx
> >>> user:3000003:r-x
> >>> user:3000007:rwx
> >>> user:3000008:r-x
> >>> group::rwx
> >>> group:10000:rwx
> >>> group:3000002:rwx
> >>> group:3000003:r-x
> >>> group:3000007:rwx
> >>> group:3000008:r-x
> >>> mask::rwx
> >>> other::---
> >>> default:user::rwx
> >>> default:user:root:rwx
> >>> default:user:3000002:rwx
> >>> default:user:3000003:r-x
> >>> default:user:3000007:rwx
> >>> default:user:3000008:r-x
> >>> default:group::---
> >>> default:group:10000:rwx
> >>> default:group:3000002:rwx
> >>> default:group:3000003:r-x
> >>> default:group:3000007:rwx
> >>> default:group:3000008:r-x
> >>> default:mask::rwx
> >>> default:other::---
> >>>
> >>>
> >>> DHCP IP
> >>>
> >>> Regards
> >>>
> >>>
> >>> On 29/03/2016 15:46, L.P.H. van Belle wrote:
> >>>> Complete event ID of:
> >>>>> But still, events log show a warning about kerberos ticket from
> >>>>> LsaSrv source and right after a permission denied on GPT.ini
> >>>> And a getfacl of the problem GPO SID please, I'll check.
> >>>>
> >>>> And an output of ipconfig /all on the problem PC.
> >>>>
> >>>> And question, dedicated IP or DHCP IP?
> >>>>
> >>>>
> >>>> Greetz,
> >>>>
> >>>> Louis
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> -----Original message-----
> >>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
> >>>>> Sent: Tuesday 29 March 2016 15:41
> >>>>> CC: samba
> >>>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>>>>
> >>>>> LOGONSERVER is the server used to authenticate the currently logged-in
> >>>>> user; this does not mean that it is the one from which the machine GPO
> >>>>> was fetched (which seems to be round-robinized, but maybe not)
> >>>>>
> >>>>> Got no more sysvolcheck errors, manually fixed those (what a pain)
> >>>>>
> >>>>> But still, event logs show a warning about a Kerberos ticket from the
> >>>>> LsaSrv source and right after a permission denied on GPT.ini
> >>>>>
> >>>>> Regards
> >>>>>
> >>>>> On 29/03/2016 15:16, mathias dufresne wrote:
> >>>>>> About sysvolreset errors: send them to us. There is (at least) one
> >>>>>> error from sysvolcheck which is not too important (if I have
> >>>>>> understood it well): the ACL is set on the FS to Local Admins when it
> >>>>>> should be Domain Admins (or the contrary). That one should be a simple
> >>>>>> warning, or it is and it can be ignored (once more: according to my
> >>>>>> memory).
> >>>>>>
> >>>>>> 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> >>>>>>
> >>>>>>> To see which DC is used by a Windows client: open an MS-DOS console,
> >>>>>>> type "set", look for LOGONSERVER=\\<your_dc>
> >>>>>>>
> >>>>>>> <your_dc> is the DC used to connect on.
> >>>>>>>
> >>>>>>> If the issue comes from one DC I would look at sysvol synchronisation
> >>>>>>> between DCs, ACLs on all sysvols, DNS entries (but I don't think
> >>>>>>> that's a DNS issue if you only have a GPO issue).
> >>>>>>>
> >>>>>>> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
> >>>>>>>> Hi
> >>>>>>>>
> >>>>>>>> Same here, GPOs work without UID/GID on machine accounts (since the
> >>>>>>>> issue "resolves" itself sometimes)
> >>>>>>>>
> >>>>>>>> It really seems to depend on which DC is chosen at start.
> >>>>>>>>
> >>>>>>>> One of the affected machines just recovered without any change
> >>>>>>>> except a reboot
> >>>>>>>>
> >>>>>>>> So I guess the root issue is the Kerberos one "max reference tickets
> >>>>>>>> exceeded" but cannot see why it happens and on which DC
> >>>>>>>>
> >>>>>>>> I noticed this morning that sysvolcheck returns errors that won't be
> >>>>>>>> fixed by sysvolreset (!), I manually fixed ntacl but this does not
> >>>>>>>> seem to have fixed anything
> >>>>>>>>
> >>>>>>>> Regards
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 29/03/2016 11:57, mathias dufresne wrote:
> >>>>>>>>
> >>>>>>>>> I'm not an expert in idmap (at all in fact :p) but I thought idmap
> >>>>>>>>> stuff was there to replace RFC2307 UID/GID declared in AD/LDAP
> >>>>>>>>> objects. In other words, if you configure idmap correctly in
> >>>>>>>>> smb.conf I expect you don't need to declare UID/GID for machine
> >>>>>>>>> accounts any more.
> >>>>>>>>>
> >>>>>>>>> Anyway here my machines get access to their GPO: I tested one
> >>>>>>>>> computer's GPO this morning, the one giving the possibility to use
> >>>>>>>>> userPrincipalName without @samba.domain.tld when logging into a
> >>>>>>>>> computer. That worked so the GPO was applied and my machines have
> >>>>>>>>> no UID/GID nor does my smb.conf contain anything about idmap:
> >>>>>>>>> ----------------------------------------
> >>>>>>>>> [global]
> >>>>>>>>>            workgroup = SAMBA
> >>>>>>>>>            realm = SAMBA.DOMAIN.TLD
> >>>>>>>>>            netbios name = DC200
> >>>>>>>>>            server role = active directory domain controller
> >>>>>>>>>
> >>>>>>>>>            server services = -dns
> >>>>>>>>>            idmap_ldb:use rfc2307 = yes
> >>>>>>>>>
> >>>>>>>>>            # NOTE: removed as we now use BIND-DLZ DNS backend
> >>>>>>>>>            #dns forwarder = 10.156.32.99
> >>>>>>>>>
> >>>>>>>>>            #kccsrv:samba_kcc=true
> >>>>>>>>>
> >>>>>>>>> [netlogon]
> >>>>>>>>>            path = /var/lib/samba/sysvol/samba.domain.tld/scripts
> >>>>>>>>>            read only = No
> >>>>>>>>>
> >>>>>>>>> [sysvol]
> >>>>>>>>>            path = /var/lib/samba/sysvol
> >>>>>>>>>            read only = No
> >>>>>>>>> ----------------------------------------
> >>>>>>>>>
> >>>>>>>>> But my nsswitch.conf is configured to use winbind:
> >>>>>>>>>     grep win /etc/nsswitch.conf
> >>>>>>>>> passwd:     files winbind
> >>>>>>>>> shadow:     files winbind
> >>>>>>>>> group:      files winbind
> >>>>>>>>>
> >>>>>>>>> And that works:
> >>>>>>>>> For users:
> >>>>>>>>> id administrator
> >>>>>>>>> uid=0(root) gid=0(root) groupes=0(root)
> >>>>>>>>> For computers:
> >>>>>>>>> id dc200$
> >>>>>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
> >>>>>>>>> groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
> >>>>>>>>>
> >>>>>>>>> So idmapping seems to be enabled by default as there are no UID/GID
> >>>>>>>>> declared on the DC200 computer:
> >>>>>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
> >>>>>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
> >>>>>>>>>
> >>>>>>>>> So I still expect an issue about mapping computer accounts to
> >>>>>>>>> UNIX/Linux local users.
> >>>>>>>>>
> >>>>>>>>> Hoping this helps, cheers,
> >>>>>>>>>
> >>>>>>>>> mathias
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
> >>>>>>>>>
> >>>>>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
> >>>>>>>>>> additional option when installing the tools. I believe it is
> >>>>>>>>>> "something for NIS attributes". This adds the "UNIX" tab to ADUC
> >>>>>>>>>> and allows you to set the uid/gid as well as group memberships for
> >>>>>>>>>> UNIX systems. I have done this on my networks, but I may have
> >>>>>>>>>> forgotten it on this one. I will check. I still have the issue, it
> >>>>>>>>>> is not a "node type" issue.
> >>>>>>>>>>
> >>>>>>>>>> Lead IT/IS Specialist
> >>>>>>>>>> Reach Technology FP, Inc
> >>>>>>>>>>
> >>>>>>>>>> On 03/23/2016 12:01 PM, mj wrote:
> >>>>>>>>>>
> >>>>>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> And did you add those IDs to the sysvol share permissions?
> >>>>>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid
> >>>>>>>>>>>> fields in RSAT
> >>>>>>>>>>>>
> >>>>>>>>>>> I added them using LAM, because yes: using RSAT I also could not.
> >>>>>>>>>>>
> >>>>>>>>>>> (lam: www.ldap-account-manager.org/)
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba



-- 
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
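Several posters above compared sysvol permissions across DCs with getfacl and found them "identical", yet the failures still follow a particular DC. The numeric principals in the posted getfacl output (3000002, 3000003, ...) are xids allocated by each DC's own idmap.ldb, which is not replicated between DCs, so the same number can stand for a different SID on each DC even after an rsync copies the ACL byte for byte. The script below is an added example, not code from this thread or from the Samba project: it parses getfacl output, flags unresolved numeric IDs, and compares the two DCs' ACLs by SID rather than by number. The DC1 ACL is the getfacl output posted above; the DC2 ACL, the domain SID and both xid-to-SID maps are constructed for illustration. On a real DC each map entry would come from running `wbinfo --uid-to-sid N` or `wbinfo --gid-to-sid N` on that DC.

```python
"""Compare a SysVol policy directory's POSIX ACL across two Samba DCs by SID.

Added example (not from the mailing-list thread or the Samba project).
DC1_GETFACL is the getfacl output posted in the thread; DC2_GETFACL, DOMAIN_SID
and the xid->SID maps are constructed. Real maps come from `wbinfo --uid-to-sid`
/ `wbinfo --gid-to-sid` run on each DC, because idmap.ldb is per-DC.
"""
import re
from typing import Dict, Set, Tuple

AclEntry = Tuple[bool, str, str, str]  # (is_default, tag, qualifier, perms)

# One getfacl entry: optional "default:" prefix, tag, qualifier, rwx triple.
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def parse_getfacl(text: str) -> Set[AclEntry]:
    """Parse `getfacl` output into a set of ACL entries; '# ...' headers are skipped."""
    entries: Set[AclEntry] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised getfacl line: {line!r}")
        is_default, tag, qual, perms = m.groups()
        entries.add((bool(is_default), tag, qual, perms))
    return entries


def unresolved_ids(entries: Set[AclEntry]) -> Set[str]:
    """Numeric qualifiers: IDs that nss/winbind on that DC could not turn into names."""
    return {q for _, tag, q, _ in entries if tag in ("user", "group") and q.isdigit()}


def to_sids(entries: Set[AclEntry], xid_to_sid: Dict[str, str]) -> Set[AclEntry]:
    """Rewrite numeric user/group qualifiers as SIDs using that DC's map."""
    out: Set[AclEntry] = set()
    for is_default, tag, qual, perms in entries:
        if tag in ("user", "group") and qual.isdigit():
            qual = xid_to_sid.get(qual, f"UNMAPPED-{qual}")
        out.add((is_default, tag, qual, perms))
    return out


def compare_dcs(acl1: str, map1: Dict[str, str], acl2: str, map2: Dict[str, str]) -> dict:
    """Report whether the raw ACLs match and which SID-level entries differ."""
    e1, e2 = parse_getfacl(acl1), parse_getfacl(acl2)
    s1, s2 = to_sids(e1, map1), to_sids(e2, map2)
    return {
        "raw_identical": e1 == e2,
        "unresolved": unresolved_ids(e1) | unresolved_ids(e2),
        "only_on_dc1": s1 - s2,
        "only_on_dc2": s2 - s1,
    }


# Sample input: the getfacl output from the thread (DC1). DC2 holds the same
# text, as an rsync of the directory would have produced.
DC1_GETFACL = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000008:r-x
default:group::---
default:group:10000:rwx
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000007:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---
"""
DC2_GETFACL = DC1_GETFACL

# Constructed xid->SID maps (what wbinfo would print on each DC); not real data.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
DC1_XID_TO_SID = {
    "10000": DOMAIN_SID + "-513",    # Domain Users (rfc2307 gidNumber)
    "3000002": DOMAIN_SID + "-512",  # Domain Admins
    "3000003": "S-1-5-11",           # Authenticated Users
    "3000007": DOMAIN_SID + "-519",  # Enterprise Admins
    "3000008": "S-1-5-9",            # Enterprise Domain Controllers
}
# DC2's idmap.ldb handed 3000002 to a different object: the number survived
# the rsync, the principal did not.
DC2_XID_TO_SID = dict(DC1_XID_TO_SID, **{"3000002": DOMAIN_SID + "-1104"})

if __name__ == "__main__":
    result = compare_dcs(DC1_GETFACL, DC1_XID_TO_SID, DC2_GETFACL, DC2_XID_TO_SID)
    print("raw getfacl identical:", result["raw_identical"])
    print("unresolved numeric IDs:", sorted(result["unresolved"]))
    for side in ("only_on_dc1", "only_on_dc2"):
        for entry in sorted(result[side]):
            print(side, entry)
```

With the constructed maps the raw ACLs compare equal, exactly as reported in the thread, while the SID view shows Domain Admins losing rwx on DC2 and an unrelated principal gaining it. Two caveats when using this for real: getfacl only shows the POSIX ACL, whereas Samba also keeps the NT ACL in the `security.NTACL` extended attribute, which rsync drops unless run with `-X` as root; and `samba-tool ntacl sysvolcheck`, already mentioned above, is the check that validates those NT ACLs against what the DC expects.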

