[Samba] Permission denied on GPT.ini (Event ID 1058)

L.P.H. van Belle belle at bazuin.nl
Mon Apr 18 09:57:31 UTC 2016


Hi,

Yeah, you probably have one of these 2 problems (or both).

1)
This is probably because your "computer" (user) does not have any access.
Recheck your permissions on the share and the folders for that specific policy.

2)
The connection-specific suffix and/or network suffix is wrong.
Check if your PC is set up correctly with DHCP.
ipconfig /all (check these, and make sure you have "Hybrid" (H-node)).

This is not a Samba problem but a configuration problem,
or a corruption in your IP stack; (netsh int ip reset) can help also.

I've posted a link before this one, go through it, there are multiple good options to check out.

http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm



Greetz, 

Louis



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Sébastien Le Ray
> Sent: Monday 18 April 2016 11:22
> To: Jonathan Hunter; samba
> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> 
> Hi list
> 
> I have another box hitting the problem.
> 
> It's rather strange since a manual run of gpupdate terminates smoothly;
> the only failure seems to be at boot time (sadly this seems to prevent the
> boot scripts from being run, which is of course what we need).
> 
> My guess was that the issue was arising when boot-up GPO fetching wasn't
> performed on the DC on which machine authentication was done (as I said
> before, this is due to the fact that sysvol is supposed to be a DFS
> share so it is accessed through \\domain.fqdn\ which, when using Samba,
> is a dumb round robin). So what I did was to remove all DNS entries for
> domain.fqdn except for the site DC IP, thus ensuring that the GPO was
> fetched from the same machine. Without success.
> 
> I ran Wireshark during the machine boot-up; the sequence is basically:
> dig -t SRV _ldap._tcp.dc._msdcs.domain.fqdn
> <= all domain controllers
> => pick one to get my site
> <= your site is XXX
> dig -t SRV _ldap._tcp.XXX._sites.dc._msdcs.domain.fqdn
> <= site DC
> All subsequent communication is made with the DC the box fetched. Still
> no success.
> I can see the SMB2 negotiate protocol request/response, DNS updates, but
> reading GPT.ini still fails.
> 
> Regards
> 
> On 14/04/2016 18:03, Jonathan Hunter wrote:
> > I hate 'me too' replies - but I have also been struggling with this for
> > some years in my multi-DC environment. (yes, replicated sysvol via lsyncd +
> > rsync; permissions looked identical via getfacl last time I checked).
> > Sometimes a client machine will run gpupdate just fine; other times it will
> > fail, seemingly randomly.
> >
> > My next step was going to be to run wireshark on a client machine to see if
> > the problem follows a particular DC or pattern - as someone has already
> > said elsewhere in this thread, the LOGONSERVER isn't necessarily the DC
> > that GPOs are fetched from.
> >
> > I don't have UIDs/GIDs for my machine accounts but maybe I should try to
> > add them.. Unfortunately every time I sit down to troubleshoot this, the
> > client machine runs gpupdate with no errors at all; and of course every
> > time I make a GPO update that needs to be pushed out, it chooses that time
> > to not work.. :)
> >
> > I will try and do some wireshark work and let you know what I find.. It's
> > definitely "not just you", though - and I'm glad it's not just me, as well!
> > :-)
> >
> > On 14 April 2016 at 15:42, Ryan Ashley <ryana at reachtechfp.com> wrote:
> >
> >> Sorry for my delayed response, my job has had me out of state for a
> >> while. I wanted to add that I am not getting the Kerberos error in my
> >> event logs. It just flat out claims that it cannot read gpt.ini for some
> >> reason. This happens randomly, whether dc01 or dc02 is the logon server,
> >> and the strange part is that most PCs can work fine, but one or two
> >> randomly won't.
> >>
> >> In other words, if pc1 and pc3 are using dc01, and pc2 is using dc02,
> >> pc1 and pc2 work fine, but pc3 says it can't read the gpt.ini on dc01.
> >> This may persist for weeks, then it suddenly works.
> >>
> >> Lead IT/IS Specialist
> >> Reach Technology FP, Inc
> >>
> >> On 03/30/2016 06:01 AM, L.P.H. van Belle wrote:
> >>> I found this one.
> >>> Check which one works for you.
> >>>
> >>>
> >> http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm
> >>> I'm sure this is not a Samba configuration problem.
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>> -----Original Message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van
> >> Belle
> >>>> Sent: Tuesday 29 March 2016 16:18
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>>>
> >>>> I don't read any French but translators work ok. ;-) phew..
> >>>>
> >>>> Ok, any firewalling on the DCs?  If so, open TCP and UDP port 88.
> >>>> Or try briefly without firewalls on, on the DCs.
> >>>>
> >>>> Another option to try is to reduce the MaxPacketSize in Windows.
> >>>>
> >>>> Looks like a too-big packet which is rejected.
> >>>>
> >>>> Oh, and the above is also needed on the DNS port 53.
> >>>> Open TCP and UDP.
> >>>>
> >>>> If the UDP packets are too big, TCP is tried.
> >>>>
> >>>>
> >>>> And let us know the result.
> >>>>
> >>>> Greetz,
> >>>>
> >>>> Louis
> >>>>
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Sébastien Le Ray [mailto:sebastien at orniz.org]
> >>>>> Sent: Tuesday 29 March 2016 16:10
> >>>>> To: L.P.H. van Belle; samba at lists.samba.org
> >>>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>>>>
> >>>>> Hi
> >>>>>
> >>>>> French Windows version
> >>>>>
> >>>>> LSA Error
> >>>>>
> >>>>> Log Name:      System
> >>>>> Source:        LsaSrv
> >>>>> Date:          29/03/2016 15:49:56
> >>>>> Event ID:      40960
> >>>>> Task Category: None
> >>>>> Level:         Warning
> >>>>> Keywords:
> >>>>> User:          SYSTEM
> >>>>> Computer:      computer.domain
> >>>>> Description:
> >>>>> The security system detected an authentication error for the
> >>>>> server cifs/domain. The failure code from the Kerberos
> >>>>> authentication protocol was "The maximum number of referral
> >>>>> tickets has been exceeded.
> >>>>>    (0xc00002f4)".
> >>>>> Event XML:
> >>>>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >>>>>     <System>
> >>>>>       <Provider Name="LsaSrv"
> >>>>> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >>>>>       <EventID>40960</EventID>
> >>>>>       <Version>0</Version>
> >>>>>       <Level>3</Level>
> >>>>>       <Task>0</Task>
> >>>>>       <Opcode>0</Opcode>
> >>>>>       <Keywords>0x8000000000000000</Keywords>
> >>>>>       <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >>>>>       <EventRecordID>8737</EventRecordID>
> >>>>>       <Correlation />
> >>>>>       <Execution ProcessID="840" ThreadID="900" />
> >>>>>       <Channel>System</Channel>
> >>>>>       <Computer>computer.domain</Computer>
> >>>>>       <Security UserID="S-1-5-18" />
> >>>>>     </System>
> >>>>>     <EventData>
> >>>>>       <Data Name="Target">cifs/computer.domain</Data>
> >>>>>       <Data Name="Protocol">Kerberos</Data>
> >>>>>       <Data Name="Error">"The maximum number of referral tickets has been
> >>>>> exceeded.
> >>>>>    (0xc00002f4)"</Data>
> >>>>>     </EventData>
> >>>>> </Event>
> >>>>>
> >>>>>
> >>>>> GPT.ini error
> >>>>>
> >>>>> Log Name:      System
> >>>>> Source:        LsaSrv
> >>>>> Date:          29/03/2016 15:49:56
> >>>>> Event ID:      40960
> >>>>> Task Category: None
> >>>>> Level:         Warning
> >>>>> Keywords:
> >>>>> User:          SYSTEM
> >>>>> Computer:      computer.domain
> >>>>> Description:
> >>>>> The security system detected an authentication error for the
> >>>>> server cifs/domain. The failure code from the Kerberos
> >>>>> authentication protocol was "The maximum number of referral
> >>>>> tickets has been exceeded.
> >>>>>    (0xc00002f4)".
> >>>>> Event XML:
> >>>>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >>>>>     <System>
> >>>>>       <Provider Name="LsaSrv"
> >>>>> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >>>>>       <EventID>40960</EventID>
> >>>>>       <Version>0</Version>
> >>>>>       <Level>3</Level>
> >>>>>       <Task>0</Task>
> >>>>>       <Opcode>0</Opcode>
> >>>>>       <Keywords>0x8000000000000000</Keywords>
> >>>>>       <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >>>>>       <EventRecordID>8737</EventRecordID>
> >>>>>       <Correlation />
> >>>>>       <Execution ProcessID="840" ThreadID="900" />
> >>>>>       <Channel>System</Channel>
> >>>>>       <Computer>computer.domain</Computer>
> >>>>>       <Security UserID="S-1-5-18" />
> >>>>>     </System>
> >>>>>     <EventData>
> >>>>>       <Data Name="Target">cifs/domain</Data>
> >>>>>       <Data Name="Protocol">Kerberos</Data>
> >>>>>       <Data Name="Error">"The maximum number of referral tickets has been
> >>>>> exceeded.
> >>>>>    (0xc00002f4)"</Data>
> >>>>>     </EventData>
> >>>>> </Event>
> >>>>>
> >>>>> root at dc:/var/lib/samba/sysvol/domain/Policies# getfacl \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
> >>>>> # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
> >>>>> # owner: root
> >>>>> # group: 10000
> >>>>> user::rwx
> >>>>> user:root:rwx
> >>>>> user:3000002:rwx
> >>>>> user:3000003:r-x
> >>>>> user:3000007:rwx
> >>>>> user:3000008:r-x
> >>>>> group::rwx
> >>>>> group:10000:rwx
> >>>>> group:3000002:rwx
> >>>>> group:3000003:r-x
> >>>>> group:3000007:rwx
> >>>>> group:3000008:r-x
> >>>>> mask::rwx
> >>>>> other::---
> >>>>> default:user::rwx
> >>>>> default:user:root:rwx
> >>>>> default:user:3000002:rwx
> >>>>> default:user:3000003:r-x
> >>>>> default:user:3000007:rwx
> >>>>> default:user:3000008:r-x
> >>>>> default:group::---
> >>>>> default:group:10000:rwx
> >>>>> default:group:3000002:rwx
> >>>>> default:group:3000003:r-x
> >>>>> default:group:3000007:rwx
> >>>>> default:group:3000008:r-x
> >>>>> default:mask::rwx
> >>>>> default:other::---
> >>>>>
> >>>>>
> >>>>> DHCP IP
> >>>>>
> >>>>> Regards
> >>>>>
> >>>>>
> >>>>>> On 29/03/2016 15:46, L.P.H. van Belle wrote:
> >>>>>> Complete event ID of:
> >>>>>>> But still, events log show a warning about kerberos ticket from
> >>>> LsaSrv
> >>>>>>> source and right after a permission denied on GPT.ini
> >>>>>> And a getfacl of the problem GPO SID please, I'll check.
> >>>>>>
> >>>>>> And the output of ipconfig /all on the problem PC.
> >>>>>>
> >>>>>> And a question: dedicated IP or DHCP IP?
> >>>>>>
> >>>>>>
> >>>>>> Greetz,
> >>>>>>
> >>>>>> Louis
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Sébastien Le Ray
> >>>>>>> Sent: Tuesday 29 March 2016 15:41
> >>>>>>> CC: samba
> >>>>>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>>>>>>
> >>>>>>> LOGONSERVER is the server used to authenticate the currently logged-in
> >>>>>>> user; this does not mean that it is the one from which the machine GPO was
> >>>>>>> fetched (which seems to be round-robinized, but maybe not).
> >>>>>>>
> >>>>>>> Got no more sysvolcheck errors, manually fixed those (what a pain).
> >>>>>>>
> >>>>>>> But still, the event log shows a warning about a Kerberos ticket from the
> >>>>>>> LsaSrv source and right after a permission denied on GPT.ini.
> >>>>>>>
> >>>>>>> Regards
> >>>>>>>
> >>>>>>> On 29/03/2016 15:16, mathias dufresne wrote:
> >>>>>>>> About sysvolreset errors: send them to us. There is (at least) one error
> >>>>>>>> from sysvolcheck which is not too important (if I have understood it
> >>>>>>>> well): the ACL is set on the FS to Local Admins when it should be Domain
> >>>>>>>> Admins (or the contrary). That one should be a simple warning, or it is
> >>>>>>>> and it can be ignored (once more: according to my memory).
> >>>>>>>>
> >>>>>>>> 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> >>>>>>>>
> >>>>>>>>> To see which DC is used by a Windows client: open an MSDOS console, type
> >>>>>>>>> "set", look for LOGONSERVER=\\<your_dc>
> >>>>>>>>>
> >>>>>>>>> <your_dc> is the DC used to connect on.
> >>>>>>>>>
> >>>>>>>>> If the issue comes from one DC I would look at sysvol synchronisation
> >>>>>>>>> between DCs, ACLs on all sysvol, DNS entries (but I don't think that's a
> >>>>>>>>> DNS issue if you have only a GPO issue).
> >>>>>>>>>
> >>>>>>>>> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
> >>>>>>>>>> Hi
> >>>>>>>>>>
> >>>>>>>>>> Same here, GPO works without UID/GID on the machine account (since the
> >>>>>>>>>> issue "resolves" itself sometimes).
> >>>>>>>>>>
> >>>>>>>>>> It really seems to depend on which DC is chosen at start.
> >>>>>>>>>>
> >>>>>>>>>> One of the affected machines just recovered without any change except a
> >>>>>>>>>> reboot.
> >>>>>>>>>>
> >>>>>>>>>> So I guess the root issue is the Kerberos one, "max reference tickets
> >>>>>>>>>> exceeded", but I cannot see why it happens and on which DC.
> >>>>>>>>>>
> >>>>>>>>>> I noticed this morning that sysvolcheck returns errors that won't be
> >>>>>>>>>> fixed by sysvolreset (!), I manually fixed the ntacl but this does not
> >>>>>>>>>> seem to have fixed anything.
> >>>>>>>>>>
> >>>>>>>>>> Regards
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On 29/03/2016 11:57, mathias dufresne wrote:
> >>>>>>>>>>
> >>>>>>>>>>> I'm not an expert in idmap (at all in fact :p) but I thought the idmap
> >>>>>>>>>>> stuff was there to replace RFC2307 UID/GID declared in AD/LDAP objects.
> >>>>>>>>>>> In other words, if you configure idmap correctly in smb.conf I expect
> >>>>>>>>>>> you no longer need to declare UID/GID for machine accounts.
> >>>>>>>>>>>
> >>>>>>>>>>> Anyway, here my machines get access to their GPO: I tested one computer's
> >>>>>>>>>>> GPO this morning, the one giving the possibility to use userPrincipalName
> >>>>>>>>>>> without @samba.domain.tld when logging into a computer. That worked, so the
> >>>>>>>>>>> GPO was applied, and my machines have no UID/GID nor does my smb.conf
> >>>>>>>>>>> contain anything about idmap:
> >>>>>>>>>>> ----------------------------------------
> >>>>>>>>>>> [global]
> >>>>>>>>>>>             workgroup = SAMBA
> >>>>>>>>>>>             realm = SAMBA.DOMAIN.TLD
> >>>>>>>>>>>             netbios name = DC200
> >>>>>>>>>>>             server role = active directory domain controller
> >>>>>>>>>>>
> >>>>>>>>>>>             server services = -dns
> >>>>>>>>>>>             idmap_ldb:use rfc2307 = yes
> >>>>>>>>>>>
> >>>>>>>>>>>             # NOTE: removed as we now use BIND-DLZ DNS backend
> >>>>>>>>>>>             #dns forwarder = 10.156.32.99
> >>>>>>>>>>>
> >>>>>>>>>>>             #kccsrv:samba_kcc=true
> >>>>>>>>>>>
> >>>>>>>>>>> [netlogon]
> >>>>>>>>>>>             path = /var/lib/samba/sysvol/samba.domain.tld/scripts
> >>>>>>>>>>>             read only = No
> >>>>>>>>>>>
> >>>>>>>>>>> [sysvol]
> >>>>>>>>>>>             path = /var/lib/samba/sysvol
> >>>>>>>>>>>             read only = No
> >>>>>>>>>>> ----------------------------------------
> >>>>>>>>>>>
> >>>>>>>>>>> But my nsswitch.conf is configured to use winbind:
> >>>>>>>>>>>      grep win /etc/nsswitch.conf
> >>>>>>>>>>> passwd:     files winbind
> >>>>>>>>>>> shadow:     files winbind
> >>>>>>>>>>> group:      files winbind
> >>>>>>>>>>>
> >>>>>>>>>>> And that works:
> >>>>>>>>>>> For users:
> >>>>>>>>>>> id administrator
> >>>>>>>>>>> uid=0(root) gid=0(root) groupes=0(root)
> >>>>>>>>>>> For computers:
> >>>>>>>>>>> id dc200$
> >>>>>>>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
> >>>>>>>>>>> groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
> >>>>>>>>>>>
> >>>>>>>>>>> So idmapping seems to be enabled by default as there are no UID/GID
> >>>>>>>>>>> declared on the DC200 computer:
> >>>>>>>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
> >>>>>>>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
> >>>>>>>>>>>
> >>>>>>>>>>> So I still expect an issue about mapping computer accounts to UNIX/Linux
> >>>>>>>>>>> local users.
> >>>>>>>>>>>
> >>>>>>>>>>> Hoping this helps, cheers,
> >>>>>>>>>>>
> >>>>>>>>>>> mathias
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
> >>>>>>>>>>>
> >>>>>>>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
> >>>>>>>>>>>> additional option when installing the tools. I believe it is "something
> >>>>>>>>>>>> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
> >>>>>>>>>>>> set the uid/gid as well as group memberships for UNIX systems. I have
> >>>>>>>>>>>> done this on my networks, but I may have forgotten it on this one. I
> >>>>>>>>>>>> will check. I still have the issue, it is not a "node type" issue.
> >>>>>>>>>>>> Lead IT/IS Specialist
> >>>>>>>>>>>> Reach Technology FP, Inc
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 03/23/2016 12:01 PM, mj wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> And did you add those IDs to the sysvol share permissions?
> >>>>>>>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid fields in
> >>>>>>>>>>>>>> RSAT
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>> I added them using LAM, because yes: using RSAT I also could not.
> >>>>>>>>>>>>> (lam: www.ldap-account-manager.org/)
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> --
> >>>>>>>>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>
> >>>>
> >>>>
> >>>
> >>>
> >>
> >
> >
> 
> 
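Louis's first suggestion (the computer account simply has no access on the GPO folder) can be checked mechanically against the getfacl output Sébastien posted. The Python below is an added example, not code from this thread or from Samba: it parses that ACL and evaluates it the way the kernel does (owner first, then named users, then the owning and named groups through the mask, then other), so you can feed in the uid and gids that `id 'DOMAIN\host$'` prints on the DC and see whether the machine lands on `other::---`. The uid 3000042 and the `mask::r--` variant are assumptions chosen to show the two failure modes; which SIDs the numeric ids in the posted ACL belong to is not known from the thread.

```python
# Added example (not from the thread or from Samba): evaluate a POSIX ACL as
# printed by getfacl for a given uid/gid set, with the kernel's precedence
# rules, to check whether a winbind-mapped machine account can read a GPO dir.
import re
from dataclasses import dataclass, field

ALL = frozenset("rwx")


@dataclass
class Acl:
    owner: int
    group: int
    user_obj: frozenset                          # user::
    users: dict = field(default_factory=dict)    # user:<uid>:
    group_obj: frozenset = ALL                   # group::
    groups: dict = field(default_factory=dict)   # group:<gid>:
    mask: frozenset = ALL                        # mask:: (absent => nothing to mask)
    other: frozenset = frozenset()               # other::


def parse_getfacl(text, names=None):
    """Parse getfacl output. `names` maps symbolic owner/group names (e.g. root)
    to ids. Only access entries count; default: entries are inherited by new
    files and do not affect access to the directory itself."""
    names = dict(names or {})
    ids = {}
    acl = Acl(owner=-1, group=-1, user_obj=frozenset())
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()   # getfacl may append #effective:...
        m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
        if m:
            ident = m.group(2)
            ids[m.group(1)] = int(ident) if ident.isdigit() else names[ident]
            continue
        if not line or line.startswith("#") or line.startswith("default:"):
            continue
        tag, qual, perms = line.split(":", 2)
        bits = frozenset(c for c in perms if c in ALL)
        ident = int(qual) if qual.isdigit() else names.get(qual, qual)
        if tag == "user" and qual == "":
            acl.user_obj = bits
        elif tag == "user":
            acl.users[ident] = bits
        elif tag == "group" and qual == "":
            acl.group_obj = bits
        elif tag == "group":
            acl.groups[ident] = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
    acl.owner, acl.group = ids["owner"], ids["group"]
    return acl


def effective_perms(acl, uid, gids):
    """POSIX.1e access check: the first matching class decides. For the group
    classes the union of all matching entries is returned, which answers any
    single-bit question ("may I read?", "may I traverse?") exactly."""
    if uid == acl.owner:
        return acl.user_obj                      # the owner entry is never masked
    if uid in acl.users:
        return acl.users[uid] & acl.mask
    gids = set(gids)
    granted, matched = frozenset(), False
    if acl.group in gids:
        granted, matched = granted | (acl.group_obj & acl.mask), True
    for gid, bits in acl.groups.items():
        if gid in gids:
            granted, matched = granted | (bits & acl.mask), True
    return granted if matched else acl.other     # no group match: fall through to other::


def has_access(acl, uid, gids, want):
    """True if every bit in `want` (e.g. "rx" to list a directory) is granted."""
    return set(want) <= effective_perms(acl, uid, gids)


# getfacl output for the problem GPO directory, copied from the thread
GPO_ACL = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
"""


def report(acl, label, uid, gids, want="rx"):
    """One human-readable verdict line, in ls-style rwx notation."""
    bits = "".join(c if c in effective_perms(acl, uid, gids) else "-" for c in "rwx")
    verdict = "OK" if has_access(acl, uid, gids, want) else "DENIED"
    return f"{label:<40} uid={uid} gids={sorted(gids)} -> {bits} {verdict}"


if __name__ == "__main__":
    acl = parse_getfacl(GPO_ACL, names={"root": 0})
    print(report(acl, "listed uid 3000003", 3000003, {3000003}))
    # assumed: a machine account whose winbind uid/gid appear nowhere in the ACL;
    # it falls through to other::--- and gets exactly the "permission denied" symptom
    print(report(acl, "unlisted uid 3000042 (assumed)", 3000042, {3000042}))
    print(report(acl, "unlisted uid, member of gid 10000", 3000042, {3000042, 10000}))
    # assumed: someone ran chmod g-wx on the directory, which rewrites mask::
    # and silently cuts every named user/group entry down to r--
    masked = parse_getfacl(GPO_ACL.replace("mask::rwx", "mask::r--"), names={"root": 0})
    print(report(masked, "uid 3000002 after mask::r--", 3000002, {3000002}))
```

Run it on the DC against `getfacl` of the GPO directory and the uid/gids from `id 'DOMAIN\host$'` for the failing machine; a `DENIED` on the directory means GPT.ini inside it can never be opened, whatever the file's own ACL says. Note that this only covers the POSIX side: Samba also keeps an NT ACL in the `security.NTACL` xattr, which is what `samba-tool ntacl sysvolcheck` compares and `sysvolreset` rewrites, so a clean result here and a clean sysvolcheck are both needed.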




