[Samba] Permission denied on GPT.ini (Event ID 1058)

mathias dufresne infractory at gmail.com
Tue Mar 29 09:57:41 UTC 2016


I'm not an expert in idmap (at all in fact :p) but I thought idmap stuff
was there to replace RFC2307 UID/GID declared in AD/LDAP objects.
In other words, if you configure idmap correctly in smb.conf I expect
you no longer need to declare UID/GID for machine accounts.

Anyway, here my machines get access to their GPO: I tested one computer's
GPO this morning, the one giving the possibility to use userPrincipalName
without @samba.domain.tld when logging into a computer. That worked, so the
GPO was applied, and my machines have no UID/GID nor does my smb.conf contain
anything about idmap:
----------------------------------------
[global]
        workgroup = SAMBA
        realm = SAMBA.DOMAIN.TLD
        netbios name = DC200
        server role = active directory domain controller

        server services = -dns
        idmap_ldb:use rfc2307 = yes

        # NOTE: removed as we now use BIND-DLZ DNS backend
        #dns forwarder = 10.156.32.99

        #kccsrv:samba_kcc=true

[netlogon]
        path = /var/lib/samba/sysvol/samba.domain.tld/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
----------------------------------------

But my nsswitch.conf is configured to use winbind:
 grep win /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

And that works:
For users:
id administrator
uid=0(root) gid=0(root) groupes=0(root)
For computers:
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)

So idmapping seems to be enabled by default, as there are no UID/GID
declared on the DC200 computer:
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7

So I still expect an issue about mapping computer accounts to UNIX/Linux
local users.

Hoping this helps, cheers,

mathias



2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:

> I add UNIX attributes (gid/uid) using RSAT. You need to select an
> additional option when installing the tools. I believe it is "something
> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
> set the uid/gid as well as group memberships for UNIX systems. I have
> done this on my networks, but I may have forgotten it on this one. I
> will check. I still have the issue, it is not a "node type" issue.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 03/23/2016 12:01 PM, mj wrote:
> >
> >
> > On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
> >> And did you add those IDs to the sysvol share permissions?
> >> I guess you used samba-tool since I cannot find any gid/uid fields in
> >> RSAT
> >
> > I added them using LAM, because yes: using RSAT I also could not.
> >
> > (lam: www.ldap-account-manager.org/)
> >
>

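As an added example (not code from the thread or from Samba), a small Python helper that parses `id` output as pasted above, including the French "groupes=" label and the line wrapping a mail client introduces, and flags which xids fall in the range Samba's built-in idmap.ldb allocates. It assumes the allocation base is 3000000 (Samba's default), so an id at or above it came from winbind's allocation rather than from uidNumber/gidNumber stored in AD:

```python
import re
from dataclasses import dataclass

# Assumption (Samba's default): the DC's built-in idmap.ldb allocates xids
# from 3000000 upward to accounts that carry no uidNumber/gidNumber, so an
# id at or above this base was allocated by winbind, not declared via RFC2307.
IDMAP_LDB_BASE = 3000000

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")          # 3000025(AD.DGFIP\dc200$)
_LABEL = re.compile(r"\b(uid|gid|groups|groupes)=")


@dataclass
class IdResult:
    uid: int
    uid_name: str
    gid: int
    gid_name: str
    groups: list  # [(xid, name), ...] in the order `id` printed them


def parse_id_output(text: str) -> IdResult:
    """Parse the output of `id`. Accepts the English 'groups=' and the French
    'groupes=' label, and re-joins output that a mail client wrapped (a name
    such as 'domain controllers' may have been split across lines)."""
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    parts = _LABEL.split(flat)  # ['', 'uid', '<value>', 'gid', '<value>', ...]
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    uid, uid_name = _ENTRY.search(fields["uid"]).groups()
    gid, gid_name = _ENTRY.search(fields["gid"]).groups()
    raw_groups = fields.get("groups") or fields.get("groupes", "")
    groups = [(int(x), n) for x, n in _ENTRY.findall(raw_groups)]
    return IdResult(int(uid), uid_name, int(gid), gid_name, groups)


def mapping_source(xid: int) -> str:
    """'idmap.ldb' for an auto-allocated xid; 'explicit' for anything below the
    base (a local passwd/group entry or a uidNumber/gidNumber set in AD)."""
    return "idmap.ldb" if xid >= IDMAP_LDB_BASE else "explicit"


# Constructed sample: the dc200$ output from the mail, kept exactly as the
# mail client wrapped it, with the French locale's 'groupes=' label.
SAMPLE_DC200 = """\
uid=3000025(AD.DGFIP\\dc200$) gid=3000011(AD.DGFIP\\domain controllers)
groupes=3000011(AD.DGFIP\\domain
controllers),3000025(AD.DGFIP\\dc200$),3000002(AD.DGFIP\\denied rodc password
replication group)
"""

if __name__ == "__main__":
    r = parse_id_output(SAMPLE_DC200)
    print(f"uid {r.uid} ({r.uid_name}): {mapping_source(r.uid)}")
    for xid, name in r.groups:
        print(f"group {xid} ({name}): {mapping_source(xid)}")
```

Run it against `id <machine>$` on the DC to see whether the machine account's xids come from idmap.ldb or from RFC2307 attributes; a machine that does not resolve at all is the one to look at first for the GPT.ini permission error.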
