[Samba] Permission denied on GPT.ini (Event ID 1058)

mathias dufresne infractory at gmail.com
Tue Mar 29 13:14:05 UTC 2016


To see which DC is used by a Windows client: open an MS-DOS console, type
"set", and look for LOGONSERVER=\\<your_dc>

<your_dc> is the DC the client is connected to.

If the issue comes from one DC I would have a look at sysvol synchronisation
between DCs, ACLs on all sysvol, DNS entries (but I don't think that's a DNS
issue if you have only a GPO issue).

2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:

> Hi
>
> Same here, GPOs work without UID/GID on the machine account (since the issue
> "resolves" itself sometimes)
>
> It really seems to depend on which DC is chosen at start.
>
> One of the affected machines just recovered without any change except a
> reboot
>
> So I guess the root issue is the Kerberos one "max reference tickets exceeded"
> but cannot see why it happens and on which DC
>
> I noticed this morning that sysvolcheck returns errors that won't be fixed
> by sysvolreset (!), I manually fixed ntacl but this does not seem to have
> fixed anything
>
> Regards
>
>
>
>
> On 29/03/2016 11:57, mathias dufresne wrote:
>
>> I'm not an expert in idmap (at all in fact :p) but I thought the idmap stuff
>> was there to replace the RFC2307 UID/GID declared in AD/LDAP objects.
>> In other words, if you configure idmap correctly in smb.conf I expect
>> you no longer need to declare UID/GID for machine accounts.
>>
>> Anyway, here my machines get access to their GPOs: I tested one computer's
>> GPO this morning, the one giving the possibility to use userPrincipalName
>> without @samba.domain.tld when logging into a computer. That worked, so the
>> GPO was applied, and my machines have no UID/GID, nor does my smb.conf contain
>> anything about idmap:
>> ----------------------------------------
>> [global]
>>          workgroup = SAMBA
>>          realm = SAMBA.DOMAIN.TLD
>>          netbios name = DC200
>>          server role = active directory domain controller
>>
>>          server services = -dns
>>          idmap_ldb:use rfc2307 = yes
>>
>>          # NOTE: removed as we now use BIND-DLZ DNS backend
>>          #dns forwarder = 10.156.32.99
>>
>>          #kccsrv:samba_kcc=true
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/samba.domain.tld/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>> ----------------------------------------
>>
>> But my nsswitch.conf is configured to use winbind:
>>   grep win /etc/nsswitch.conf
>> passwd:     files winbind
>> shadow:     files winbind
>> group:      files winbind
>>
>> And that works:
>> For users:
>> id administrator
>> uid=0(root) gid=0(root) groupes=0(root)
>> For computers:
>> id dc200$
>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
>> groupes=3000011(AD.DGFIP\domain
>> controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc
>> password
>> replication group)
>>
>> So idmapping seems to be enabled by default, as there are no UID/GID
>> declared on the DC200 computer:
>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
>>
>> So I still expect an issue about mapping computer accounts to UNIX/Linux
>> local users.
>>
>> Hoping this helps, cheers,
>>
>> mathias
>>
>>
>>
>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
>>
>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
>>> additional option when installing the tools. I believe it is "something
>>> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
>>> set the uid/gid as well as group memberships for UNIX systems. I have
>>> done this on my networks, but I may have forgotten it on this one. I
>>> will check. I still have the issue, it is not a "node type" issue.
>>>
>>> Lead IT/IS Specialist
>>> Reach Technology FP, Inc
>>>
>>> On 03/23/2016 12:01 PM, mj wrote:
>>>
>>>>
>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
>>>>
>>>>> And did you add those IDs to the sysvol share permissions?
>>>>> I guess you used samba-tool since I cannot find any gid/uid fields in
>>>>> RSAT
>>>>>
>>>> I added them using LAM, because yes: using RSAT I also could not.
>>>>
>>>> (lam: www.ldap-account-manager.org/)
>>>>
>>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>
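Added example, not taken from the thread: a PowerShell check to run on an affected Windows client that starts from the LOGONSERVER tip above and then tries to read every GPO's gpt.ini from each DC advertised in DNS, so a DC-specific ACL or sysvol-synchronisation problem shows up directly instead of depending on which DC the client happened to pick. It assumes the client can resolve the `_ldap._tcp.dc._msdcs` SRV records and that SYSVOL uses the standard `\\<dc>\SYSVOL\<domain>\Policies` layout; `USERDNSDOMAIN` and `LOGONSERVER` are the client's own environment variables.

```powershell
# Added diagnostic (not from the thread): for every DC found in DNS, try to read
# each GPO's gpt.ini over SMB and report which DC, if any, denies access.
# Run on an affected domain-joined Windows client as a normal domain user.
$domain      = $env:USERDNSDOMAIN.ToLower()
$logonServer = $env:LOGONSERVER.TrimStart('\')
Write-Host "Client is currently using DC: $logonServer"

# Every DC registers an _ldap._tcp.dc._msdcs SRV record; NameTarget is its FQDN.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
       Where-Object { $_.QueryType -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcs) {
    $policies = "\\$dc\SYSVOL\$domain\Policies"
    try {
        $gpoDirs = Get-ChildItem -LiteralPath $policies -Directory -ErrorAction Stop
    } catch {
        # Cannot even list the Policies folder on this DC: share or sysvol ACL problem
        [pscustomobject]@{ DC = $dc; GPO = '(Policies dir)'; Status = "FAIL: $($_.Exception.Message)" }
        continue
    }
    foreach ($gpo in $gpoDirs) {
        $ini = Join-Path $gpo.FullName 'gpt.ini'
        try {
            # The Version= line differing between DCs points at a sysvol sync lag
            $ver = (Get-Content -LiteralPath $ini -ErrorAction Stop | Select-String '^Version=').Line
            [pscustomobject]@{ DC = $dc; GPO = $gpo.Name; Status = "OK ($ver)" }
        } catch {
            # Access denied here is what the client logs as Event ID 1058
            [pscustomobject]@{ DC = $dc; GPO = $gpo.Name; Status = "FAIL: $($_.Exception.Message)" }
        }
    }
}

# One row per (GPO, DC): a GPO that is OK on one DC and FAIL on another is the DC to fix
$results | Sort-Object GPO, DC | Format-Table -AutoSize
```

Compare the FAIL rows against the DC named by LOGONSERVER; if they match, the client's Event ID 1058 is explained by that DC's sysvol ACLs rather than by the machine account's UID/GID.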

