[Samba] Permission denied on GPT.ini (Event ID 1058)

mathias dufresne infractory at gmail.com
Tue Mar 29 13:16:38 UTC 2016


About sysvolreset errors: send them to us. There is (at least) one error
from sysvolcheck which is not too important (if I have understood it
well): the ACL is set on the FS to Local Admins when it should be Domain
Admins (or the other way around). That one should be a simple warning, or
it is one and can be ignored (once more: according to my memory).

2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> To see which DC is used by a Windows client: open an MSDOS console, type
> "set", and look for LOGONSERVER=\\<your_dc>
>
> <your_dc> is the DC used to connect on.
>
> If the issue comes from one DC I would have a look at sysvol synchronisation
> between DCs, ACLs on all sysvol, and DNS entries (but I don't think that's a
> DNS issue if you only have a GPO issue).
>
> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
>
>> Hi
>>
>> Same here, GPOs work without UID/GID on the machine account (since the issue
>> "resolves" itself sometimes)
>>
>> It really seems to depend on which DC is chosen at start.
>>
>> One of the affected machines just recovered without any change except a
>> reboot
>>
>> So I guess the root issue is the Kerberos one, "max reference tickets
>> exceeded", but I cannot see why it happens and on which DC
>>
>> I noticed this morning that sysvolcheck returns errors that won't be
>> fixed by sysvolreset (!). I manually fixed the ntacl but this does not seem
>> to have fixed anything
>>
>> Regards
>>
>>
>>
>>
>> On 29/03/2016 11:57, mathias dufresne wrote:
>>
>>> I'm not an expert in idmap (at all in fact :p) but I thought the idmap stuff
>>> was there to replace the RFC2307 UID/GID declared in AD/LDAP objects.
>>> In other words, if you configure idmap correctly in smb.conf I expect
>>> you no longer need to declare UID/GID for machine accounts.
>>>
>>> Anyway, here my machines get access to their GPOs: I tested one computer
>>> GPO this morning, the one giving the possibility to use userPrincipalName
>>> without @samba.domain.tld when logging into a computer. That worked, so the
>>> GPO was applied, and my machines have no UID/GID, nor does my smb.conf
>>> contain anything about idmap:
>>> ----------------------------------------
>>> [global]
>>>          workgroup = SAMBA
>>>          realm = SAMBA.DOMAIN.TLD
>>>          netbios name = DC200
>>>          server role = active directory domain controller
>>>
>>>          server services = -dns
>>>          idmap_ldb:use rfc2307 = yes
>>>
>>>          # NOTE: removed as we now use BIND-DLZ DNS backend
>>>          #dns forwarder = 10.156.32.99
>>>
>>>          #kccsrv:samba_kcc=true
>>>
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/samba.domain.tld/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>>> ----------------------------------------
>>>
>>> But my nsswitch.conf is configured to use winbind:
>>>   grep win /etc/nsswitch.conf
>>> passwd:     files winbind
>>> shadow:     files winbind
>>> group:      files winbind
>>>
>>> And that works:
>>> For users:
>>> id administrator
>>> uid=0(root) gid=0(root) groupes=0(root)
>>> For computers:
>>> id dc200$
>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
>>> groupes=3000011(AD.DGFIP\domain
>>> controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc
>>> password
>>> replication group)
>>>
>>> So idmapping seems to be enabled by default as there is no UID/GID
>>> declared on the DC200 computer:
>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
>>>
>>> So I still expect an issue about mapping computer accounts to UNIX/Linux
>>> local users.
>>>
>>> Hoping this helps, cheers,
>>>
>>> mathias
>>>
>>>
>>>
>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>
>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
>>>> additional option when installing the tools. I believe it is "something
>>>> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
>>>> set the uid/gid as well as group memberships for UNIX systems. I have
>>>> done this on my networks, but I may have forgotten it on this one. I
>>>> will check. I still have the issue, it is not a "node type" issue.
>>>>
>>>> Lead IT/IS Specialist
>>>> Reach Technology FP, Inc
>>>>
>>>> On 03/23/2016 12:01 PM, mj wrote:
>>>>
>>>>>
>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
>>>>>
>>>>>> And did you add those IDs to the sysvol share permissions?
>>>>>> I guess you used samba-tool since I cannot find any gid/uid fields in
>>>>>> RSAT
>>>>>>
>>>>> I added them using LAM, because yes: using RSAT I also could not.
>>>>>
>>>>> (lam: www.ldap-account-manager.org/)
>>>>>
>>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>
>>
>
>
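The thread's symptom (Event 1058, "permission denied" on GPT.ini, appearing only when the client picks a particular DC) comes down to the NT ACL on each DC's copy of the sysvol file. As an added example that is not part of the thread, the Python below parses the SDDL string that `samba-tool ntacl get --as-sddl <path>` prints on each DC and reports the DCs where Authenticated Users (AU, which computer accounts belong to) are not granted read on GPT.ini; the sample SDDL strings are constructed, with DC200's modelled on what I believe is Samba's provision default for sysvol (an assumption, verify against your own install).

```python
import re

# Rights relevant to reading GPT.ini; samba-tool prints hex masks, Windows tools may
# use two-letter SDDL aliases instead.
FILE_READ_DATA, GENERIC_READ, GENERIC_ALL = 0x1, 0x80000000, 0x10000000
RIGHT_ALIASES = {"GA": GENERIC_ALL, "GR": GENERIC_READ, "FA": 0x1F01FF, "FR": 0x120089}
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return [(ace_type, flags, access_mask, sid)] for each ACE in the D: section."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]  # ignore any SACL that follows the DACL
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")
        if len(parts) != 6:  # skip ACE forms this checker does not understand
            continue
        ace_type, flags, rights, _obj, _inh, sid = parts
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        else:  # alias string such as "FR" or "GRGX"
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= RIGHT_ALIASES.get(rights[i:i + 2], 0)
        aces.append((ace_type, flags, mask, sid))
    return aces

def can_read(sddl, principal):
    """True if `principal` (an SDDL alias such as AU, or a SID) may read the file.
    Simplification: any matching deny wins and group membership is not expanded."""
    allowed = denied = False
    for ace_type, _flags, mask, sid in parse_dacl(sddl):
        if sid == principal and mask & (FILE_READ_DATA | GENERIC_READ | GENERIC_ALL):
            allowed |= ace_type == "A"
            denied |= ace_type == "D"
    return allowed and not denied

def dcs_denying_read(acls_by_dc, principal="AU"):
    """DCs whose copy of the file does not let `principal` read it: clients that pick
    one of these DCs are the ones that log Event 1058 for GPT.ini."""
    return sorted(dc for dc, sddl in acls_by_dc.items() if not can_read(sddl, principal))

# Constructed sample: the same GPT.ini read on two DCs. DC200 carries what I believe is
# the Samba provision default for sysvol (an assumption); DC201 lost the AU entry.
SAMPLE = {
    "dc200": "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
             "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)",
    "dc201": "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)",
}
```

Feed it the real output of `samba-tool ntacl get --as-sddl` for the same GPT.ini path collected on every DC; a non-empty result names the DCs whose sysvol copy needs `samba-tool ntacl sysvolreset` or a manual ACL fix.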

