[Samba] Permission denied on GPT.ini (Event ID 1058)

L.P.H. van Belle belle at bazuin.nl
Tue Mar 29 13:46:31 UTC 2016


Complete event ID of:
> But still, the event log shows a warning about a Kerberos ticket from the LsaSrv
> source and right after a permission denied on GPT.ini

And a getfacl of the problem GPO SID please, I'll check. 

And an output of ipconfig /all on the problem PC. 

And a question: dedicated IP or DHCP IP? 


Greetz, 

Louis





> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
> Sent: Tuesday 29 March 2016 15:41
> CC: samba
> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> 
> LOGONSERVER is the server used to authenticate the currently logged-in user;
> this does not mean that it is the one from which the machine GPO was fetched
> (which seems to be round-robined, but maybe not)
> 
> Got no more sysvolcheck errors, manually fixed those (what a pain)
> 
> But still, the event log shows a warning about a Kerberos ticket from the LsaSrv
> source and right after a permission denied on GPT.ini
> 
> Regards
> 
> On 29/03/2016 15:16, mathias dufresne wrote:
> > About sysvolreset errors: send them to us. There is (at least) one error
> > from sysvolcheck which is not too important (if I have understood it
> > well): the ACL is set on the FS to Local Admins when it should be Domain
> > Admins (or the contrary). That one should be a simple warning, or it is
> > and it can be ignored (once more: according to my memory).
> >
> > 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> >
> >> To see which DC is used by a Windows client: open an MS-DOS console, type
> >> "set", look for LOGONSERVER=\\<your_dc>
> >>
> >> <your_dc> is the DC used to connect on.
> >>
> >> If the issue comes from one DC I would look at sysvol synchronisation
> >> between DCs, ACLs on all sysvol, DNS entries (but I don't think that's a
> >> DNS issue if you only have a GPO issue).
> >>
> >> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
> >>
> >>> Hi
> >>>
> >>> Same here, GPOs work without UID/GID on the machine account (since the issue
> >>> "resolves" itself sometimes)
> >>>
> >>> It really seems to depend on which DC is chosen at start.
> >>>
> >>> One of the affected machines just recovered without any change except a
> >>> reboot
> >>>
> >>> So I guess the root issue is the Kerberos one "max reference tickets
> >>> exceeded" but I cannot see why it happens and on which DC
> >>>
> >>> I noticed this morning that sysvolcheck returns errors that won't be
> >>> fixed by sysvolreset (!), I manually fixed the ntacl but this does not
> >>> seem to have fixed anything
> >>>
> >>> Regards
> >>>
> >>>
> >>>
> >>>
> >>> On 29/03/2016 11:57, mathias dufresne wrote:
> >>>
> >>>> I'm not an expert in idmap (at all in fact :p) but I thought the idmap
> >>>> stuff was there to replace RFC2307 UID/GID declared in AD/LDAP objects.
> >>>> In other words, if you configure idmap correctly in smb.conf I expect
> >>>> you no longer need to declare UID/GID for machine accounts.
> >>>>
> >>>> Anyway here my machines get access to their GPO: I tested one computer's
> >>>> GPO this morning, the one giving the possibility to use userPrincipalName
> >>>> without @samba.domain.tld when logging into a computer. That worked so
> >>>> the GPO was applied, and my machines have no UID/GID nor does my smb.conf
> >>>> contain anything about idmap:
> >>>> ----------------------------------------
> >>>> [global]
> >>>>           workgroup = SAMBA
> >>>>           realm = SAMBA.DOMAIN.TLD
> >>>>           netbios name = DC200
> >>>>           server role = active directory domain controller
> >>>>
> >>>>           server services = -dns
> >>>>           idmap_ldb:use rfc2307 = yes
> >>>>
> >>>>           # NOTE: removed as we now use BIND-DLZ DNS backend
> >>>>           #dns forwarder = 10.156.32.99
> >>>>
> >>>>           #kccsrv:samba_kcc=true
> >>>>
> >>>> [netlogon]
> >>>>           path = /var/lib/samba/sysvol/samba.domain.tld/scripts
> >>>>           read only = No
> >>>>
> >>>> [sysvol]
> >>>>           path = /var/lib/samba/sysvol
> >>>>           read only = No
> >>>> ----------------------------------------
> >>>>
> >>>> But my nsswitch.conf is configured to use winbind:
> >>>>    grep win /etc/nsswitch.conf
> >>>> passwd:     files winbind
> >>>> shadow:     files winbind
> >>>> group:      files winbind
> >>>>
> >>>> And that works:
> >>>> For users:
> >>>> id administrator
> >>>> uid=0(root) gid=0(root) groupes=0(root)
> >>>> For computers:
> >>>> id dc200$
> >>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
> >>>>
> >>>> So idmapping seems to be enabled by default as there are no UID/GID
> >>>> declared on DC200 computer:
> >>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
> >>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
> >>>>
> >>>> So I still expect an issue about mapping computer accounts to a
> >>>> UNIX/Linux local user.
> >>>>
> >>>> Hoping this helps, cheers,
> >>>>
> >>>> mathias
> >>>>
> >>>>
> >>>>
> >>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
> >>>>
> >>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
> >>>>> additional option when installing the tools. I believe it is "something
> >>>>> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
> >>>>> set the uid/gid as well as group memberships for UNIX systems. I have
> >>>>> done this on my networks, but I may have forgotten it on this one. I
> >>>>> will check. I still have the issue, it is not a "node type" issue.
> >>>>>
> >>>>> Lead IT/IS Specialist
> >>>>> Reach Technology FP, Inc
> >>>>>
> >>>>> On 03/23/2016 12:01 PM, mj wrote:
> >>>>>
> >>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
> >>>>>>
> >>>>>>> And did you add those IDs to the sysvol share permissions?
> >>>>>>> I guess you used samba-tool since I cannot find any gid/uid fields
> >>>>>>> in RSAT
> >>>>>>>
> >>>>>> I added them using LAM, because yes: using RSAT I also could not.
> >>>>>>
> >>>>>> (lam: www.ldap-account-manager.org/)
> >>>>>>
> >>>>>> --
> >>>>> To unsubscribe from this list go to the following URL and read the
> >>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>
> >>>>>
> >>>
> >>
> 
> 
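Louis asks for the getfacl output of the problem GPO directory; the script below is an added example (not code from any list member or from the Samba project) of how to read such output and check it for the entries a domain member needs to fetch GPT.ini. The getfacl sample is constructed for this example, the GPO GUID is a placeholder, and the required-principal list is an assumption modelled on the default sysvol ACL that `samba-tool ntacl sysvolreset` applies (Authenticated Users read/execute, Domain Admins and BUILTIN\Administrators full control). Names resolve only when nsswitch.conf uses winbind, as in mathias' setup; numeric IDs in the output are reported separately because they point at a name-mapping problem rather than a missing ACE.

```python
"""Check the POSIX ACL of a Samba sysvol GPO directory, as printed by getfacl,
for the read access a member computer needs to fetch GPT.ini.

Constructed example: the sample output, the GPO GUID placeholder and the
REQUIRED table are assumptions for illustration, not taken from any system
described in the thread."""

import re

# Constructed sample of `getfacl <GPO dir>` on a DC where some names resolve
# through winbind and some do not. Note the mask of r-x and the absence of an
# Authenticated Users entry; both are deliberate defects for the checker to find.
SAMPLE_GETFACL = """\
# file: /var/lib/samba/sysvol/samba.domain.tld/Policies/{GPO-GUID-PLACEHOLDER}
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:SAMBA\\domain admins:rwx
group:BUILTIN\\administrators:rwx
mask::r-x
other::---
"""

# Principals a GPO directory is expected to grant (assumption, see docstring).
# A machine account reads GPT.ini as a member of Authenticated Users, so that
# entry missing or lacking r-x is the classic cause of Event ID 1058.
REQUIRED = {
    "NT Authority\\authenticated users": "r-x",
    "SAMBA\\domain admins": "rwx",
    "BUILTIN\\administrators": "rwx",
}

ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):(.*):([rwx-]{3})$")


def parse_getfacl(text):
    """Return (entries, mask): entries maps (kind, qualifier) -> perm string.
    'default:' entries only shape newly created children and are skipped."""
    entries, mask = {}, "rwx"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # getfacl appends "#effective:r-x" when the mask narrows an entry.
        line = line.split("#effective:")[0].rstrip()
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised getfacl line: {line!r}")
        default, kind, qualifier, perms = m.groups()
        if default:
            continue
        if kind == "mask":
            mask = perms
        else:
            entries[(kind, qualifier)] = perms
    return entries, mask


def effective(perms, mask):
    """Named user/group entries are ANDed with the mask, as the kernel does."""
    return "".join(p if p == q else "-" for p, q in zip(perms, mask))


def has_bits(got, needed):
    """True if every bit required by `needed` is present in `got`."""
    return all(n == "-" or g == n for g, n in zip(got, needed))


def check_gpo_acl(text, required=REQUIRED):
    """Report principals that are missing or short of their required bits,
    plus numeric IDs that winbind/nsswitch did not resolve to names."""
    entries, mask = parse_getfacl(text)
    problems = {}
    for principal, needed in required.items():
        got = entries.get(("group", principal)) or entries.get(("user", principal))
        if got is None:
            problems[principal] = "missing"
            continue
        eff = effective(got, mask)
        if not has_bits(eff, needed):
            problems[principal] = f"has {eff} (entry {got}, mask {mask}), needs {needed}"
    unresolved = sorted({q for (_, q) in entries if q.isdigit()})
    return {"problems": problems, "unresolved_ids": unresolved, "mask": mask}


if __name__ == "__main__":
    import json
    print(json.dumps(check_gpo_acl(SAMPLE_GETFACL), indent=2))
```

Run it against the real output (`getfacl /var/lib/samba/sysvol/<realm>/Policies/<GUID>`) after adjusting the REQUIRED names to your own domain prefix. A populated `unresolved_ids` list means the DC cannot map those xidNumbers back to AD names, which is the nsswitch/winbind situation discussed above; a non-empty `problems` entry is what `samba-tool ntacl sysvolreset` (or a manual ntacl fix, as Sébastien did) is meant to repair.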