[Samba] Permission denied on GPT.ini (Event ID 1058)

Sébastien Le Ray sebastien-samba at orniz.org
Tue Mar 29 14:11:21 UTC 2016


Hi

French windows version

LSA Error

Log Name:      System
Source:        LsaSrv
Date:          29/03/2016 15:49:56
Event ID:      40960
Task Category: None
Level:         Warning
Keywords:
User:          System
Computer:      computer.domain
Description:
The security system detected an authentication error for the server
cifs/domain. The failure code from the Kerberos authentication protocol
was "The maximum number of referral tickets has been exceeded.
  (0xc00002f4)".
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
     <Provider Name="LsaSrv" 
Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
     <EventID>40960</EventID>
     <Version>0</Version>
     <Level>3</Level>
     <Task>0</Task>
     <Opcode>0</Opcode>
     <Keywords>0x8000000000000000</Keywords>
     <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
     <EventRecordID>8737</EventRecordID>
     <Correlation />
     <Execution ProcessID="840" ThreadID="900" />
     <Channel>System</Channel>
     <Computer>computer.domain</Computer>
     <Security UserID="S-1-5-18" />
   </System>
   <EventData>
     <Data Name="Target">cifs/computer.domain</Data>
     <Data Name="Protocol">Kerberos</Data>
     <Data Name="Error">"The maximum number of referral tickets has been exceeded.
  (0xc00002f4)"</Data>
   </EventData>
</Event>


GPT.ini error

Log Name:      System
Source:        LsaSrv
Date:          29/03/2016 15:49:56
Event ID:      40960
Task Category: None
Level:         Warning
Keywords:
User:          System
Computer:      computer.domain
Description:
The security system detected an authentication error for the server
cifs/domain. The failure code from the Kerberos authentication protocol
was "The maximum number of referral tickets has been exceeded.
  (0xc00002f4)".
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
     <Provider Name="LsaSrv" 
Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
     <EventID>40960</EventID>
     <Version>0</Version>
     <Level>3</Level>
     <Task>0</Task>
     <Opcode>0</Opcode>
     <Keywords>0x8000000000000000</Keywords>
     <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
     <EventRecordID>8737</EventRecordID>
     <Correlation />
     <Execution ProcessID="840" ThreadID="900" />
     <Channel>System</Channel>
     <Computer>computer.domain</Computer>
     <Security UserID="S-1-5-18" />
   </System>
   <EventData>
     <Data Name="Target">cifs/domain</Data>
     <Data Name="Protocol">Kerberos</Data>
     <Data Name="Error">"The maximum number of referral tickets has been exceeded.
  (0xc00002f4)"</Data>
   </EventData>
</Event>

root at dc:/var/lib/samba/sysvol/domain/Policies# getfacl \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000008:r-x
default:group::---
default:group:10000:rwx
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000007:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---


DHCP IP

Regards


On 29/03/2016 15:46, L.P.H. van Belle wrote:
> Complete event ID of:
>> But still, events log show a warning about kerberos ticket from LsaSrv
>> source and right after a permission denied on GPT.ini
> And a getfacl of the problem GPO SID please, I'll check.
>
> And a output of ipconfig /all on the problem pc.
>
> And question, dedicated IP or dhcp IP?
>
>
> Greetz,
>
> Louis
>
>
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
>> Sent: Tuesday 29 March 2016 15:41
>> CC: samba
>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>
>> LOGONSERVER is the server used to authenticate the currently logged-in user;
>> this does not mean that it is the one from which the machine GPO was fetched
>> (which seems to be round-robined, but maybe not).
>>
>> Got no more sysvolcheck errors, manually fixed those (what a pain).
>>
>> But still, the event log shows a warning about a Kerberos ticket from the
>> LsaSrv source and right after it a permission denied on GPT.ini.
>>
>> Regards
>>
>> On 29/03/2016 15:16, mathias dufresne wrote:
>>> About sysvolreset errors: send them to us. There is (at least) one error
>>> from sysvolcheck which is not too important (if I have understood it
>>> well): the ACL is set on the FS to Local Admins when it should be Domain
>>> Admins (or the contrary). That one should be a simple warning, or it is
>>> and it can be ignored (once more: according to my memory).
>>>
>>> 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>>>
>>>> To see which DC is used by a Windows client: open a DOS console, type
>>>> "set", look for LOGONSERVER=\\<your_dc>
>>>>
>>>> <your_dc> is the DC used to connect on.
>>>>
>>>> If the issue comes from one DC I would look at sysvol synchronisation
>>>> between DCs, ACLs on all sysvol, DNS entries (but I don't think that's a
>>>> DNS issue if you only have GPO issues).
>>>>
>>>> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
>>>>> Hi
>>>>>
>>>>> Same here, GPOs work without UID/GID on the machine account (since the
>>>>> issue "resolves" itself sometimes).
>>>>>
>>>>> It really seems to depend on which DC is chosen at start.
>>>>>
>>>>> One of the affected machines just recovered without any change except a
>>>>> reboot.
>>>>>
>>>>> So I guess the root issue is the Kerberos one, "max reference tickets
>>>>> exceeded", but I cannot see why it happens and on which DC.
>>>>>
>>>>> I noticed this morning that sysvolcheck returns errors that won't be
>>>>> fixed by sysvolreset (!); I manually fixed the ntacl but this does not
>>>>> seem to have fixed anything.
>>>>>
>>>>> Regards
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 29/03/2016 11:57, mathias dufresne wrote:
>>>>>
>>>>>> I'm not an expert in idmap (at all in fact :p) but I thought the idmap
>>>>>> stuff was there to replace the RFC2307 UID/GID declared in AD/LDAP objects.
>>>>>> In other words, if you configure idmap correctly in smb.conf I expect
>>>>>> you no longer need to declare a UID/GID for machine accounts.
>>>>>>
>>>>>> Anyway, here my machines get access to their GPO: I tested one computer's
>>>>>> GPO this morning, the one giving the possibility to use the
>>>>>> userPrincipalName without @samba.domain.tld when logging into a computer.
>>>>>> That worked, so the GPO was applied, and my machines have no UID/GID, nor
>>>>>> does my smb.conf contain anything about idmap:
>>>>>> ----------------------------------------
>>>>>> [global]
>>>>>>            workgroup = SAMBA
>>>>>>            realm = SAMBA.DOMAIN.TLD
>>>>>>            netbios name = DC200
>>>>>>            server role = active directory domain controller
>>>>>>
>>>>>>            server services = -dns
>>>>>>            idmap_ldb:use rfc2307 = yes
>>>>>>
>>>>>>            # NOTE: removed as we now use BIND-DLZ DNS backend
>>>>>>            #dns forwarder = 10.156.32.99
>>>>>>
>>>>>>            #kccsrv:samba_kcc=true
>>>>>>
>>>>>> [netlogon]
>>>>>>            path = /var/lib/samba/sysvol/samba.domain.tld/scripts
>>>>>>            read only = No
>>>>>>
>>>>>> [sysvol]
>>>>>>            path = /var/lib/samba/sysvol
>>>>>>            read only = No
>>>>>> ----------------------------------------
>>>>>>
>>>>>> But my nsswitch.conf is configured to use winbind:
>>>>>>     grep win /etc/nsswitch.conf
>>>>>> passwd:     files winbind
>>>>>> shadow:     files winbind
>>>>>> group:      files winbind
>>>>>>
>>>>>> And that works:
>>>>>> For users:
>>>>>> id administrator
>>>>>> uid=0(root) gid=0(root) groupes=0(root)
>>>>>> For computers:
>>>>>> id dc200$
>>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
>>>>>> groupes=3000011(AD.DGFIP\domain
>>>>>> controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc
>>>>>> password
>>>>>> replication group)
>>>>>>
>>>>>> So idmapping seems to be enabled by default as there is no UID/GID
>>>>>> declared on the DC200 computer:
>>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
>>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
>>>>>>
>>>>>> So I still expect an issue about mapping computer accounts to UNIX/Linux
>>>>>> local users.
>>>>>>
>>>>>> Hoping this helps, cheers,
>>>>>>
>>>>>> mathias
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>
>>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
>>>>>>> additional option when installing the tools. I believe it is "something
>>>>>>> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
>>>>>>> set the uid/gid as well as group memberships for UNIX systems. I have
>>>>>>> done this on my networks, but I may have forgotten it on this one. I
>>>>>>> will check. I still have the issue, it is not a "node type" issue.
>>>>>>>
>>>>>>> Lead IT/IS Specialist
>>>>>>> Reach Technology FP, Inc
>>>>>>>
>>>>>>> On 03/23/2016 12:01 PM, mj wrote:
>>>>>>>
>>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
>>>>>>>>
>>>>>>>>> And did you add those IDs to the sysvol share permissions?
>>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid fields in
>>>>>>>>> RSAT
>>>>>>>>>
>>>>>>>> I added them using LAM, because yes: using RSAT i also could not.
>>>>>>>>
>>>>>>>> (lam: www.ldap-account-manager.org/)
>>>>>>>>
>>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>>>
>>
>
>
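As an added example (not part of the thread, and not Samba's or Microsoft's code): a small Python parser for the LsaSrv 40960 event XML posted above. It pulls out the target SPN, the protocol and the NTSTATUS code buried in the free-text Error field, so the 40960 warning can be lined up with the GPT.ini 1058 error by time and computer. The Target is the SPN the client asked the KDC for, i.e. cifs/<host part of the UNC path it opened>. The embedded event is a constructed, trimmed copy of the one in the post with the error text in English; the NTSTATUS name table is an assumption limited to the one code seen here (0xC00002F4 is STATUS_MAX_REFERRALS_EXCEEDED in ntstatus.h).

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Windows event exported as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: minimal NTSTATUS table, names from ntstatus.h; extend as needed.
NTSTATUS_NAMES = {
    0xC00002F4: "STATUS_MAX_REFERRALS_EXCEEDED",
}

# Constructed sample: the LsaSrv event from the post, trimmed to the fields
# used here, with the French error text rendered in English.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
    <EventID>40960</EventID>
    <Level>3</Level>
    <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
    <EventRecordID>8737</EventRecordID>
    <Channel>System</Channel>
    <Computer>computer.domain</Computer>
  </System>
  <EventData>
    <Data Name="Target">cifs/domain</Data>
    <Data Name="Protocol">Kerberos</Data>
    <Data Name="Error">"The maximum number of referral tickets has been exceeded.
  (0xc00002f4)"</Data>
  </EventData>
</Event>"""


def parse_lsasrv_event(xml_text):
    """Extract the fields needed to triage an LsaSrv 40960 authentication warning."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    # The NTSTATUS only appears inside the free-text Error field, e.g. "(0xc00002f4)".
    match = re.search(r"0x([0-9a-fA-F]{8})", data.get("Error", ""))
    status = int(match.group(1), 16) if match else None
    # Target is the SPN requested from the KDC: <service class>/<host part of the UNC>.
    target = data.get("Target", "")
    service_class, _, host = target.partition("/")
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "protocol": data.get("Protocol"),
        "target_spn": target,
        "service_class": service_class,
        "target_host": host,
        "ntstatus": status,
        "ntstatus_name": NTSTATUS_NAMES.get(status, "UNKNOWN"),
        # NTSTATUS severity is in the top two bits: 0b11 = error, 0b10 = warning.
        "severity": "error" if status is not None and (status >> 30) == 3 else "other",
    }


def summarize(ev):
    """One grep-friendly line per event, for lining 40960 up with the 1058 by time."""
    code = "0x%08X" % ev["ntstatus"] if ev["ntstatus"] is not None else "n/a"
    return "%s %s %s/%d target=%s proto=%s status=%s (%s)" % (
        ev["time"], ev["computer"], ev["provider"], ev["event_id"],
        ev["target_spn"], ev["protocol"], code, ev["ntstatus_name"])


if __name__ == "__main__":
    print(summarize(parse_lsasrv_event(SAMPLE_EVENT)))
```

Feed it the XML of each 40960 from the System log (and the matching 1058 from the same minute) and compare the target_host column across the affected clients: whether it is the bare domain name or a specific DC tells you which name the client was resolving when the referral limit was hit.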




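A second added example, also not from the thread or from Samba: a Python check over the getfacl output posted above for the GPO directory. It parses the access and default ACLs, computes each entry's effective permission after the mask, lists principals that are still numeric and that the local pwd/grp lookup cannot resolve (getfacl prints a name when NSS can resolve the ID, so the bare 30000xx IDs in the post suggest that on that DC they did not resolve, which is what Mathias's nsswitch/winbind point is about; those IDs are the range Samba's idmap.ldb allocates on an AD DC), and reports entries whose default ACL differs from the access ACL (in the post, group:: is rwx on the directory but --- in the default ACL, and the default ACL is what new files created below it inherit). The getfacl text is copied from the post; on a machine without winbind in nsswitch every 30000xx ID will be reported as unresolved.

```python
import grp
import pwd

# Constructed sample: the getfacl output posted in the thread, copied as-is.
GETFACL_OUTPUT = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000008:r-x
default:group::---
default:group:10000:rwx
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000007:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---
"""


def parse_getfacl(text):
    """Return ACL entries as (is_default, tag, qualifier, perms) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops header and '#effective:' comments
        if not line:
            continue
        fields = line.split(":")
        is_default = fields[0] == "default"
        if is_default:
            fields = fields[1:]
        entries.append((is_default, fields[0], fields[1], fields[2]))
    return entries


def perm_bits(perms):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(bit for ch, bit in zip(perms, (4, 2, 1)) if ch != "-")


def effective_permissions(entries, default=False):
    """Map (tag, qualifier) -> effective bits for the access (or default) ACL.

    Named users, the owning group and named groups are limited by the mask;
    the owner entry (user::) and other:: are not.
    """
    subset = [e for e in entries if e[0] == default]
    mask = next((perm_bits(p) for _, t, _, p in subset if t == "mask"), 7)
    result = {}
    for _, tag, qualifier, perms in subset:
        if tag == "mask":
            continue
        bits = perm_bits(perms)
        masked = tag == "group" or (tag == "user" and qualifier != "")
        result[(tag, qualifier)] = bits & mask if masked else bits
    return result


def unresolved_principals(entries):
    """Numeric qualifiers that the local NSS (pwd/grp) cannot turn into a name."""
    seen, out = set(), []
    for _, tag, qualifier, _ in entries:
        if not qualifier.isdigit() or (tag, qualifier) in seen:
            continue
        seen.add((tag, qualifier))
        try:
            if tag == "user":
                pwd.getpwuid(int(qualifier))
            else:
                grp.getgrgid(int(qualifier))
        except KeyError:
            out.append((tag, qualifier))
    return out


def access_default_mismatches(entries):
    """Principals whose default ACL differs from the access ACL: (tag, qualifier, access, default)."""
    access = {(t, q): p for d, t, q, p in entries if not d}
    default = {(t, q): p for d, t, q, p in entries if d}
    return [(t, q, access[(t, q)], default[(t, q)]) for (t, q) in access
            if (t, q) in default and access[(t, q)] != default[(t, q)]]


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    for (tag, qualifier), bits in effective_permissions(acl).items():
        print("%-6s %-8s effective=%o" % (tag, qualifier or "-", bits))
    print("unresolved:", unresolved_principals(acl))
    print("access/default mismatches:", access_default_mismatches(acl))
```

Run it against `getfacl` output from each DC for the same GPO GUID and diff the results: if the effective permissions or the set of resolvable IDs differ between DCs, that is the DC-dependent behaviour the thread is chasing.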