[Samba] Permission denied on GPT.ini (Event ID 1058)

Sébastien Le Ray sebastien-samba at orniz.org
Tue Mar 29 14:31:00 UTC 2016


No firewall configured on DCs

telnet dc 88 & 53 works fine (so TCP at least is OK).

53 isn't mandatory since the AD zone is a delegation, so clients never talk
to the AD NS directly.

Regards

On 29/03/2016 16:18, L.P.H. van Belle wrote:
> I don't read any French but translators work OK. ;-) phew..
>
> Ok, any firewalling on the DCs?  If so, open TCP and UDP port 88.
> Or try briefly without firewalls on, on the DCs.
>
> Another option to try is to reduce the MaxPacketSize in Windows.
>
> Looks like a too-big packet which is rejected.
>
> Oh, and the above is also needed on the DNS port 53.
> Open TCP and UDP.
>
> If the UDP packets are too big, TCP is tried.
>
>
> And let us know the result.
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: Sébastien Le Ray [mailto:sebastien at orniz.org]
>> Sent: Tuesday, 29 March 2016 16:10
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>
>> Hi
>>
>> French windows version
>>
>> LSA Error
>>
>> Nom du journal :System
>> Source :       LsaSrv
>> Date :         29/03/2016 15:49:56
>> ID de l’événement :40960
>> Catégorie de la tâche :Aucun
>> Niveau :       Avertissement
>> Mots clés :
>> Utilisateur :  Système
>> Ordinateur :   computer.domain
>> Description :
>> Le système de sécurité a détecté une erreur d’authentification pour le
>> serveur cifs/domain. Le code de la panne à partir du protocole
>> d’authentification Kerberos était "Le nombre maximal de tickets de
>> référence a été dépassé.
>>    (0xc00002f4)".
>> XML de l’événement :
>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>     <System>
>>       <Provider Name="LsaSrv"
>> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
>>       <EventID>40960</EventID>
>>       <Version>0</Version>
>>       <Level>3</Level>
>>       <Task>0</Task>
>>       <Opcode>0</Opcode>
>>       <Keywords>0x8000000000000000</Keywords>
>>       <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
>>       <EventRecordID>8737</EventRecordID>
>>       <Correlation />
>>       <Execution ProcessID="840" ThreadID="900" />
>>       <Channel>System</Channel>
>>       <Computer>computer.domain</Computer>
>>       <Security UserID="S-1-5-18" />
>>     </System>
>>     <EventData>
>>       <Data Name="Target">cifs/computer.domain</Data>
>>       <Data Name="Protocol">Kerberos</Data>
>>       <Data Name="Error">"Le nombre maximal de tickets de référence a été
>> dépassé.
>>    (0xc00002f4)"</Data>
>>     </EventData>
>> </Event>
>>
>>
>> GPT.ini error
>>
>> Nom du journal :System
>> Source :       LsaSrv
>> Date :         29/03/2016 15:49:56
>> ID de l’événement :40960
>> Catégorie de la tâche :Aucun
>> Niveau :       Avertissement
>> Mots clés :
>> Utilisateur :  Système
>> Ordinateur :   computer.domain
>> Description :
>> Le système de sécurité a détecté une erreur d’authentification pour le
>> serveur cifs/domain. Le code de la panne à partir du protocole
>> d’authentification Kerberos était "Le nombre maximal de tickets de
>> référence a été dépassé.
>>    (0xc00002f4)".
>> XML de l’événement :
>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>     <System>
>>       <Provider Name="LsaSrv"
>> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
>>       <EventID>40960</EventID>
>>       <Version>0</Version>
>>       <Level>3</Level>
>>       <Task>0</Task>
>>       <Opcode>0</Opcode>
>>       <Keywords>0x8000000000000000</Keywords>
>>       <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
>>       <EventRecordID>8737</EventRecordID>
>>       <Correlation />
>>       <Execution ProcessID="840" ThreadID="900" />
>>       <Channel>System</Channel>
>>       <Computer>computer.domain</Computer>
>>       <Security UserID="S-1-5-18" />
>>     </System>
>>     <EventData>
>>       <Data Name="Target">cifs/domain</Data>
>>       <Data Name="Protocol">Kerberos</Data>
>>       <Data Name="Error">"Le nombre maximal de tickets de référence a été
>> dépassé.
>>    (0xc00002f4)"</Data>
>>     </EventData>
>> </Event>
>>
>> root at dc:/var/lib/samba/sysvol/domain/Policies# getfacl \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
>> # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
>> # owner: root
>> # group: 10000
>> user::rwx
>> user:root:rwx
>> user:3000002:rwx
>> user:3000003:r-x
>> user:3000007:rwx
>> user:3000008:r-x
>> group::rwx
>> group:10000:rwx
>> group:3000002:rwx
>> group:3000003:r-x
>> group:3000007:rwx
>> group:3000008:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:user:3000007:rwx
>> default:user:3000008:r-x
>> default:group::---
>> default:group:10000:rwx
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:group:3000007:rwx
>> default:group:3000008:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> DHCP IP
>>
>> Regards
>>
>>
>> On 29/03/2016 15:46, L.P.H. van Belle wrote:
>>> Complete event id of :
>>>> But still, events log show a warning about kerberos ticket from LsaSrv
>>>> source and right after a permission denied on GPT.ini
>>> And a getfacl of the problem GPO SID please, i'll check.
>>>
>>> And a output of ipconfig /all on the problem pc.
>>>
>>> And question, dedicated IP or dhcp IP?
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
>>>> Sent: Tuesday, 29 March 2016 15:41
>>>> CC: samba
>>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>>>
>>>> LOGONSERVER is the server used to authenticate the currently logged in
>>>> user; this does not mean that it is the one from which the machine GPO was
>>>> fetched (which seems to be round-robinized, but maybe not)
>>>>
>>>> Got no more sysvolcheck error, manually fixed those (what a pain)
>>>>
>>>> But still, events log show a warning about kerberos ticket from LsaSrv
>>>> source and right after a permission denied on GPT.ini
>>>>
>>>> Regards
>>>>
>>>> On 29/03/2016 15:16, mathias dufresne wrote:
>>>>> About sysvolreset errors: send them to us. There is (at least) one error
>>>>> from sysvolcheck which is not too important (if I have understood it
>>>>> well): ACL is set on FS to Local Admins when it should be Domain admins (or
>>>>> the contrary). That one should be a simple warning, or it is and it can be
>>>>> ignored (once more: according to my memory).
>>>>>
>>>>> 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>>>>>
>>>>>> To see which DC is used by the Windows client: open an MSDOS console, type
>>>>>> "set", look for LOGONSERVER=\\<your_dc>
>>>>>>
>>>>>> <your_dc> is the DC used to connect on.
>>>>>>
>>>>>> If the issue comes from one DC I would have on sysvol synchronisation between
>>>>>> DCs, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if
>>>>>> you have only GPO issues).
>>>>>>
>>>>>> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
>>>>>>> Hi
>>>>>>>
>>>>>>> Same here, GPOs work without UID/GID on the machine account (since the issue
>>>>>>> "resolves" itself sometimes)
>>>>>>>
>>>>>>> It really seems to depend on which DC is chosen at start.
>>>>>>>
>>>>>>> One of the affected machines just recovered without any change except a
>>>>>>> reboot
>>>>>>>
>>>>>>> So I guess the root issue is the kerberos one "max reference tickets
>>>>>>> exceeded" but cannot see why it happens and on which DC
>>>>>>>
>>>>>>> I noticed this morning that sysvolcheck returns errors that won't be
>>>>>>> fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to
>>>>>>> have fixed anything
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 29/03/2016 11:57, mathias dufresne wrote:
>>>>>>>
>>>>>>>> I'm not an expert in idmap (at all in fact :p) but I thought idmap stuff
>>>>>>>> was here to replace RFC2307 UID/GID declared in AD/LDAP objects.
>>>>>>>> In other words, if you configure idmap correctly in smb.conf I expect
>>>>>>>> you no longer need to declare UID/GID for machine accounts.
>>>>>>>>
>>>>>>>> Anyway here my machines get access to their GPO: I tested one computer's
>>>>>>>> GPO this morning, the one giving the possibility to use userPrincipalName
>>>>>>>> without @samba.domain.tld when logging into a computer. That worked so the
>>>>>>>> GPO was applied and my machines have no UID/GID nor does my smb.conf contain
>>>>>>>> anything about idmap:
>>>>>>>> ----------------------------------------
>>>>>>>> [global]
>>>>>>>>             workgroup = SAMBA
>>>>>>>>             realm = SAMBA.DOMAIN.TLD
>>>>>>>>             netbios name = DC200
>>>>>>>>             server role = active directory domain controller
>>>>>>>>
>>>>>>>>             server services = -dns
>>>>>>>>             idmap_ldb:use rfc2307 = yes
>>>>>>>>
>>>>>>>>             # NOTE: removed as we now use BIND-DLZ DNS backend
>>>>>>>>             #dns forwarder = 10.156.32.99
>>>>>>>>
>>>>>>>>             #kccsrv:samba_kcc=true
>>>>>>>>
>>>>>>>> [netlogon]
>>>>>>>>             path = /var/lib/samba/sysvol/samba.domain.tld/scripts
>>>>>>>>             read only = No
>>>>>>>>
>>>>>>>> [sysvol]
>>>>>>>>             path = /var/lib/samba/sysvol
>>>>>>>>             read only = No
>>>>>>>> ----------------------------------------
>>>>>>>>
>>>>>>>> But my nsswitch.conf is configured to use winbind:
>>>>>>>>      grep win /etc/nsswitch.conf
>>>>>>>> passwd:     files winbind
>>>>>>>> shadow:     files winbind
>>>>>>>> group:      files winbind
>>>>>>>>
>>>>>>>> And that works:
>>>>>>>> For users:
>>>>>>>> id administrator
>>>>>>>> uid=0(root) gid=0(root) groupes=0(root)
>>>>>>>> For computers:
>>>>>>>> id dc200$
>>>>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
>>>>>>>> groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
>>>>>>>>
>>>>>>>> So idmapping seems to be enabled by default as there are no UID/GID
>>>>>>>> declared on DC200 computer:
>>>>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
>>>>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
>>>>>>>>
>>>>>>>> So I still expect an issue about mapping computer accounts to UNIX/Linux
>>>>>>>> local users.
>>>>>>>>
>>>>>>>> Hoping this helps, cheers,
>>>>>>>>
>>>>>>>> mathias
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>>
>>>>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
>>>>>>>>> additional option when installing the tools. I believe it is "something
>>>>>>>>> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
>>>>>>>>> set the uid/gid as well as group memberships for UNIX systems. I have
>>>>>>>>> done this on my networks, but I may have forgotten it on this one. I
>>>>>>>>> will check. I still have the issue, it is not a "node type" issue.
>>>>>>>>>
>>>>>>>>> Lead IT/IS Specialist
>>>>>>>>> Reach Technology FP, Inc
>>>>>>>>>
>>>>>>>>> On 03/23/2016 12:01 PM, mj wrote:
>>>>>>>>>
>>>>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
>>>>>>>>>>
>>>>>>>>>>> And did you add those IDs to the sysvol share permissions?
>>>>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid fields in
>>>>>>>>>>> RSAT
>>>>>>>>>>>
>>>>>>>>>> I added them using LAM, because yes: using RSAT I also could not.
>>>>>>>>>>
>>>>>>>>>> (lam: www.ldap-account-manager.org/)
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>
>
>
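Added example, not code from the thread or from Samba: the POSIX ACL check the DC's kernel applies (the order described in acl(5)) when a machine account tries to read GPT.ini, run over an excerpt of the getfacl output quoted above. It assumes ids are compared as the strings getfacl printed (numeric where winbind did not resolve them); the 3000025/3000011 uid/gid pair in the test is constructed for illustration. It shows that an account whose mapped uid and gids appear in none of the entries falls through to `other::---` and gets exactly the permission denied the thread is chasing.

```python
# Added example (not from the thread): evaluate a POSIX ACL as acl(5) describes,
# using the getfacl output posted for the GPO directory. Ids are compared as the
# strings getfacl printed (names where resolvable, numbers otherwise).
GPO_ACL = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
"""  # excerpt of the ACL quoted in the thread; default: entries omitted


def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): set_of_perm_bits})."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            entries[(tag, qual)] = set(perms) - {"-"}
    return owner, group, entries


def can_access(acl_text, user, groups, want):
    """True if user (with its groups) holds every bit in want, e.g. "rx".
    Order per acl(5): owner, named user, owning/named groups (all limited
    by the mask entry), then other."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    want, groups = set(want), set(groups)
    mask = entries.get(("mask", ""), set("rwx"))
    if user == owner:
        return want <= entries[("user", "")]
    if ("user", user) in entries:
        return want <= entries[("user", user)] & mask
    matching = [p & mask for (t, q), p in entries.items()
                if t == "group" and (q in groups or (q == "" and owning_group in groups))]
    if matching:  # some group entry matched: deny unless one grants all bits
        return any(want <= p for p in matching)
    return want <= entries[("other", "")]
```

Feeding it the real getfacl output of each GPO directory under sysvol, with the ids that `id <machine>$` prints on the DC, tells you which mapped ids the ACL actually admits.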