[Samba] Permission denied on GPT.ini (Event ID 1058)

L.P.H. van Belle belle at bazuin.nl
Tue Mar 29 14:52:45 UTC 2016


Ok, where do your PCs get the DNS info from? 
Server : AD-DC + DNS 
Or 
Server : AD-DC 
+
Some other server with DNS 


Can you give the output of 
dig NS your.domain.tld 

and tell us what that is. 



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
> Sent: Tuesday 29 March 2016 16:31
> To: samba at lists.samba.org
> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> 
> No firewall configured on DCs
> 
> telnet dc 88 & 53 works fine (so TCP at least is OK).
> 
> 53 isn't mandatory since the AD zone is a delegation, so clients never talk
> to the AD NS directly.
> Regards
> 
> On 29/03/2016 16:18, L.P.H. van Belle wrote:
> > I don't read any French but translators work ok. ;-) phew..
> >
> > Ok, any firewalling on the DCs?  If so, open TCP and UDP port 88.
> > Or try briefly without firewalls on the DCs.
> >
> > Another option to try is reducing MaxPacketSize in Windows.
> >
> > Looks like a too-big packet which is rejected.
> >
> > Oh, and the above is also needed on DNS port 53.
> > Open TCP and UDP.
> >
> > If the UDP packets are too big, TCP is tried.
> >
> >
> > And let us know the result.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original Message-----
> >> From: Sébastien Le Ray [mailto:sebastien at orniz.org]
> >> Sent: Tuesday 29 March 2016 16:10
> >> To: L.P.H. van Belle; samba at lists.samba.org
> >> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>
> >> Hi
> >>
> >> French Windows version
> >>
> >> LSA Error
> >>
> >> Log Name:      System
> >> Source:        LsaSrv
> >> Date:          29/03/2016 15:49:56
> >> Event ID:      40960
> >> Task Category: None
> >> Level:         Warning
> >> Keywords:
> >> User:          System
> >> Computer:      computer.domain
> >> Description:
> >> The security system detected an authentication error for the server
> >> cifs/domain. The failure code from the Kerberos authentication protocol
> >> was "The maximum number of referral tickets has been exceeded.
> >>    (0xc00002f4)".
> >> Event XML:
> >> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >>     <System>
> >>       <Provider Name="LsaSrv"
> >> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >>       <EventID>40960</EventID>
> >>       <Version>0</Version>
> >>       <Level>3</Level>
> >>       <Task>0</Task>
> >>       <Opcode>0</Opcode>
> >>       <Keywords>0x8000000000000000</Keywords>
> >>       <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >>       <EventRecordID>8737</EventRecordID>
> >>       <Correlation />
> >>       <Execution ProcessID="840" ThreadID="900" />
> >>       <Channel>System</Channel>
> >>       <Computer>computer.domain</Computer>
> >>       <Security UserID="S-1-5-18" />
> >>     </System>
> >>     <EventData>
> >>       <Data Name="Target">cifs/computer.domain</Data>
> >>       <Data Name="Protocol">Kerberos</Data>
> >>       <Data Name="Error">"The maximum number of referral tickets has been
> >> exceeded.
> >>    (0xc00002f4)"</Data>
> >>     </EventData>
> >> </Event>
> >>
> >>
> >> GPT.ini error
> >>
> >> Log Name:      System
> >> Source:        LsaSrv
> >> Date:          29/03/2016 15:49:56
> >> Event ID:      40960
> >> Task Category: None
> >> Level:         Warning
> >> Keywords:
> >> User:          System
> >> Computer:      computer.domain
> >> Description:
> >> The security system detected an authentication error for the server
> >> cifs/domain. The failure code from the Kerberos authentication protocol
> >> was "The maximum number of referral tickets has been exceeded.
> >>    (0xc00002f4)".
> >> Event XML:
> >> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >>     <System>
> >>       <Provider Name="LsaSrv"
> >> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >>       <EventID>40960</EventID>
> >>       <Version>0</Version>
> >>       <Level>3</Level>
> >>       <Task>0</Task>
> >>       <Opcode>0</Opcode>
> >>       <Keywords>0x8000000000000000</Keywords>
> >>       <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >>       <EventRecordID>8737</EventRecordID>
> >>       <Correlation />
> >>       <Execution ProcessID="840" ThreadID="900" />
> >>       <Channel>System</Channel>
> >>       <Computer>computer.domain</Computer>
> >>       <Security UserID="S-1-5-18" />
> >>     </System>
> >>     <EventData>
> >>       <Data Name="Target">cifs/domain</Data>
> >>       <Data Name="Protocol">Kerberos</Data>
> >>       <Data Name="Error">"The maximum number of referral tickets has been
> >> exceeded.
> >>    (0xc00002f4)"</Data>
> >>     </EventData>
> >> </Event>
> >>
> >> root at dc:/var/lib/samba/sysvol/domain/Policies# getfacl
> >> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
> >> # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
> >> # owner: root
> >> # group: 10000
> >> user::rwx
> >> user:root:rwx
> >> user:3000002:rwx
> >> user:3000003:r-x
> >> user:3000007:rwx
> >> user:3000008:r-x
> >> group::rwx
> >> group:10000:rwx
> >> group:3000002:rwx
> >> group:3000003:r-x
> >> group:3000007:rwx
> >> group:3000008:r-x
> >> mask::rwx
> >> other::---
> >> default:user::rwx
> >> default:user:root:rwx
> >> default:user:3000002:rwx
> >> default:user:3000003:r-x
> >> default:user:3000007:rwx
> >> default:user:3000008:r-x
> >> default:group::---
> >> default:group:10000:rwx
> >> default:group:3000002:rwx
> >> default:group:3000003:r-x
> >> default:group:3000007:rwx
> >> default:group:3000008:r-x
> >> default:mask::rwx
> >> default:other::---
> >>
> >>
> >> DHCP IP
> >>
> >> Regards
> >>
> >>
> >> On 29/03/2016 15:46, L.P.H. van Belle wrote:
> >>> Complete event id of :
> >>>> But still, the event log shows a warning about a Kerberos ticket from
> >>>> the LsaSrv source and right after a permission denied on GPT.ini
> >>> And a getfacl of the problem GPO SID please, I'll check.
> >>>
> >>> And an output of ipconfig /all on the problem pc.
> >>>
> >>> And question, dedicated IP or DHCP IP?
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
> >>>> Sent: Tuesday 29 March 2016 15:41
> >>>> CC: samba
> >>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>>>
> >>>> LOGONSERVER is the server used to authenticate the currently logged-in
> >>>> user; this does not mean that it is the one from which the machine GPO
> >>>> was fetched (which seems to be round-robinized, but maybe not).
> >>>>
> >>>> Got no more sysvolcheck errors, manually fixed those (what a pain).
> >>>>
> >>>> But still, the event log shows a warning about a Kerberos ticket from
> >>>> the LsaSrv source and right after a permission denied on GPT.ini.
> >>>>
> >>>> Regards
> >>>>
> >>>> On 29/03/2016 15:16, mathias dufresne wrote:
> >>>>> About sysvolreset errors: send them to us. There is (at least) one
> >>>>> error from sysvolcheck which is not too important (if I have
> >>>>> understood it well): ACL is set on FS to Local Admins when it should
> >>>>> be Domain Admins (or the contrary). That one should be a simple
> >>>>> warning, or it is and it can be ignored (once more: according to my
> >>>>> memory).
> >>>>>
> >>>>> 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> >>>>>
> >>>>>> To see which DC is used by the Windows client: open an MSDOS console,
> >>>>>> type "set", look for LOGONSERVER=\\<your_dc>
> >>>>>>
> >>>>>> <your_dc> is the DC used to connect on.
> >>>>>>
> >>>>>> If the issue comes from one DC I would look at sysvol synchronisation
> >>>>>> between DCs, ACLs on all sysvol, DNS entries (but I don't think
> >>>>>> that's a DNS issue if you have only a GPO issue).
> >>>>>>
> >>>>>> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
> >>>>>>> Hi
> >>>>>>>
> >>>>>>> Same here, GPOs work without UID/GID on the machine account (since
> >>>>>>> the issue "resolves" itself sometimes).
> >>>>>>>
> >>>>>>> It really seems to depend on which DC is chosen at start.
> >>>>>>>
> >>>>>>> One of the affected machines just recovered without any change
> >>>>>>> except a reboot.
> >>>>>>>
> >>>>>>> So I guess the root issue is the Kerberos one, "max reference tickets
> >>>>>>> exceeded", but I cannot see why it happens and on which DC.
> >>>>>>>
> >>>>>>> I noticed this morning that sysvolcheck returns errors that won't be
> >>>>>>> fixed by sysvolreset (!), I manually fixed the ntacl but this does
> >>>>>>> not seem to have fixed anything.
> >>>>>>>
> >>>>>>> Regards
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On 29/03/2016 11:57, mathias dufresne wrote:
> >>>>>>>
> >>>>>>>> I'm not an expert in idmap (at all in fact :p) but I thought the idmap
> >>>>>>>> stuff was there to replace the RFC2307 UID/GID declared in AD/LDAP
> >>>>>>>> objects.
> >>>>>>>> In other words, if you configure idmap correctly in smb.conf I
> >>>>>>>> expect you no longer need to declare a UID/GID for machine accounts.
> >>>>>>>>
> >>>>>>>> Anyway here my machines get access to their GPO: I tested one
> >>>>>>>> computer's GPO this morning, the one giving the possibility to use
> >>>>>>>> userPrincipalName without @samba.domain.tld when logging into a
> >>>>>>>> computer. That worked so the GPO was applied, and my machines have
> >>>>>>>> no UID/GID nor does my smb.conf contain anything about idmap:
> >>>>>>>> ----------------------------------------
> >>>>>>>> [global]
> >>>>>>>>             workgroup = SAMBA
> >>>>>>>>             realm = SAMBA.DOMAIN.TLD
> >>>>>>>>             netbios name = DC200
> >>>>>>>>             server role = active directory domain controller
> >>>>>>>>
> >>>>>>>>             server services = -dns
> >>>>>>>>             idmap_ldb:use rfc2307 = yes
> >>>>>>>>
> >>>>>>>>             # NOTE: removed as we now use BIND-DLZ DNS backend
> >>>>>>>>             #dns forwarder = 10.156.32.99
> >>>>>>>>
> >>>>>>>>             #kccsrv:samba_kcc=true
> >>>>>>>>
> >>>>>>>> [netlogon]
> >>>>>>>>             path = /var/lib/samba/sysvol/samba.domain.tld/scripts
> >>>>>>>>             read only = No
> >>>>>>>>
> >>>>>>>> [sysvol]
> >>>>>>>>             path = /var/lib/samba/sysvol
> >>>>>>>>             read only = No
> >>>>>>>> ----------------------------------------
> >>>>>>>>
> >>>>>>>> But my nsswitch.conf is configured to use winbind:
> >>>>>>>>      grep win /etc/nsswitch.conf
> >>>>>>>> passwd:     files winbind
> >>>>>>>> shadow:     files winbind
> >>>>>>>> group:      files winbind
> >>>>>>>>
> >>>>>>>> And that works:
> >>>>>>>> For users:
> >>>>>>>> id administrator
> >>>>>>>> uid=0(root) gid=0(root) groupes=0(root)
> >>>>>>>> For computers:
> >>>>>>>> id dc200$
> >>>>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
> >>>>>>>> groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
> >>>>>>>>
> >>>>>>>> So idmapping seems to be enabled by default as there are no UID/GID
> >>>>>>>> declared on the DC200 computer:
> >>>>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
> >>>>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
> >>>>>>>>
> >>>>>>>> So I still expect an issue about mapping computer accounts to
> >>>>>>>> UNIX/Linux local users.
> >>>>>>>>
> >>>>>>>> Hoping this helps, cheers,
> >>>>>>>>
> >>>>>>>> mathias
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
> >>>>>>>>
> >>>>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
> >>>>>>>>> additional option when installing the tools. I believe it is
> >>>>>>>>> "something for NIS attributes". This adds the "UNIX" tab to ADUC
> >>>>>>>>> and allows you to set the uid/gid as well as group memberships for
> >>>>>>>>> UNIX systems. I have done this on my networks, but I may have
> >>>>>>>>> forgotten it on this one. I will check. I still have the issue, it
> >>>>>>>>> is not a "node type" issue.
> >>>>>>>>>
> >>>>>>>>> Lead IT/IS Specialist
> >>>>>>>>> Reach Technology FP, Inc
> >>>>>>>>>
> >>>>>>>>> On 03/23/2016 12:01 PM, mj wrote:
> >>>>>>>>>
> >>>>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
> >>>>>>>>>>
> >>>>>>>>>>> And did you add those IDs to the sysvol share permissions?
> >>>>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid
> >>>>>>>>>>> fields in RSAT
> >>>>>>>>>>>
> >>>>>>>>>> I added them using LAM, because yes: using RSAT I also could not.
> >>>>>>>>>>
> >>>>>>>>>> (lam: www.ldap-account-manager.org/)
> >>>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>>>>>
> >>>>>>>>>
> >>>
> >
> >
> 
> 
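The two LsaSrv 40960 events pasted in the thread are Windows Event XML. As an added example for this thread (not code from the thread, from Samba or from Microsoft), the Python below parses such an event with the standard library, pulls out the target SPN and the NTSTATUS code hidden in the Error text, and flags it as a Kerberos authentication failure. The sample event is the first one from the thread with its message text translated; the NTSTATUS name table holds only the one code seen here (0xC00002F4 is STATUS_MAX_REFERRALS_EXCEEDED in ntstatus.h), and the function names are my own.

```python
"""Parse Windows Event XML (LsaSrv 40960) and flag Kerberos failures by NTSTATUS.

Added example for this mailing-list thread; not Samba code.
"""
import re
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
NTSTATUS_RE = re.compile(r"0x[0-9a-fA-F]{8}")

# Only the code that appears in the thread; name taken from ntstatus.h.
NTSTATUS_NAMES = {
    0xC00002F4: "STATUS_MAX_REFERRALS_EXCEEDED",
}

# Constructed sample: the first LsaSrv event from the thread, message translated.
SAMPLE_EVENT_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
      <EventID>40960</EventID>
      <Version>0</Version>
      <Level>3</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
      <EventRecordID>8737</EventRecordID>
      <Correlation />
      <Execution ProcessID="840" ThreadID="900" />
      <Channel>System</Channel>
      <Computer>computer.domain</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data Name="Target">cifs/computer.domain</Data>
      <Data Name="Protocol">Kerberos</Data>
      <Data Name="Error">"The maximum number of referral tickets has been
exceeded.
   (0xc00002f4)"</Data>
    </EventData>
</Event>
"""


def parse_event(xml_text):
    """Return the fields of one <Event> element as a flat dict."""
    root = ET.fromstring(xml_text)
    if root.tag != EVENT_NS + "Event":
        raise ValueError("not a Windows Event XML document: " + root.tag)
    system = root.find(EVENT_NS + "System")
    ev = {
        "provider": system.find(EVENT_NS + "Provider").get("Name"),
        "event_id": int(system.findtext(EVENT_NS + "EventID")),
        "level": int(system.findtext(EVENT_NS + "Level")),
        "time": system.find(EVENT_NS + "TimeCreated").get("SystemTime"),
        "record_id": int(system.findtext(EVENT_NS + "EventRecordID")),
        "computer": system.findtext(EVENT_NS + "Computer"),
        "user_sid": system.find(EVENT_NS + "Security").get("UserID"),
        "data": {},
    }
    for data in root.iter(EVENT_NS + "Data"):
        # Collapse the line breaks the event viewer inserts into message text.
        ev["data"][data.get("Name")] = " ".join((data.text or "").split())
    return ev


def ntstatus_of(ev):
    """Extract the NTSTATUS code quoted in the Error field, or None."""
    m = NTSTATUS_RE.search(ev["data"].get("Error", ""))
    return int(m.group(0), 16) if m else None


def triage(xml_events):
    """Classify each event; LsaSrv 40960 with Protocol=Kerberos is a Kerberos failure."""
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        code = ntstatus_of(ev)
        is_krb_failure = (
            ev["provider"] == "LsaSrv"
            and ev["event_id"] == 40960
            and ev["data"].get("Protocol") == "Kerberos"
        )
        findings.append({
            "record_id": ev["record_id"],
            "computer": ev["computer"],
            "target_spn": ev["data"].get("Target"),
            "ntstatus": code,
            "ntstatus_name": None if code is None else NTSTATUS_NAMES.get(code, "UNKNOWN"),
            "kerberos_failure": is_krb_failure,
        })
    return findings


if __name__ == "__main__":
    for finding in triage([SAMPLE_EVENT_XML]):
        print(finding)
```

Events exported with `wevtutil qe System /f:xml` arrive as one `<Event>` element each, so pass them to triage() one string at a time; the target SPN (cifs/...) tells you which server the client was asking a ticket for, which is the first thing to compare against the DC it actually picked.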
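The getfacl listing of the GPO directory and the `id dc200$` output above contain everything needed to decide whether a machine account can traverse that directory, but the mask and the group-class rule make the answer hard to read by eye. The following Python is an added example (not code from the thread or from Samba) that parses both outputs and applies the access-check order from acl(5): owner entry, then named user, then owning and named group entries, each clipped by the mask, then other. The sample inputs are copied from the thread with the default entries abbreviated; the name-to-uid table (root is 0) and the function names are my assumptions. It goes one step beyond the thread's case by also showing how a restrictive mask clips a named-user entry.

```python
"""Effective POSIX ACL access from getfacl output and `id` output.

Added example for this mailing-list thread; not Samba code.
"""
import re

R, W, X = 4, 2, 1
PERM_BITS = {"r": R, "w": W, "x": X, "-": 0}

# getfacl output copied from the thread (default entries abbreviated).
SAMPLE_GETFACL = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---
"""

# `id dc200$` output copied from the thread (French locale prints "groupes=").
SAMPLE_ID = (r"uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) "
             r"groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),"
             r"3000002(AD.DGFIP\denied rodc password replication group)")

# Assumption: names that getfacl prints instead of numbers, resolved by hand here.
NAME_TO_ID = {"root": 0}


def perm_bits(perms):
    bits = 0
    for ch in perms:
        if ch not in PERM_BITS:
            raise ValueError("bad permission string: " + perms)
        bits |= PERM_BITS[ch]
    return bits


def resolve(qualifier):
    return int(qualifier) if qualifier.isdigit() else NAME_TO_ID[qualifier]


def parse_getfacl(text):
    """Parse getfacl output into the access ACL; default: entries are skipped."""
    acl = {"users": {}, "groups": {}, "mask": None}
    for raw in text.splitlines():
        fields = raw.split()                      # also drops "#effective:" annotations
        if not fields:
            continue
        if raw.startswith("#"):                   # "# owner: root" header lines
            key, _, value = raw[1:].partition(":")
            acl[key.strip()] = value.strip()
            continue
        if fields[0].startswith("default:"):      # only shapes newly created children
            continue
        tag, qualifier, perms = fields[0].split(":")
        bits = perm_bits(perms)
        if tag in ("user", "group") and qualifier:
            acl[tag + "s"][resolve(qualifier)] = bits
        elif tag in ("user", "group"):
            acl[tag + "_obj"] = bits
        elif tag in ("mask", "other"):
            acl[tag] = bits
        else:
            raise ValueError("unknown ACL tag: " + tag)
    acl["owner_id"], acl["group_id"] = resolve(acl["owner"]), resolve(acl["group"])
    return acl


def parse_id_output(text):
    """Return (uid, set of gids) from `id` output; tolerates localized 'groupes='."""
    uid = int(re.search(r"uid=(\d+)", text).group(1))
    gids = {int(re.search(r"gid=(\d+)", text).group(1))}
    m = re.search(r"(?:groups|groupes)=(.*)$", text)
    if m:
        gids.update(int(g) for g in re.findall(r"(\d+)\(", m.group(1)))
    return uid, gids


def effective_access(acl, uid, gids, want):
    """Return (granted, matched_entry) for the requested permission bits, per acl(5)."""
    mask = 7 if acl["mask"] is None else acl["mask"]
    if uid == acl["owner_id"]:                    # ACL_USER_OBJ is not masked
        return (acl["user_obj"] & want) == want, "owner"
    if uid in acl["users"]:                       # ACL_USER, clipped by the mask
        return (acl["users"][uid] & mask & want) == want, f"user:{uid}"
    matched = []
    if acl["group_id"] in gids:
        matched.append(("group::", acl["group_obj"]))
    for gid in sorted(gids):
        if gid in acl["groups"]:
            matched.append((f"group:{gid}", acl["groups"][gid]))
    if matched:                                   # any matching group entry may grant
        for label, bits in matched:
            if (bits & mask & want) == want:
                return True, label
        return False, ",".join(label for label, _ in matched)
    return (acl["other"] & want) == want, "other"


def can_read_gpo_dir(getfacl_text, id_text):
    """Can the account from `id` list and traverse the GPO directory (r-x)?"""
    uid, gids = parse_id_output(id_text)
    return effective_access(parse_getfacl(getfacl_text), uid, gids, R | X)
```

Traversal of the Policies/{GUID} directory is only half of the check: GPT.ini inside it carries its own ACL, so run the same evaluation on the file's getfacl output, and run `id` for the machine account on the DC that the client actually picked, since the thread shows the mapping coming from winbind rather than from attributes on the object.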