[Samba] Permission denied on GPT.ini (Event ID 1058)

Sébastien Le Ray sebastien-samba at orniz.org
Tue Mar 29 14:58:20 UTC 2016


Company's dns which recurse on AD DC for my.ad.domain subdomain

Regards

On 29/03/2016 16:52, L.P.H. van Belle wrote:
> Ok, where do your PCs get the DNS info from?
> Server : AD-DC + DNS
> Or
> Server : AD-DC
> +
> Some other server with DNS
>
>
> Can you give the output of
> dig NS your.domain.tld
>
> and tell us what that is.
>
>
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
>> Sent: Tuesday 29 March 2016 16:31
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>
>> No firewall configured on DCs
>>
>> telnet dc 88 & 53 works fine (so TCP at least is OK).
>>
>> 53 isn't mandatory since AD zone is a delegation so clients never talk
>> to AD NS directly
>> Regards
>>
>> On 29/03/2016 16:18, L.P.H. van Belle wrote:
>>> I don't read any French but translators work ok. ;-) pfew..
>>>
>>> Ok, any firewalling on the DCs? If so, open TCP and UDP port 88.
>>> Or briefly try without firewalls on the DCs.
>>>
>>> Another option to try is reducing the MaxPacketSize in Windows.
>>>
>>> Looks like a too big packet which is rejected.
>>>
>>> Oh, and the above is also needed on the DNS port 53.
>>> Open TCP and UDP.
>>>
>>> If the UDP packets are too big, TCP is tried.
>>>
>>>
>>> And let us know the result.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Sébastien Le Ray [mailto:sebastien at orniz.org]
>>>> Sent: Tuesday 29 March 2016 16:10
>>>> To: L.P.H. van Belle; samba at lists.samba.org
>>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>>>
>>>> Hi
>>>>
>>>> French windows version
>>>>
>>>> LSA Error
>>>>
>>>> Nom du journal :System
>>>> Source :       LsaSrv
>>>> Date :         29/03/2016 15:49:56
>>>> ID de l'événement :40960
>>>> Catégorie de la tâche :Aucun
>>>> Niveau :       Avertissement
>>>> Mots clés :
>>>> Utilisateur :  Système
>>>> Ordinateur :   computer.domain
>>>> Description :
>>>> Le système de sécurité a détecté une erreur d'authentification pour le
>>>> serveur cifs/domain. Le code de la panne à partir du protocole
>>>> d'authentification Kerberos était "Le nombre maximal de tickets de
>>>> référence a été dépassé.
>>>>     (0xc00002f4)".
>>>> XML de l'événement :
>>>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>>>      <System>
>>>>        <Provider Name="LsaSrv"
>>>> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
>>>>        <EventID>40960</EventID>
>>>>        <Version>0</Version>
>>>>        <Level>3</Level>
>>>>        <Task>0</Task>
>>>>        <Opcode>0</Opcode>
>>>>        <Keywords>0x8000000000000000</Keywords>
>>>>        <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
>>>>        <EventRecordID>8737</EventRecordID>
>>>>        <Correlation />
>>>>        <Execution ProcessID="840" ThreadID="900" />
>>>>        <Channel>System</Channel>
>>>>        <Computer>computer.domain</Computer>
>>>>        <Security UserID="S-1-5-18" />
>>>>      </System>
>>>>      <EventData>
>>>>        <Data Name="Target">cifs/computer.domain</Data>
>>>>        <Data Name="Protocol">Kerberos</Data>
>>>>        <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé.
>>>>     (0xc00002f4)"</Data>
>>>>      </EventData>
>>>> </Event>
>>>>
>>>>
>>>> GPT.ini error
>>>>
>>>> Nom du journal :System
>>>> Source :       LsaSrv
>>>> Date :         29/03/2016 15:49:56
>>>> ID de l'événement :40960
>>>> Catégorie de la tâche :Aucun
>>>> Niveau :       Avertissement
>>>> Mots clés :
>>>> Utilisateur :  Système
>>>> Ordinateur :   computer.domain
>>>> Description :
>>>> Le système de sécurité a détecté une erreur d'authentification pour le
>>>> serveur cifs/domain. Le code de la panne à partir du protocole
>>>> d'authentification Kerberos était "Le nombre maximal de tickets de
>>>> référence a été dépassé.
>>>>     (0xc00002f4)".
>>>> XML de l'événement :
>>>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>>>      <System>
>>>>        <Provider Name="LsaSrv"
>>>> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
>>>>        <EventID>40960</EventID>
>>>>        <Version>0</Version>
>>>>        <Level>3</Level>
>>>>        <Task>0</Task>
>>>>        <Opcode>0</Opcode>
>>>>        <Keywords>0x8000000000000000</Keywords>
>>>>        <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
>>>>        <EventRecordID>8737</EventRecordID>
>>>>        <Correlation />
>>>>        <Execution ProcessID="840" ThreadID="900" />
>>>>        <Channel>System</Channel>
>>>>        <Computer>computer.domain</Computer>
>>>>        <Security UserID="S-1-5-18" />
>>>>      </System>
>>>>      <EventData>
>>>>        <Data Name="Target">cifs/domain</Data>
>>>>        <Data Name="Protocol">Kerberos</Data>
>>>>        <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé.
>>>>     (0xc00002f4)"</Data>
>>>>      </EventData>
>>>> </Event>
>>>>
>>>> root at dc:/var/lib/samba/sysvol/domain/Policies# getfacl \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
>>>> # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
>>>> # owner: root
>>>> # group: 10000
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000002:rwx
>>>> user:3000003:r-x
>>>> user:3000007:rwx
>>>> user:3000008:r-x
>>>> group::rwx
>>>> group:10000:rwx
>>>> group:3000002:rwx
>>>> group:3000003:r-x
>>>> group:3000007:rwx
>>>> group:3000008:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000002:rwx
>>>> default:user:3000003:r-x
>>>> default:user:3000007:rwx
>>>> default:user:3000008:r-x
>>>> default:group::---
>>>> default:group:10000:rwx
>>>> default:group:3000002:rwx
>>>> default:group:3000003:r-x
>>>> default:group:3000007:rwx
>>>> default:group:3000008:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>
>>>> DHCP IP
>>>>
>>>> Regards
>>>>
>>>>
>>>> On 29/03/2016 15:46, L.P.H. van Belle wrote:
>>>>> Complete event id of :
>>>>>> But still, event logs show a warning about kerberos ticket from LsaSrv
>>>>>> source and right after a permission denied on GPT.ini
>>>>> And a getfacl of the problem GPO SID please, i'll check.
>>>>>
>>>>> And an output of ipconfig /all on the problem pc.
>>>>>
>>>>> And question, dedicated IP or dhcp IP?
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
>>>>>> Sent: Tuesday 29 March 2016 15:41
>>>>>> CC: samba
>>>>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>>>>>
>>>>>> LOGONSERVER is the server used to authenticate the currently logged in user,
>>>>>> this does not mean that it is the one from which the machine GPO was fetched
>>>>>> (which seems to be round-robinized, but maybe not)
>>>>>>
>>>>>> Got no more sysvolcheck error, manually fixed those (what a pain)
>>>>>>
>>>>>> But still, event logs show a warning about kerberos ticket from LsaSrv
>>>>>> source and right after a permission denied on GPT.ini
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On 29/03/2016 15:16, mathias dufresne wrote:
>>>>>>> About sysvolreset errors: send them to us. There is (at least) one error
>>>>>>> from sysvolcheck which is not too much important (if I have well understood
>>>>>>> it): ACL is set on FS to Local Admins when it should be Domain admins (or
>>>>>>> the contrary). That one should be a simple warning, or it is and it can
>>>>>>> be ignored (once more: according to my memory).
>>>>>>>
>>>>>>> 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>>>>>>>
>>>>>>>> To see which DC is used by Windows client: open a MSDOS console, type
>>>>>>>> "set", look for LOGONSERVER=\\<your_dc>
>>>>>>>>
>>>>>>>> <your_dc> is the DC used to connect on.
>>>>>>>>
>>>>>>>> If issue comes from one DC I would have on sysvol synchronisation between
>>>>>>>> DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if
>>>>>>>> you have only GPO issue).
>>>>>>>>
>>>>>>>> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> Same here, GPO work without UID/GID on machine account (since issue
>>>>>>>>> "resolves" itself sometime)
>>>>>>>>>
>>>>>>>>> It really seems to depend on which DC is chosen at start.
>>>>>>>>>
>>>>>>>>> One of the affected machines just recovered without any change except a
>>>>>>>>> reboot
>>>>>>>>>
>>>>>>>>> So I guess root issue is the kerberos one "max reference tickets
>>>>>>>>> exceeded" but cannot see why it happens and on which DC
>>>>>>>>>
>>>>>>>>> I noticed this morning that sysvolcheck returns errors that won't be
>>>>>>>>> fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to
>>>>>>>>> have fixed anything
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 29/03/2016 11:57, mathias dufresne wrote:
>>>>>>>>>
>>>>>>>>>> I'm not an expert in idmap (at all in fact :p) but I thought idmap stuff
>>>>>>>>>> was here to replace RFC2307 UID/GID declared into AD/LDAP objects.
>>>>>>>>>> In other words, if you configure idmap correctly into smb.conf I expect
>>>>>>>>>> you don't need to declare UID/GID for machine accounts any more.
>>>>>>>>>>
>>>>>>>>>> Anyway here my machines get access to their GPO: I tested one computer's
>>>>>>>>>> GPO this morning, the one giving the possibility to use userPrincipalName
>>>>>>>>>> without @samba.domain.tld when logging into a computer. That worked so the
>>>>>>>>>> GPO was applied and my machines have no UID/GID nor my smb.conf contains
>>>>>>>>>> anything about idmap:
>>>>>>>>>> ----------------------------------------
>>>>>>>>>> [global]
>>>>>>>>>>              workgroup = SAMBA
>>>>>>>>>>              realm = SAMBA.DOMAIN.TLD
>>>>>>>>>>              netbios name = DC200
>>>>>>>>>>              server role = active directory domain controller
>>>>>>>>>>
>>>>>>>>>>              server services = -dns
>>>>>>>>>>              idmap_ldb:use rfc2307 = yes
>>>>>>>>>>
>>>>>>>>>>              # NOTE: removed as we now use BIND-DLZ DNS backend
>>>>>>>>>>              #dns forwarder = 10.156.32.99
>>>>>>>>>>
>>>>>>>>>>              #kccsrv:samba_kcc=true
>>>>>>>>>>
>>>>>>>>>> [netlogon]
>>>>>>>>>>              path = /var/lib/samba/sysvol/samba.domain.tld/scripts
>>>>>>>>>>              read only = No
>>>>>>>>>>
>>>>>>>>>> [sysvol]
>>>>>>>>>>              path = /var/lib/samba/sysvol
>>>>>>>>>>              read only = No
>>>>>>>>>> ----------------------------------------
>>>>>>>>>>
>>>>>>>>>> But my nsswitch.conf is configured to use winbind:
>>>>>>>>>>       grep win /etc/nsswitch.conf
>>>>>>>>>> passwd:     files winbind
>>>>>>>>>> shadow:     files winbind
>>>>>>>>>> group:      files winbind
>>>>>>>>>>
>>>>>>>>>> And that works:
>>>>>>>>>> For users:
>>>>>>>>>> id administrator
>>>>>>>>>> uid=0(root) gid=0(root) groupes=0(root)
>>>>>>>>>> For computers:
>>>>>>>>>> id dc200$
>>>>>>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
>>>>>>>>>>
>>>>>>>>>> So idmapping seems to be enabled by default as there are no UID/GID
>>>>>>>>>> declared on DC200 computer:
>>>>>>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
>>>>>>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
>>>>>>>>>>
>>>>>>>>>> So I still expect an issue about mapping computer accounts to UNIX/Linux
>>>>>>>>>> local user.
>>>>>>>>>>
>>>>>>>>>> Hoping this helps, cheers,
>>>>>>>>>>
>>>>>>>>>> mathias
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>>>>
>>>>>>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
>>>>>>>>>>> additional option when installing the tools. I believe it is "something
>>>>>>>>>>> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
>>>>>>>>>>> set the uid/gid as well as group memberships for UNIX systems. I have
>>>>>>>>>>> done this on my networks, but I may have forgotten it on this one. I
>>>>>>>>>>> will check. I still have the issue, it is not a "node type" issue.
>>>>>>>>>>> Lead IT/IS Specialist
>>>>>>>>>>> Reach Technology FP, Inc
>>>>>>>>>>>
>>>>>>>>>>> On 03/23/2016 12:01 PM, mj wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> And did you add those IDs to the sysvol share permissions?
>>>>>>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid fields in
>>>>>>>>>>>>> RSAT
>>>>>>>>>>>>>
>>>>>>>>>>>> I added them using LAM, because yes: using RSAT I also could not.
>>>>>>>>>>>> (lam: www.ldap-account-manager.org/)
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>
>>
>
>
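As an added example (not code from the thread or from the Samba project), a small Python parser for the LsaSrv event XML pasted above. It pulls the hex NTSTATUS out of the localized Error string, so the failure can be identified whatever the Windows display language, and flags the 40960 Kerberos warning so it can be correlated with the GPT.ini Event ID 1058 that follows it. The sample event is constructed from the fields shown in the thread; the status name comes from ntstatus.h.

```python
import re
import xml.etree.ElementTree as ET

# Windows event schema namespace, as in the XML pasted in the thread.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on the LsaSrv 40960 event above (not a real capture).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
    <EventID>40960</EventID>
    <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
    <Computer>computer.domain</Computer>
  </System>
  <EventData>
    <Data Name="Target">cifs/domain</Data>
    <Data Name="Protocol">Kerberos</Data>
    <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé.
    (0xc00002f4)"</Data>
  </EventData>
</Event>"""

# NTSTATUS values worth naming here; 0xC00002F4 is the code shown in the thread.
NTSTATUS_NAMES = {0xC00002F4: "STATUS_MAX_REFERRALS_EXCEEDED"}

def parse_event(xml_text):
    # Return the fields a responder needs from one <Event> element.
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.find("e:EventData", NS)}
    # The Error string is localized; the hex NTSTATUS embedded in it is not.
    match = re.search(r"0x([0-9A-Fa-f]{8})", data.get("Error", ""))
    status = int(match.group(1), 16) if match else None
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "target": data.get("Target"),
        "protocol": data.get("Protocol"),
        "status": status,
        "status_name": NTSTATUS_NAMES.get(status, "unknown"),
    }

def is_kerberos_auth_failure(event):
    # The LsaSrv 40960 Kerberos warning that precedes the GPT.ini 1058 error.
    return (event["provider"] == "LsaSrv" and event["event_id"] == 40960
            and event["protocol"] == "Kerberos")
```

Feed it each `<Event>` block exported from the System log and group the flagged entries by computer and time to see which DC the failing client was talking to.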



