[Samba] Permission denied on GPT.ini (Event ID 1058)

L.P.H. van Belle belle at bazuin.nl
Wed Mar 30 10:01:21 UTC 2016


I found this one. 
Check which one works for you.

http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm 

I'm sure this is not a samba configuration problem. 


Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Tuesday 29 March 2016 16:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> 
> I don't read any French but translators work ok. ;-) phew..
> 
> Ok, any firewalling on the DCs? If so, open TCP and UDP port 88.
> Or try briefly without firewalls on the DCs.
> 
> Another option to try is reducing the MaxPacketSize in Windows.
> 
> Looks like a too big packet which is rejected.
> 
> Oh, and the above is also needed for DNS port 53.
> Open TCP and UDP.
> 
> If the UDP packets are too big, TCP is tried.
> 
> 
> And let us know the result.
> 
> Greetz,
> 
> Louis
> 
> 
> 
> > -----Original message-----
> > From: Sébastien Le Ray [mailto:sebastien at orniz.org]
> > Sent: Tuesday 29 March 2016 16:10
> > To: L.P.H. van Belle; samba at lists.samba.org
> > Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >
> > Hi
> >
> > French windows version
> >
> > LSA Error
> >
> > Nom du journal :System
> > Source :       LsaSrv
> > Date :         29/03/2016 15:49:56
> > ID de l'événement :40960
> > Catégorie de la tâche :Aucun
> > Niveau :       Avertissement
> > Mots clés :
> > Utilisateur :  Système
> > Ordinateur :   computer.domain
> > Description :
> > Le système de sécurité a détecté une erreur d'authentification pour le
> > serveur cifs/domain. Le code de la panne à partir du protocole
> > d'authentification Kerberos était "Le nombre maximal de tickets de
> > référence a été dépassé.
> >   (0xc00002f4)".
> > XML de l'événement :
> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >    <System>
> >      <Provider Name="LsaSrv"
> > Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >      <EventID>40960</EventID>
> >      <Version>0</Version>
> >      <Level>3</Level>
> >      <Task>0</Task>
> >      <Opcode>0</Opcode>
> >      <Keywords>0x8000000000000000</Keywords>
> >      <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >      <EventRecordID>8737</EventRecordID>
> >      <Correlation />
> >      <Execution ProcessID="840" ThreadID="900" />
> >      <Channel>System</Channel>
> >      <Computer>computer.domain</Computer>
> >      <Security UserID="S-1-5-18" />
> >    </System>
> >    <EventData>
> >      <Data Name="Target">cifs/computer.domain</Data>
> >      <Data Name="Protocol">Kerberos</Data>
> >      <Data Name="Error">"Le nombre maximal de tickets de référence a été
> > dépassé.
> >   (0xc00002f4)"</Data>
> >    </EventData>
> > </Event>
> >
> >
> > GPT.ini error
> >
> > Nom du journal :System
> > Source :       LsaSrv
> > Date :         29/03/2016 15:49:56
> > ID de l'événement :40960
> > Catégorie de la tâche :Aucun
> > Niveau :       Avertissement
> > Mots clés :
> > Utilisateur :  Système
> > Ordinateur :   computer.domain
> > Description :
> > Le système de sécurité a détecté une erreur d'authentification pour le
> > serveur cifs/domain. Le code de la panne à partir du protocole
> > d'authentification Kerberos était "Le nombre maximal de tickets de
> > référence a été dépassé.
> >   (0xc00002f4)".
> > XML de l'événement :
> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >    <System>
> >      <Provider Name="LsaSrv"
> > Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >      <EventID>40960</EventID>
> >      <Version>0</Version>
> >      <Level>3</Level>
> >      <Task>0</Task>
> >      <Opcode>0</Opcode>
> >      <Keywords>0x8000000000000000</Keywords>
> >      <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >      <EventRecordID>8737</EventRecordID>
> >      <Correlation />
> >      <Execution ProcessID="840" ThreadID="900" />
> >      <Channel>System</Channel>
> >      <Computer>computer.domain</Computer>
> >      <Security UserID="S-1-5-18" />
> >    </System>
> >    <EventData>
> >      <Data Name="Target">cifs/domain</Data>
> >      <Data Name="Protocol">Kerberos</Data>
> >      <Data Name="Error">"Le nombre maximal de tickets de référence a été
> > dépassé.
> >   (0xc00002f4)"</Data>
> >    </EventData>
> > </Event>
> >
> > root at dc:/var/lib/samba/sysvol/domain/Policies# getfacl
> > \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
> > # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
> > # owner: root
> > # group: 10000
> > user::rwx
> > user:root:rwx
> > user:3000002:rwx
> > user:3000003:r-x
> > user:3000007:rwx
> > user:3000008:r-x
> > group::rwx
> > group:10000:rwx
> > group:3000002:rwx
> > group:3000003:r-x
> > group:3000007:rwx
> > group:3000008:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:user:3000007:rwx
> > default:user:3000008:r-x
> > default:group::---
> > default:group:10000:rwx
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:group:3000007:rwx
> > default:group:3000008:r-x
> > default:mask::rwx
> > default:other::---
> >
> >
> > DHCP IP
> >
> > Regards
> >
> >
> > On 29/03/2016 15:46, L.P.H. van Belle wrote:
> > > Complete event id of :
> > >> But still, the event log shows a warning about kerberos ticket from LsaSrv
> > >> source and right after a permission denied on GPT.ini
> > > And a getfacl of the problem GPO SID please, I'll check.
> > >
> > > And an output of ipconfig /all on the problem pc.
> > >
> > > And question, dedicated IP or dhcp IP?
> > >
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >
> > >
> > >
> > >
> > >> -----Original message-----
> > >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
> > >> Sent: Tuesday 29 March 2016 15:41
> > >> CC: samba
> > >> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> > >>
> > >> LOGONSERVER is the server used to authenticate the currently logged in user,
> > >> this does not mean that it is the one from which the machine GPO was fetched
> > >> (which seems to be round-robinized, but maybe not)
> > >>
> > >> Got no more sysvolcheck error, manually fixed those (what a pain)
> > >>
> > >> But still, the event log shows a warning about kerberos ticket from LsaSrv
> > >> source and right after a permission denied on GPT.ini
> > >>
> > >> Regards
> > >>
> > >> On 29/03/2016 15:16, mathias dufresne wrote:
> > >>> About sysvolreset errors: send them to us. There is (at least) one error
> > >>> from sysvolcheck which is not too important (if I have understood it
> > >>> well): ACL is set on FS to Local Admins when it should be Domain Admins
> > >>> (or the contrary). That one should be a simple warning, or it is and it
> > >>> can be ignored (once more: according to my memory).
> > >>>
> > >>> 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> > >>>
> > >>>> To see which DC is used by a Windows client: open an MSDOS console, type
> > >>>> "set", look for LOGONSERVER=\\<your_dc>
> > >>>>
> > >>>> <your_dc> is the DC used to connect on.
> > >>>>
> > >>>> If issue comes from one DC I would have on sysvol synchronisation between
> > >>>> DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if
> > >>>> you have only GPO issue).
> > >>>>
> > >>>> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
> > >>>>> Hi
> > >>>>>
> > >>>>> Same here, GPOs work without UID/GID on machine account (since the issue
> > >>>>> "resolves" itself sometimes)
> > >>>>>
> > >>>>> It really seems to depend on which DC is chosen at start.
> > >>>>>
> > >>>>> One of the affected machines just recovered without any change except a
> > >>>>> reboot
> > >>>>>
> > >>>>> So I guess the root issue is the kerberos one "max reference tickets
> > >>>>> exceeded" but cannot see why it happens and on which DC
> > >>>>>
> > >>>>> I noticed this morning that sysvolcheck returns errors that won't be
> > >>>>> fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to
> > >>>>> have fixed anything
> > >>>>>
> > >>>>> Regards
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> On 29/03/2016 11:57, mathias dufresne wrote:
> > >>>>>
> > >>>>>> I'm not an expert in idmap (at all in fact :p) but I thought idmap stuff
> > >>>>>> was here to replace RFC2307 UID/GID declared into AD/LDAP objects.
> > >>>>>> In other words, if you configure idmap correctly in smb.conf I expect
> > >>>>>> you no longer need to declare UID/GID for machine accounts.
> > >>>>>>
> > >>>>>> Anyway here my machines get access to their GPO: I tested one computer's
> > >>>>>> GPO this morning, the one giving the possibility to use userPrincipalName
> > >>>>>> without @samba.domain.tld when logging into a computer. That worked so the
> > >>>>>> GPO was applied and my machines have no UID/GID nor does my smb.conf
> > >>>>>> contain anything about idmap:
> > >>>>>> ----------------------------------------
> > >>>>>> [global]
> > >>>>>>            workgroup = SAMBA
> > >>>>>>            realm = SAMBA.DOMAIN.TLD
> > >>>>>>            netbios name = DC200
> > >>>>>>            server role = active directory domain controller
> > >>>>>>
> > >>>>>>            server services = -dns
> > >>>>>>            idmap_ldb:use rfc2307 = yes
> > >>>>>>
> > >>>>>>            # NOTE: removed as we now use BIND-DLZ DNS backend
> > >>>>>>            #dns forwarder = 10.156.32.99
> > >>>>>>
> > >>>>>>            #kccsrv:samba_kcc=true
> > >>>>>>
> > >>>>>> [netlogon]
> > >>>>>>            path = /var/lib/samba/sysvol/samba.domain.tld/scripts
> > >>>>>>            read only = No
> > >>>>>>
> > >>>>>> [sysvol]
> > >>>>>>            path = /var/lib/samba/sysvol
> > >>>>>>            read only = No
> > >>>>>> ----------------------------------------
> > >>>>>>
> > >>>>>> But my nsswitch.conf is configured to use winbind:
> > >>>>>>     grep win /etc/nsswitch.conf
> > >>>>>> passwd:     files winbind
> > >>>>>> shadow:     files winbind
> > >>>>>> group:      files winbind
> > >>>>>>
> > >>>>>> And that works:
> > >>>>>> For users:
> > >>>>>> id administrator
> > >>>>>> uid=0(root) gid=0(root) groupes=0(root)
> > >>>>>> For computers:
> > >>>>>> id dc200$
> > >>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
> > >>>>>> groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
> > >>>>>>
> > >>>>>> So idmapping seems to be enabled by default as there are no UID/GID
> > >>>>>> declared on DC200 computer:
> > >>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
> > >>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
> > >>>>>>
> > >>>>>> So I still expect an issue about mapping computer accounts to UNIX/Linux
> > >>>>>> local user.
> > >>>>>>
> > >>>>>> Hoping this helps, cheers,
> > >>>>>>
> > >>>>>> mathias
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
> > >>>>>>
> > >>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
> > >>>>>>> additional option when installing the tools. I believe it is "something
> > >>>>>>> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
> > >>>>>>> set the uid/gid as well as group memberships for UNIX systems. I have
> > >>>>>>> done this on my networks, but I may have forgotten it on this one. I
> > >>>>>>> will check. I still have the issue, it is not a "node type" issue.
> > >>>>>>>
> > >>>>>>> Lead IT/IS Specialist
> > >>>>>>> Reach Technology FP, Inc
> > >>>>>>>
> > >>>>>>> On 03/23/2016 12:01 PM, mj wrote:
> > >>>>>>>
> > >>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
> > >>>>>>>>
> > >>>>>>>>> And did you add those IDs to the sysvol share permissions?
> > >>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid fields in
> > >>>>>>>>> RSAT
> > >>>>>>>>>
> > >>>>>>>> I added them using LAM, because yes: using RSAT I also could not.
> > >>>>>>>>
> > >>>>>>>> (lam: www.ldap-account-manager.org/)
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>> To unsubscribe from this list go to the following URL and read the
> > >>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
> > >>>>>>>
> > >>>>>>>
> > >>
> > >
> > >
> 
> 
> 




