Dmitry Khromov
2012-Oct-29 23:08 UTC
[Samba] Unable to create GPO with rc3 and a few authentication problems
Hello.

I have encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them all together, since they look related.

1. Unable to create or delete GPOs.

  # bin/samba-tool gpo create somegpo
  ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
    File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
      return self.run(*args, **kwargs)
    File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
      self.samdb.add(m)

I'm not sure if this is a schema or an authentication problem. Could someone suggest how that should be investigated?

2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry for duplicating, but this is updated).
It looks like this on debug level = 5:

  [2012/10/30 02:23:38, 1] ../source4/dns_server/dns_server.c:150(dns_process_send)
    Failed to verify TSIG!

Hosts are Windows XP, Windows 7, Samba 3 on Linux. Some do update successfully, some can succeed some time (say, 5 hours) later, or may still fail. This is weird.
I should mention that we had some problem with the Windows 2k3 demotion - during the process it rewrote the SOA on the (at that moment, only) Samba DC and put its own hostname in the SOA's "primary NS" field. We had to fix that manually by replacing the SOA record in the corresponding LDB.
Maybe we had just missed something? Any ideas on what's wrong?

3. Some hosts may suddenly reject valid tickets for RPC calls.
Somewhat like the previous one. For example, on some non-DC host I do:

  $ kinit
  $ # Got a ticket for some admin user, btw MIT is used here
  $ net rpc shutdown -S somehost -f -k    # Samba 3's "net" command

It may succeed for some hosts, but fail with NT_LOGON_FAILURE a few hours later, before the ticket expires (and DCs still accept this ticket for e.g. samba-tool drs showrepl). Or it may later succeed for a host it was failing for. Renewing the ticket doesn't change anything.
So, something strange for me, too. I have tried to reset some machine accounts and to rejoin some hosts. No luck.

4. Unrelated to the previous ones. Well, I'm sorry, I haven't read the source to see if this is supposed to happen. But I'd better say it before I forget, just in case.
Try to rename some host using the Windows GUI (My Computer -> Properties) and check if CN, sAMAccountName and member of the corresponding groups are changed correctly. In my experience, only sAMAccountName is changed.
Once again, sorry if this is OK.

Thanks in advance.

-- 
Best regards,
Dmitry Khromov
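Point 4 above asks for a manual check of which attributes a GUI rename actually touches. The following is an added example, not code from the thread or from the Samba project: a small Python consistency check that takes a computer object and its groups as attribute -> list-of-values dicts (the shape you get after parsing ldbsearch/LDIF output; fetching and parsing that output is assumed and not shown) and reports everything that still carries the old host name. Besides the cn, sAMAccountName and group member values named in the post, it also checks dNSHostName, the object's own RDN and HOST/ SPNs, on the assumption that a complete rename updates those as well. The sample objects (WS01 renamed to WS02 in example.com) are constructed, not taken from any real directory.

```python
"""Check a computer account for leftovers of its old name after a host rename.

Input objects are dicts of attribute -> list of values, as produced by
parsing ldbsearch/LDIF output (parsing itself is not part of this example).
"""


def check_computer_rename(computer, groups, old_name, new_name, domain):
    """Return a list of findings; an empty list means the rename looks complete.

    computer: the computer object (needs dn, cn, sAMAccountName, dNSHostName,
              servicePrincipalName).
    groups:   list of group objects (dn, member) the computer belongs to.
    """
    findings = []
    new_acct = new_name + "$"
    new_fqdn = "%s.%s" % (new_name.lower(), domain.lower())
    old_rdn = ("CN=" + old_name).upper()
    new_rdn = ("CN=" + new_name).upper()

    cn = computer.get("cn", [""])[0]
    if cn.upper() != new_name.upper():
        findings.append("cn is %r, expected %r" % (cn, new_name))

    sam = computer.get("sAMAccountName", [""])[0]
    if sam.upper() != new_acct.upper():
        findings.append("sAMAccountName is %r, expected %r" % (sam, new_acct))

    dns = computer.get("dNSHostName", [""])[0]
    if dns.lower() != new_fqdn:
        findings.append("dNSHostName is %r, expected %r" % (dns, new_fqdn))

    # Any SPN whose host part is the old short name is stale.
    for spn in computer.get("servicePrincipalName", []):
        host = spn.partition("/")[2]
        if host.lower().split(".")[0] == old_name.lower():
            findings.append("stale SPN %r" % spn)

    # The RDN of the object itself must follow the new name.
    dn = computer.get("dn", [""])[0]
    if dn.split(",", 1)[0].upper() != new_rdn:
        findings.append("object DN %r still carries the old RDN" % dn)

    # member is DN-valued, so a renamed object must show up under its new DN.
    for group in groups:
        gdn = group.get("dn", ["?"])[0]
        rdns = [m.split(",", 1)[0].upper() for m in group.get("member", [])]
        if old_rdn in rdns:
            findings.append("%s: member still lists %s" % (gdn, old_rdn))
        elif new_rdn not in rdns:
            findings.append("%s: no member entry for %s" % (gdn, new_rdn))
    return findings


# Constructed samples: WS01 renamed to WS02. PARTIAL mirrors what the post
# describes (only sAMAccountName changed); COMPLETE is what a full rename gives.
PARTIAL = {
    "dn": ["CN=WS01,CN=Computers,DC=example,DC=com"],
    "cn": ["WS01"],
    "sAMAccountName": ["WS02$"],
    "dNSHostName": ["ws01.example.com"],
    "servicePrincipalName": ["HOST/WS01", "HOST/ws01.example.com"],
}
COMPLETE = {
    "dn": ["CN=WS02,CN=Computers,DC=example,DC=com"],
    "cn": ["WS02"],
    "sAMAccountName": ["WS02$"],
    "dNSHostName": ["ws02.example.com"],
    "servicePrincipalName": ["HOST/WS02", "HOST/ws02.example.com"],
}
GROUPS_PARTIAL = [{"dn": ["CN=Workstations,CN=Users,DC=example,DC=com"],
                   "member": ["CN=WS01,CN=Computers,DC=example,DC=com"]}]
GROUPS_COMPLETE = [{"dn": ["CN=Workstations,CN=Users,DC=example,DC=com"],
                    "member": ["CN=WS02,CN=Computers,DC=example,DC=com"]}]

if __name__ == "__main__":
    for label, obj, grp in (("partial", PARTIAL, GROUPS_PARTIAL),
                            ("complete", COMPLETE, GROUPS_COMPLETE)):
        found = check_computer_rename(obj, grp, "WS01", "WS02", "example.com")
        print("%s rename: %d finding(s)" % (label, len(found)))
        for line in found:
            print("  " + line)
```

Run it after a test rename with the real object and group entries substituted for the constructed ones; an empty finding list is the condition the post expects.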
felix at epepm.cupet.cu
2012-Oct-30 13:14 UTC
[Samba] Unable to create GPO with rc3 and a few authentication problems
> Hello.
>
> I have encountered a few problems with 2 Samba 4 rc3 DCs serving a domain
> migrated from Windows 2003 R2. I post them all together, since they look
> related.
>
> 1. Unable to create or delete GPOs.
> # bin/samba-tool gpo create somegpo
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on
> CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py",
> line 952, in run
>     self.samdb.add(m)
>
> I'm not sure if this is a schema or an authentication problem. Could someone
> suggest how that should be investigated?
>
> 2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry
> for duplicating, but this is updated).
> It looks like this on debug level = 5:
> [2012/10/30 02:23:38, 1]
> ../source4/dns_server/dns_server.c:150(dns_process_send)
> Failed to verify TSIG!
> Hosts are Windows XP, Windows 7, Samba 3 on Linux. Some do update
> successfully, some can succeed some time (say, 5 hours) later, or may still
> fail. This is weird.
> I should mention that we had some problem with the Windows 2k3 demotion -
> during the process it rewrote the SOA on the (at that moment, only)
> Samba DC and put its own hostname in the SOA's "primary NS" field. We had to
> fix that manually by replacing the SOA record in the corresponding LDB.
> Maybe we had just missed something? Any ideas on what's wrong?
>
> 3. Some hosts may suddenly reject valid tickets for RPC calls.
> Somewhat like the previous one.
> For example, on some non-DC host I do:
> $ kinit
> $ # Got a ticket for some admin user, btw MIT is used here
> $ net rpc shutdown -S somehost -f -k   # Samba 3's "net" command
> It may succeed for some hosts, but fail with NT_LOGON_FAILURE a few hours
> later, before the ticket expires (and DCs still accept this ticket for
> e.g. samba-tool drs showrepl). Or it may later succeed for a host it was
> failing for. Renewing the ticket doesn't change anything.
> So, something strange for me, too. I have tried to reset some machine
> accounts and to rejoin some hosts. No luck.
>
> 4. Unrelated to the previous ones. Well, I'm sorry, I haven't read the
> source to see if this is supposed to happen. But I'd better say it
> before I forget, just in case.
> Try to rename some host using the Windows GUI (My Computer -> Properties) and
> check if CN, sAMAccountName and member of the corresponding groups are
> changed correctly. In my experience, only sAMAccountName is changed.
> Once again, sorry if this is OK.
>

Something similar happens to me. But I noticed that I can create a new GPO only with the first user the system had: administrator. None of the new admin users I created worked, only administrator.

Best regards,
Felix.
Dmitry Khromov
2012-Oct-30 23:33 UTC
[Samba] Unable to create GPO with rc3 and a few authentication problems
> I have encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them all together, since they look related.
>
> 1. Unable to create or delete GPOs.
> # bin/samba-tool gpo create somegpo
> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
>     self.samdb.add(m)
>
> I'm not sure if this is a schema or an authentication problem. Could someone suggest how that should be investigated?

It looks like in the default Windows schema only members of Domain Admins can modify cn=Policies. If one allows the "Domain Controllers" group to have rw access too, the LDAP-related error disappears. However, a sysvol FS access error is then raised (due to the fact that machine accounts do not have write permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset). So, should samba-tool really use the machine account for GPO operations?

-- 
Best regards,
Dmitry Khromov
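The reply above reasons about who is allowed to modify cn=Policies and what happens once the Domain Controllers group is granted write access. The following is an added example, not code from the thread or from the Samba project, that makes that investigation step concrete: a Python decoder for the SDDL form of an nTSecurityDescriptor that lists the trustees holding a right sufficient to add a child object under a container (CREATE_CHILD, GENERIC_WRITE or GENERIC_ALL), skips inherit-only ACEs and object-specific ACEs, and can append the "Domain Controllers" (DD) allow ACE the reply describes so the before/after can be compared. The SDDL string is constructed to resemble a Policies container DACL and is not dumped from any DC; obtaining the real one from the DC (for instance through the Samba Python bindings' security.descriptor.as_sddl()) is assumed and not shown.

```python
"""Decode the SDDL form of an AD nTSecurityDescriptor and report which
trustees hold a right sufficient to add a child object, which is what creating
a GPO container under CN=Policies,CN=System,... requires.
"""
import re

# SDDL two-letter access-right abbreviations (AD object rights included).
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "RP": "READ_PROPERTY",
    "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
    "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT",
    "DT": "DELETE_TREE", "CR": "CONTROL_ACCESS",
}
# Well-known SID aliases used in this example (subset of the SDDL set).
SID_ALIASES = {
    "DA": "Domain Admins", "DD": "Domain Controllers", "DC": "Domain Computers",
    "EA": "Enterprise Admins", "SY": "Local System", "AU": "Authenticated Users",
    "PA": "Group Policy Creator Owners", "CO": "Creator Owner", "WD": "Everyone",
}
# Any one of these rights is enough to add a child under the container.
CREATE_RIGHTS = {"GENERIC_ALL", "GENERIC_WRITE", "CREATE_CHILD"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(s):
    """Split a run of two-letter tokens such as 'RPWPCC' into {'RP','WP','CC'}."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}


def parse_rights(s):
    """Map a rights string to right names; a hex mask ('0x...') is kept as-is."""
    if s.startswith("0x"):
        return {s}
    return {RIGHTS.get(tok, tok) for tok in _pairs(s)}


def split_sddl(sddl):
    """Return the O:, G:, D: and S: components of an SDDL string as a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}


def parse_aces(dacl):
    """Parse '(type;flags;rights;object;inherit_object;sid)...' into dicts."""
    aces = []
    for m in ACE_RE.finditer(dacl):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + m.group(0))
        aces.append({"type": fields[0], "flags": _pairs(fields[1]),
                     "rights": parse_rights(fields[2]), "object": fields[3],
                     "inherit_object": fields[4], "sid": fields[5]})
    return aces


def who_can_create_children(sddl):
    """Trustees with an applicable allow ACE carrying a create-capable right,
    minus trustees with a matching deny ACE. This is a simplification of the
    real order-dependent evaluation, good enough to answer "who may add a GPO"."""
    allowed, denied = set(), set()
    for ace in parse_aces(split_sddl(sddl).get("D", "")):
        if "IO" in ace["flags"]:          # inherit-only: not effective on this object
            continue
        if not ace["rights"] & CREATE_RIGHTS:
            continue
        if ace["type"] == "OA" and ace["object"]:
            continue                      # limited to one child class/property
        if ace["type"] in ("A", "OA"):
            allowed.add(ace["sid"])
        elif ace["type"] in ("D", "OD"):
            denied.add(ace["sid"])
    return allowed - denied


def grant_create_children(sddl, sid):
    """Append an unrestricted allow ACE granting CREATE_CHILD/DELETE_CHILD to sid,
    i.e. the experiment from the thread (giving Domain Controllers write access)."""
    parts = split_sddl(sddl)
    parts["D"] = parts.get("D", "") + "(A;;CCDC;;;%s)" % sid
    return "".join("%s:%s" % (k, parts[k]) for k in "OGDS" if k in parts)


# Constructed sample resembling a Policies container DACL (not dumped from a DC):
# Authenticated Users read, Domain Admins and SYSTEM full control, Group Policy
# Creator Owners may create children, Creator Owner full control on children only.
SAMPLE_SDDL = ("O:DAG:DAD:PAI"
               "(A;;RPLCLORC;;;AU)"
               "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
               "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
               "(A;;CCDC;;;PA)"
               "(A;CIIO;GA;;;CO)")

if __name__ == "__main__":
    for label, sd in (("sample DACL", SAMPLE_SDDL),
                      ("after granting DD", grant_create_children(SAMPLE_SDDL, "DD"))):
        names = sorted(SID_ALIASES.get(s, s) for s in who_can_create_children(sd))
        print("%s: %s" % (label, ", ".join(names)))
```

Feed it the real SDDL of CN=Policies and check whether the account samba-tool actually binds as (per the reply, the machine account, a member of Domain Controllers) appears in the output; if it does not, the LDAP error 50 in the original post is the expected result.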
Dmitry Khromov
2012-Oct-31 21:25 UTC
[Samba] Internal DNS - TTL enforcement for dynamic updates
Hello.

Samba 4 rc3. I have noticed a strange behavior. If a host creates a record, it won't be further updated until the record is deleted manually. What could cause this?

Another question: how could the dynamically added record's TTL be enforced? For example, we have user-based VLAN assignment in our networks. When a Windows host boots, it authenticates with its machine account and goes to one of the "parking" VLANs. Later, when a user logs in, he gets a different VLAN and a different IP address. So, we really want other DNS servers to not cache these records for too long. Normally, this is done by modifying the SOA record (and, as I recall, Samba's internal DNS respects TTLs in the SOA). But samba-tool can't edit SOA records, and the MMC DNS snap-in fails to do it too.

Thanks.

-- 
Best regards,
Dmitry Khromov