Arthur Ramsey
2014-Sep-12 17:36 UTC
[Samba] Group Policy failures related to machine password replication
We are using Samba-4.1.11.

I can run gpupdate /force without error on my machine.

H:\>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

H:\>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

H:\>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

H:\>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

On several other machines in the same OU the computer GPOs fail.

C:\Windows\system32>gpupdate /force
Updating Policy...

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Event details indicate the file is accessed from DC02 as I expected due to AD Sites configuration.
If I reset the machine account using netdom against DC02 then I can access the file on DC02, but not the other domain controllers.

C:\Windows\system32>netdom resetpwd /server:dc01.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]

C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>netdom resetpwd /server:dc02.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]

C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>netdom resetpwd /server:dc03.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]

C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
[General]
Version=65551
displayName=New Group Policy Object

C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>netdom resetpwd /server:dc04.mediture.dom /ud:MEDITURE\arthurr /pd:*
[...]

C:\Windows\system32>type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc01.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc02.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc03.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
Access is denied.

C:\Windows\system32>type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini
type \\dc04.mediture.dom\SysVol\mediture.dom\Policies\{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}\gpt.ini

I use rsync to sync the sysvol folder across domain controllers. I've also reset the access lists on all controllers using samba-tool ntacl sysvolreset.

I don't observe any DRS errors or errors in the samba log.

samba-tool drs showrepl
Default\DC01
DSA Options: 0x00000001
DSA object GUID: da9bb168-47a0-4368-aff3-bf06d1b869d2
DSA invocationId: 58439028-5404-4b55-b267-671e626644b9

==== INBOUND NEIGHBORS ===

DC=DomainDnsZones,DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ Fri Sep 12 11:53:42 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:42 2014 CDT

DC=DomainDnsZones,DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ Fri Sep 12 11:53:42 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:42 2014 CDT

DC=DomainDnsZones,DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ Fri Sep 12 11:53:43 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:43 2014 CDT

DC=ForestDnsZones,DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ Fri Sep 12 11:53:43 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:43 2014 CDT

DC=ForestDnsZones,DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ Fri Sep 12 11:53:44 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:44 2014 CDT

DC=ForestDnsZones,DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ Fri Sep 12 11:53:44 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:44 2014 CDT

DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ Fri Sep 12 11:53:46 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:46 2014 CDT

DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ Fri Sep 12 11:53:46 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:46 2014 CDT

DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ Fri Sep 12 11:53:47 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:47 2014 CDT

CN=Schema,CN=Configuration,DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ Fri Sep 12 11:53:47 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:47 2014 CDT

CN=Schema,CN=Configuration,DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ Fri Sep 12 11:53:47 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:47 2014 CDT

CN=Schema,CN=Configuration,DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ Fri Sep 12 11:53:48 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:48 2014 CDT

CN=Configuration,DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ Fri Sep 12 11:53:48 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:48 2014 CDT

CN=Configuration,DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ Fri Sep 12 11:53:48 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:48 2014 CDT

CN=Configuration,DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ Fri Sep 12 11:53:49 2014 CDT was successful
        0 consecutive failure(s).
        Last success @ Fri Sep 12 11:53:49 2014 CDT

==== OUTBOUND NEIGHBORS ===

DC=DomainDnsZones,DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=mediture,DC=dom
    EP\DC02 via RPC
        DSA object GUID: 9febf392-a39d-4d92-b4d3-4d818a1ce807
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=mediture,DC=dom
    Default\DC03 via RPC
        DSA object GUID: 248a73b1-ffa5-46dd-bc4d-c468bf6bfead
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=mediture,DC=dom
    AWS\DC04 via RPC
        DSA object GUID: 97060bd3-0286-4417-b06d-83152aa06c4c
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 6eba921b-0b6c-4cdb-8094-d4a15728d7bd
    Enabled        : TRUE
    Server DNS name : DC02.mediture.dom
    Server DN name  : CN=NTDS Settings,CN=DC02,CN=Servers,CN=EP,CN=Sites,CN=Configuration,DC=mediture,DC=dom
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

Connection --
    Connection name: 9b7312d1-a46a-435f-b867-0ca8128da202
    Enabled        : TRUE
    Server DNS name : DC03.mediture.dom
    Server DN name  : CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default,CN=Sites,CN=Configuration,DC=mediture,DC=dom
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

Connection --
    Connection name: d84eed77-ab18-40ce-9023-60586596fb51
    Enabled        : TRUE
    Server DNS name : DC04.mediture.dom
    Server DN name  : CN=NTDS Settings,CN=DC04,CN=Servers,CN=AWS,CN=Sites,CN=Configuration,DC=mediture,DC=dom
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

I also have a possibly related issue deleting LDAP objects. I can't delete an object I just created and the ACL seems correct for the LDAP object.

ldbdel -H ldap://localhost --realm=mediture.dom -UAdministrator OU=test,OU=Mediture_Workstations,OU=Mediture,DC=mediture,DC=dom
Password for [MEDITURE\Administrator]:
delete of 'OU=test,OU=Mediture_Workstations,OU=Mediture,DC=mediture,DC=dom' failed - (insufficient access rights) LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <>

I am totally stumped. Any help would be greatly appreciated!
-- 
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at privacyofficer at mediture.com.
Arthur Ramsey
2014-Sep-12 19:05 UTC
[Samba] Group Policy failures related to machine password replication
It appears I didn't troubleshoot correctly. The failed access attempts with the type command were attempts to log in with guest. Once I reset the machine account it tries to log in with my account just for the domain controller used with netdom, which succeeds.

I captured debugging on DC02 while I ran gpupdate /force.

[2014/09/12 13:50:39.999633,  2] ../source3/smbd/service.c:856(make_connection_snum)
  192.168.222.194 (ipv4:192.168.222.194:50493) connect to service sysvol initially as user MEDITURE\M3074$ (uid=3000054, gid=3000013) (pid 18300)
[2014/09/12 13:50:40.001854,  3] ../source3/smbd/service.c:197(set_current_service)
  chdir (/usr/local/samba/var/locks/sysvol) failed, reason: Permission denied

I still don't know why these machine accounts are denied.

getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/mediture.dom/Policies/{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}/GPT.INI
# owner: 3000000
# group: MEDITURE\134Domain\040Admins
user::rwx
user:3000009:r-x
user:3000040:rwx
user:3000070:rwx
user:3000071:r-x
group::rwx
group:MEDITURE\134Domain\040Admins:rwx
group:3000009:r-x
group:MEDITURE\134Enterprise\040Admins:rwx
group:3000070:rwx
group:3000071:r-x
mask::rwx
other::---

On 09/12/2014 12:36 PM, Arthur Ramsey wrote:
> We are using Samba-4.1.11.
>
> I can run gpupdate /force without error on my machine.
-- 
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323
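The smbd debug line and the getfacl listing in the second message contain the answer to "why are these machine accounts denied": MEDITURE\M3074$ connects as uid 3000054 / gid 3000013, the ACL names neither of them, and other:: grants nothing, so the POSIX ACL check ends in a denial. The following script is an added illustration, not code from the thread or from Samba; it parses that getfacl output and walks the POSIX.1e access-check order (owner, named users, owning and named groups under the mask, then other) to report which entry decided. It assumes gid 3000013 is not one of the named group entries and uses the GPT.INI file ACL as a stand-in for the sysvol directory on which chdir failed.

```python
import re

# ACL text constructed from the getfacl listing in the second message (raw
# string, so getfacl's octal escapes \134 and \040 stay as printed).
GPT_INI_ACL = r"""
# file: usr/local/samba/var/locks/sysvol/mediture.dom/Policies/{77F82F0F-AE2B-42F3-B173-D42F4BEEC0BA}/GPT.INI
# owner: 3000000
# group: MEDITURE\134Domain\040Admins
user::rwx
user:3000009:r-x
user:3000040:rwx
user:3000070:rwx
user:3000071:r-x
group::rwx
group:MEDITURE\134Domain\040Admins:rwx
group:3000009:r-x
group:MEDITURE\134Enterprise\040Admins:rwx
group:3000070:rwx
group:3000071:r-x
mask::rwx
other::---
"""


def _perms(field):
    """Turn a permission field such as 'r-x' into the set {'r', 'x'}."""
    return {c for c in field if c in "rwx"}


def parse_getfacl(text):
    """Parse one getfacl entry; qualifiers stay as printed (ids or names)."""
    acl = {"owner": None, "group": None, "user_obj": set(), "group_obj": set(),
           "users": {}, "groups": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"#\s*(owner|group):\s*(.+)$", line)
        if header:
            acl[header.group(1)] = header.group(2)
            continue
        if line.startswith("#"):
            continue  # "# file:" or any other comment line
        tag, qualifier, field = line.split(":", 2)
        perms = _perms(field)
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = perms
            else:
                acl["user_obj"] = perms
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = perms
            else:
                acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def check_access(acl, uid, gids, want):
    """POSIX.1e access check; returns (allowed, entry_that_decided).

    Order: owner, named user, then owning group plus named groups the
    subject belongs to (all limited by the mask), and finally other.
    Once any group entry matches, other:: is never consulted.
    """
    want = _perms(want)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if uid == acl["owner"]:
        return want <= acl["user_obj"], "user::"
    if uid in acl["users"]:
        return want <= (acl["users"][uid] & mask), f"user:{uid}:"
    matched = []
    if acl["group"] in gids:
        matched.append(("group::", acl["group_obj"]))
    for name, perms in acl["groups"].items():
        if name in gids:
            matched.append((f"group:{name}:", perms))
    for label, perms in matched:
        if want <= (perms & mask):
            return True, label
    if matched:
        return False, matched[0][0] + " (insufficient after mask)"
    return want <= acl["other"], "other::"


def machine_account_can_read():
    # Subject from the smbd log: MEDITURE\M3074$ ran as uid=3000054, gid=3000013.
    # Assumption (not stated in the thread): 3000013 matches none of the
    # ids or names used as named group entries in the ACL above.
    return check_access(parse_getfacl(GPT_INI_ACL), "3000054", {"3000013"}, "r")


if __name__ == "__main__":
    ok, via = machine_account_can_read()
    print("M3074$ read GPT.INI:", "allowed" if ok else "DENIED", "via", via)
```

Running it against the thread's ACL reports the denial being decided by other::, which is the same outcome smbd logged; adding the machine account's group (or Authenticated Users) as a named group entry with r-x is what would change that result.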