mathias dufresne
2016-Mar-29 09:57 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
I'm not an expert in idmap (not at all, in fact :p) but I thought the idmap stuff was there to replace the RFC2307 UID/GID declared in AD/LDAP objects. In other words, if you configure idmap correctly in smb.conf, I expect you no longer need to declare a UID/GID for machine accounts.

Anyway, here my machines get access to their GPO: I tested one computer's GPO this morning, the one giving the possibility to use userPrincipalName without @samba.domain.tld when logging into a computer. That worked, so the GPO was applied, and my machines have no UID/GID, nor does my smb.conf contain anything about idmap:
----------------------------------------
[global]
workgroup = SAMBA
realm = SAMBA.DOMAIN.TLD
netbios name = DC200
server role = active directory domain controller

server services = -dns
idmap_ldb:use rfc2307 = yes

# NOTE: removed as we now use BIND-DLZ DNS backend
#dns forwarder = 10.156.32.99

#kccsrv:samba_kcc=true

[netlogon]
path = /var/lib/samba/sysvol/samba.domain.tld/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
----------------------------------------

But my nsswitch.conf is configured to use winbind:
grep win /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind

And that works:
For users:
id administrator
uid=0(root) gid=0(root) groupes=0(root)
For computers:
id dc200$
uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)

So idmapping seems to be enabled by default, as there is no UID/GID declared on the DC200 computer:
ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7

So I still expect an issue about mapping computer accounts to UNIX/Linux local users.

Hoping this helps, cheers,

mathias

2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
> I add UNIX attributes (gid/uid) using RSAT. You need to select an
> additional option when installing the tools. I believe it is "something
> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
> set the uid/gid as well as group memberships for UNIX systems. I have
> done this on my networks, but I may have forgotten it on this one. I
> will check. I still have the issue, it is not a "node type" issue.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 03/23/2016 12:01 PM, mj wrote:
> >
> > On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
> >> And did you add those IDs to the sysvol share permissions?
> >> I guess you used samba-tool since I cannot find any gid/uid fields in
> >> RSAT
> >
> > I added them using LAM, because yes: using RSAT I also could not.
> >
> > (lam: www.ldap-account-manager.org/)
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Sébastien Le Ray
2016-Mar-29 12:51 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Hi

Same here, GPOs work without a UID/GID on the machine account (since the issue "resolves" itself sometimes).

It really seems to depend on which DC is chosen at start.

One of the affected machines just recovered without any change except a reboot.

So I guess the root issue is the Kerberos one, "max reference tickets exceeded", but I cannot see why it happens and on which DC.

I noticed this morning that sysvolcheck returns errors that won't be fixed by sysvolreset (!). I manually fixed the ntacl, but this does not seem to have fixed anything.

Regards

On 29/03/2016 11:57, mathias dufresne wrote:
> [...]
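Both of the messages above circle the same question: is the machine account actually granted read on GPT.ini, which is what Event ID 1058 reports and what the manual ntacl fix was trying to repair. The following is an added example (my own, not code from the thread and not Samba's) that parses the SDDL string `samba-tool ntacl get <file>` prints for a sysvol file and runs a simplified Windows-style access check for the SIDs a machine account carries. The domain SID, the RIDs, and the three sample ACLs are constructed for the example; the "provision default" one only mirrors the shape of a provisioned sysvol ACL and is not copied from any real DC. The NT ACL is one of the two layers involved on a Samba DC; the POSIX permissions under the UNIX id that winbind maps the account to are the other, which is what the UID/GID discussion earlier in the thread is about, and this example covers only the first.

```python
"""Check, from an NT ACL in SDDL form (the format samba-tool ntacl get prints),
whether a machine account would be granted read access to a sysvol file such
as GPT.ini. Added example, not Samba code; all SIDs and ACLs are constructed."""
import re

# Assumed domain SID for this example (constructed, not from the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# SDDL two-letter SID aliases (subset); domain-relative ones use DOMAIN_SID.
SID_ALIASES = {
    "SY": "S-1-5-18",            # Local System
    "BA": "S-1-5-32-544",        # Builtin Administrators
    "AU": "S-1-5-11",            # Authenticated Users
    "ED": "S-1-5-9",             # Enterprise Domain Controllers
    "WD": "S-1-1-0",             # Everyone
    "CO": "S-1-3-0",             # Creator Owner
    "DA": DOMAIN_SID + "-512",   # Domain Admins
    "DC": DOMAIN_SID + "-515",   # Domain Computers
    "EA": DOMAIN_SID + "-519",   # Enterprise Admins
}

# Access-mask bits: FILE_GENERIC_READ is what a client needs to open and read GPT.ini.
READ_CONTROL, SYNCHRONIZE = 0x00020000, 0x00100000
FILE_GENERIC_READ = 0x0001 | 0x0008 | 0x0080 | READ_CONTROL | SYNCHRONIZE  # 0x00120089
FILE_ALL_ACCESS = 0x001F01FF
GENERIC_READ, GENERIC_ALL = 0x80000000, 0x10000000
RIGHTS_ALIASES = {"FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ, "FX": 0x001200A0,
                  "FW": 0x00120116, "GA": GENERIC_ALL, "GR": GENERIC_READ,
                  "GW": 0x40000000, "GX": 0x20000000}


def resolve_sid(text):
    """Turn an SDDL SID field ("AU", "DA", "S-1-5-...") into a full SID string."""
    if text.startswith("S-"):
        return text
    return SID_ALIASES[text]  # KeyError for aliases this example does not know


def parse_rights(text):
    """Access mask from either a hex literal or concatenated two-letter rights."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS_ALIASES[text[i:i + 2]]
    return mask


def parse_ace(text):
    """ACE fields are type;flags;rights;object_guid;inherit_object_guid;sid."""
    ace_type, flags, rights, _obj, _inh_obj, sid = text.split(";", 5)
    return {"type": ace_type,
            "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
            "mask": parse_rights(rights),
            "sid": resolve_sid(sid)}


def parse_sddl(sddl):
    """Split the O:/G:/D:/S: sections and parse the DACL's ACEs in order."""
    sections = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = sections.get("D", "")
    return {"owner": resolve_sid(sections["O"]) if "O" in sections else None,
            "group": resolve_sid(sections["G"]) if "G" in sections else None,
            "dacl_flags": dacl.partition("(")[0],
            "dacl": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", dacl)]}


def expand_generic(mask):
    """Map generic bits onto file-specific rights, as the server does for files."""
    if mask & GENERIC_ALL:
        mask |= FILE_ALL_ACCESS
    if mask & GENERIC_READ:
        mask |= FILE_GENERIC_READ
    return mask


def can_read(sddl, token_sids, wanted=FILE_GENERIC_READ):
    """Windows-style check on the object itself: walk the DACL in order; a DENY
    on any still-wanted bit for a SID in the token refuses access, ALLOWs
    accumulate until every wanted bit is granted. Inherit-only ACEs are skipped.
    Simplification: the owner's implicit READ_CONTROL/WRITE_DAC is not modelled."""
    token = set(token_sids)
    remaining = wanted
    for ace in parse_sddl(sddl)["dacl"]:
        if "IO" in ace["flags"] or ace["sid"] not in token:
            continue
        mask = expand_generic(ace["mask"])
        if ace["type"] == "D" and mask & remaining:
            return False
        if ace["type"] == "A":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False  # an empty or non-matching DACL grants nothing


def machine_token(rid, domain_controller=False):
    """SIDs a machine account presents when reading sysvol (constructed, simplified)."""
    sids = [f"{DOMAIN_SID}-{rid}", SID_ALIASES["AU"], SID_ALIASES["WD"]]
    if domain_controller:
        sids += [f"{DOMAIN_SID}-516", SID_ALIASES["ED"]]  # Domain Controllers, ED
    else:
        sids.append(SID_ALIASES["DC"])
    return sids


# Constructed sample ACLs in the shape `samba-tool ntacl get <path>` prints.
SAMPLES = {
    "provision default": "O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                         "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
                         "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)",
    "admins only":       "O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)",
    "deny on computers": "O:DAG:DAD:PAI(D;;FR;;;DC)(A;OICI;0x001200a9;;;AU)",
}


def report(samples=SAMPLES, token=None):
    """Map each sample ACL to whether the given token can read the file."""
    token = token or machine_token(1105)  # RID 1105: a constructed workstation account
    return {name: can_read(sddl, token) for name, sddl in samples.items()}


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:20s} {'read OK' if ok else 'access denied'}")
```

To use it against a real DC, feed the string printed by `samba-tool ntacl get` for the GPT.ini in question to `can_read` together with the computer account's own SID and the SIDs of its groups; the "deny on computers" sample shows why an explicit deny ACE early in the list wins over the later Authenticated Users allow, which is the kind of thing sysvolreset will not undo if the ACL came from somewhere else.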
mathias dufresne
2016-Mar-29 13:14 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
To see which DC is used by a Windows client: open an MS-DOS console, type "set", and look for LOGONSERVER=\\<your_dc>. <your_dc> is the DC it connected to.

If the issue comes from one DC, I would look at sysvol synchronisation between DCs, the ACLs on all sysvols, and the DNS entries (but I don't think it's a DNS issue if you only have a GPO issue).

2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
> [...]