L.P.H. van Belle
2016-Mar-29 14:52 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Ok, where do your pc's get the DNS info from?
Server : AD-DC + DNS
Or
Server : AD-DC
+
Some other server with DNS

Can you give the output of
dig NS your.domain.tld

and tell us what that is.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
> Sent: Tuesday 29 March 2016 16:31
> To: samba at lists.samba.org
> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>
> No firewall configured on DCs
>
> telnet dc 88 & 53 works fine (so TCP at least is OK).
>
> 53 isn't mandatory since AD zone is a delegation so clients never talk
> to AD NS directly
> Regards
>
> On 29/03/2016 16:18, L.P.H. van Belle wrote:
> > I don't read any French but translators work ok. ;-) pfew..
> >
> > Ok any firewalling on the DC's? if so, open TCP and UDP port 88.
> > Or try short without firewalls on, on the DC's.
> >
> > Other options to try is reduce the MaxPacketSize in windows.
> >
> > Looks like a too big package which is rejected.
> >
> > Ow and above is also needed on the DNS port 53.
> > Open tcp and udp.
> >
> > If the UDP packages are too big, tcp is tried.
> >
> > And let us know the result.
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: Sébastien Le Ray [mailto:sebastien at orniz.org]
> >> Sent: Tuesday 29 March 2016 16:10
> >> To: L.P.H. van Belle; samba at lists.samba.org
> >> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>
> >> Hi
> >>
> >> French windows version
> >>
> >> LSA Error
> >>
> >> Nom du journal :System
> >> Source : LsaSrv
> >> Date : 29/03/2016 15:49:56
> >> ID de l'événement :40960
> >> Catégorie de la tâche :Aucun
> >> Niveau : Avertissement
> >> Mots clés :
> >> Utilisateur : Système
> >> Ordinateur : computer.domain
> >> Description :
> >> Le système de sécurité a détecté une erreur d'authentification pour le
> >> serveur cifs/domain. Le code de la panne à partir du protocole
> >> d'authentification Kerberos était "Le nombre maximal de tickets de
> >> référence a été dépassé.
> >> (0xc00002f4)".
> >> XML de l'événement :
> >> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >> <System>
> >> <Provider Name="LsaSrv"
> >> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >> <EventID>40960</EventID>
> >> <Version>0</Version>
> >> <Level>3</Level>
> >> <Task>0</Task>
> >> <Opcode>0</Opcode>
> >> <Keywords>0x8000000000000000</Keywords>
> >> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >> <EventRecordID>8737</EventRecordID>
> >> <Correlation />
> >> <Execution ProcessID="840" ThreadID="900" />
> >> <Channel>System</Channel>
> >> <Computer>computer.domain</Computer>
> >> <Security UserID="S-1-5-18" />
> >> </System>
> >> <EventData>
> >> <Data Name="Target">cifs/computer.domain</Data>
> >> <Data Name="Protocol">Kerberos</Data>
> >> <Data Name="Error">"Le nombre maximal de tickets de référence a été
> >> dépassé.
> >> (0xc00002f4)"</Data>
> >> </EventData>
> >> </Event>
> >>
> >>
> >> GPT.ini error
> >>
> >> Nom du journal :System
> >> Source : LsaSrv
> >> Date : 29/03/2016 15:49:56
> >> ID de l'événement :40960
> >> Catégorie de la tâche :Aucun
> >> Niveau : Avertissement
> >> Mots clés :
> >> Utilisateur : Système
> >> Ordinateur : computer.domain
> >> Description :
> >> Le système de sécurité a détecté une erreur d'authentification pour le
> >> serveur cifs/domain. Le code de la panne à partir du protocole
> >> d'authentification Kerberos était "Le nombre maximal de tickets de
> >> référence a été dépassé.
> >> (0xc00002f4)".
> >> XML de l'événement :
> >> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >> <System>
> >> <Provider Name="LsaSrv"
> >> Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
> >> <EventID>40960</EventID>
> >> <Version>0</Version>
> >> <Level>3</Level>
> >> <Task>0</Task>
> >> <Opcode>0</Opcode>
> >> <Keywords>0x8000000000000000</Keywords>
> >> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
> >> <EventRecordID>8737</EventRecordID>
> >> <Correlation />
> >> <Execution ProcessID="840" ThreadID="900" />
> >> <Channel>System</Channel>
> >> <Computer>computer.domain</Computer>
> >> <Security UserID="S-1-5-18" />
> >> </System>
> >> <EventData>
> >> <Data Name="Target">cifs/domain</Data>
> >> <Data Name="Protocol">Kerberos</Data>
> >> <Data Name="Error">"Le nombre maximal de tickets de référence a été
> >> dépassé.
> >> (0xc00002f4)"</Data>
> >> </EventData>
> >> </Event>
> >>
> >> root at dc:/var/lib/samba/sysvol/domain/Policies# getfacl
> >> \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
> >> # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
> >> # owner: root
> >> # group: 10000
> >> user::rwx
> >> user:root:rwx
> >> user:3000002:rwx
> >> user:3000003:r-x
> >> user:3000007:rwx
> >> user:3000008:r-x
> >> group::rwx
> >> group:10000:rwx
> >> group:3000002:rwx
> >> group:3000003:r-x
> >> group:3000007:rwx
> >> group:3000008:r-x
> >> mask::rwx
> >> other::---
> >> default:user::rwx
> >> default:user:root:rwx
> >> default:user:3000002:rwx
> >> default:user:3000003:r-x
> >> default:user:3000007:rwx
> >> default:user:3000008:r-x
> >> default:group::---
> >> default:group:10000:rwx
> >> default:group:3000002:rwx
> >> default:group:3000003:r-x
> >> default:group:3000007:rwx
> >> default:group:3000008:r-x
> >> default:mask::rwx
> >> default:other::---
> >>
> >>
> >> DHCP IP
> >>
> >> Regards
> >>
> >>
> >> On 29/03/2016 15:46, L.P.H. van Belle wrote:
> >>> Complete event id of :
> >>>> But still, events log show a warning about kerberos ticket from LsaSrv
> >>>> source and right after a permission denied on GPT.ini
> >>> And a getfacl of the problem GPO SID please, i'll check.
> >>>
> >>> And an output of ipconfig /all on the problem pc.
> >>>
> >>> And question, dedicated IP or dhcp IP?
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
> >>>> Sent: Tuesday 29 March 2016 15:41
> >>>> CC: samba
> >>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> >>>>
> >>>> LOGONSERVER is the server used to authenticate currently logged in user,
> >>>> this does not mean that it is the one on which machine GPO was fetched
> >>>> (which seem to be round-robinized, but maybe not)
> >>>>
> >>>> Got no more sysvolcheck error, manually fixed those (what a pain)
> >>>>
> >>>> But still, events log show a warning about kerberos ticket from LsaSrv
> >>>> source and right after a permission denied on GPT.ini
> >>>>
> >>>> Regards
> >>>>
> >>>> On 29/03/2016 15:16, mathias dufresne wrote:
> >>>>> About sysvolreset errors: send them to us. There is (at least) one error
> >>>>> from sysvolcheck which is not too much important (if I have well understood
> >>>>> it): ACL is set on FS to Local Admins when it should be Domain admins (or
> >>>>> the contrary). That one should be a simple warning, or it is and it can be
> >>>>> ignored (once more: according to my memory).
> >>>>>
> >>>>> 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> >>>>>
> >>>>>> To see which DC is used by Windows client: open a MSDOS console, type
> >>>>>> "set", look for LOGONSERVER=\\<your_dc>
> >>>>>>
> >>>>>> <your_dc> is the DC used to connect on.
> >>>>>>
> >>>>>> If issue comes from one DC I would have on sysvol synchronisation between
> >>>>>> DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if
> >>>>>> you have only GPO issue).
> >>>>>>
> >>>>>> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
> >>>>>>> Hi
> >>>>>>>
> >>>>>>> Same here, GPO work without UID/GID on machine account (since issue
> >>>>>>> "resolves" itself sometime)
> >>>>>>>
> >>>>>>> It really seems to depend on which DC is chosen at start.
> >>>>>>>
> >>>>>>> One of the affected machines just recovered without any change except a
> >>>>>>> reboot
> >>>>>>>
> >>>>>>> So I guess root issue is the kerberos one "max reference tickets
> >>>>>>> exceeded" but cannot see why it happens and on which DC
> >>>>>>>
> >>>>>>> I noticed this morning that sysvolcheck returns errors that won't be
> >>>>>>> fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to
> >>>>>>> have fixed anything
> >>>>>>>
> >>>>>>> Regards
> >>>>>>>
> >>>>>>> On 29/03/2016 11:57, mathias dufresne wrote:
> >>>>>>>
> >>>>>>>> I'm not an expert in idmap (at all in fact :p) but I thought idmap stuff
> >>>>>>>> was here to replace RFC2307 UID/GID declared into AD/LDAP objects.
> >>>>>>>> In other words, if you configure correctly idmap into smb.conf I expect
> >>>>>>>> you don't need any more declaring UID/GID for machine accounts.
> >>>>>>>>
> >>>>>>>> Anyway here my machines get access to their GPO: I tested one computer's
> >>>>>>>> GPO this morning, the one giving the possibility to use userPrincipalName
> >>>>>>>> without @samba.domain.tld when logging into a computer. That worked so the
> >>>>>>>> GPO was applied and my machines have no UID/GID nor my smb.conf contains
> >>>>>>>> anything about idmap:
> >>>>>>>> ----------------------------------------
> >>>>>>>> [global]
> >>>>>>>> workgroup = SAMBA
> >>>>>>>> realm = SAMBA.DOMAIN.TLD
> >>>>>>>> netbios name = DC200
> >>>>>>>> server role = active directory domain controller
> >>>>>>>>
> >>>>>>>> server services = -dns
> >>>>>>>> idmap_ldb:use rfc2307 = yes
> >>>>>>>>
> >>>>>>>> # NOTE: removed as we now use BIND-DLZ DNS backend
> >>>>>>>> #dns forwarder = 10.156.32.99
> >>>>>>>>
> >>>>>>>> #kccsrv:samba_kcc=true
> >>>>>>>>
> >>>>>>>> [netlogon]
> >>>>>>>> path = /var/lib/samba/sysvol/samba.domain.tld/scripts
> >>>>>>>> read only = No
> >>>>>>>>
> >>>>>>>> [sysvol]
> >>>>>>>> path = /var/lib/samba/sysvol
> >>>>>>>> read only = No
> >>>>>>>> ----------------------------------------
> >>>>>>>>
> >>>>>>>> But my nsswitch.conf is configured to use winbind:
> >>>>>>>> grep win /etc/nsswitch.conf
> >>>>>>>> passwd: files winbind
> >>>>>>>> shadow: files winbind
> >>>>>>>> group: files winbind
> >>>>>>>>
> >>>>>>>> And that works:
> >>>>>>>> For users:
> >>>>>>>> id administrator
> >>>>>>>> uid=0(root) gid=0(root) groupes=0(root)
> >>>>>>>> For computers:
> >>>>>>>> id dc200$
> >>>>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers)
> >>>>>>>> groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
> >>>>>>>>
> >>>>>>>> So idmapping seems to be enabled by default as there are no UID/GID
> >>>>>>>> declared on DC200 computer:
> >>>>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
> >>>>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
> >>>>>>>>
> >>>>>>>> So I still expect an issue about mapping computer accounts to UNIX/Linux
> >>>>>>>> local user.
> >>>>>>>>
> >>>>>>>> Hoping this helps, cheers,
> >>>>>>>>
> >>>>>>>> mathias
> >>>>>>>>
> >>>>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
> >>>>>>>>
> >>>>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an
> >>>>>>>>> additional option when installing the tools. I believe it is "something
> >>>>>>>>> for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to
> >>>>>>>>> set the uid/gid as well as group memberships for UNIX systems. I have
> >>>>>>>>> done this on my networks, but I may have forgotten it on this one. I
> >>>>>>>>> will check. I still have the issue, it is not a "node type" issue.
> >>>>>>>>>
> >>>>>>>>> Lead IT/IS Specialist
> >>>>>>>>> Reach Technology FP, Inc
> >>>>>>>>>
> >>>>>>>>> On 03/23/2016 12:01 PM, mj wrote:
> >>>>>>>>>
> >>>>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
> >>>>>>>>>>
> >>>>>>>>>>> And did you add those IDs to the sysvol share permissions?
> >>>>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid fields in
> >>>>>>>>>>> RSAT
> >>>>>>>>>>>
> >>>>>>>>>> I added them using LAM, because yes: using RSAT I also could not.
> >>>>>>>>>>
> >>>>>>>>>> (lam: www.ldap-account-manager.org/)
> >>>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
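The thread's symptom is an LsaSrv event 40960 (Kerberos, NTSTATUS 0xc00002f4) followed moments later by Group Policy event 1058 on GPT.ini. The following is an added example, not code from the thread or from Samba, that parses Windows event XML in the form quoted above and pairs each such Kerberos failure with a 1058 from the same client inside a short window, so the correlation can be checked from exported event logs instead of by eye. The 40960 sample is the one quoted in the thread (trimmed); the 1058 sample, its Data field names, the provider name Microsoft-Windows-GroupPolicy and the 30-second window are assumptions.

```python
"""Added example: correlate LsaSrv Kerberos failures (Event 40960) with the
Group Policy GPT.ini read failures (Event 1058) that follow them."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace used by the Windows event XML quoted in the thread
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values LsaSrv 40960 may report; the thread's code is the first one
NTSTATUS = {
    0xC00002F4: "STATUS_MAX_REFERRALS_EXCEEDED",
    0xC000006D: "STATUS_LOGON_FAILURE",
}
CODE_RE = re.compile(r"0x([0-9A-Fa-f]{8})")


def parse_event(xml_text):
    """Flatten one <Event> into a dict: provider, id, time, computer, data."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "id": int(system.find("e:EventID", NS).text),
        # SystemTime carries 9 fractional digits; keep whole seconds only
        "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
        "computer": system.find("e:Computer", NS).text,
        "data": {d.get("Name"): (d.text or "")
                 for d in root.iterfind("e:EventData/e:Data", NS)},
    }


def kerberos_failure(ev):
    """Return (code, name) if ev is an LsaSrv 40960 Kerberos failure, else None.
    The Error text is localized (French in the thread), so key on the hex code."""
    if ev["provider"] != "LsaSrv" or ev["id"] != 40960:
        return None
    if ev["data"].get("Protocol") != "Kerberos":
        return None
    m = CODE_RE.search(ev["data"].get("Error", ""))
    if m is None:
        return None
    code = int(m.group(1), 16)
    return code, NTSTATUS.get(code, "UNKNOWN_NTSTATUS")


def correlate(events, window=timedelta(seconds=30)):
    """Pair each Kerberos failure with the first 1058 logged by the same
    computer within `window`; a 1058 with no preceding 40960 is ignored."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        kf = kerberos_failure(ev)
        if kf is None:
            continue
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > window:
                break
            if later["id"] == 1058 and later["computer"] == ev["computer"]:
                findings.append({
                    "computer": ev["computer"],
                    "target": ev["data"].get("Target"),
                    "code": kf[0],
                    "status": kf[1],
                    "gap_seconds": int((later["time"] - ev["time"]).total_seconds()),
                    "gpo_file": later["data"].get("FilePath"),
                })
                break
    return findings


def analyse(xml_events):
    return correlate([parse_event(x) for x in xml_events])


# Constructed sample: the first record is the 40960 event quoted in the thread
# (trimmed); the 1058 records and their Data field names are assumed.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
<EventID>40960</EventID><TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
<Computer>computer.domain</Computer></System>
<EventData><Data Name="Target">cifs/domain</Data><Data Name="Protocol">Kerberos</Data>
<Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data>
</EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-GroupPolicy" /><EventID>1058</EventID>
<TimeCreated SystemTime="2016-03-29T13:50:00.120000000Z" /><Computer>computer.domain</Computer></System>
<EventData><Data Name="ErrorCode">5</Data><Data Name="ErrorDescription">Access is denied.</Data>
<Data Name="FilePath">\\domain\sysvol\domain\Policies\{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}\gpt.ini</Data>
</EventData></Event>""",
    # A 1058 on another client with no Kerberos failure before it: not reported
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-GroupPolicy" /><EventID>1058</EventID>
<TimeCreated SystemTime="2016-03-29T13:50:02.000000000Z" /><Computer>other.domain</Computer></System>
<EventData><Data Name="ErrorCode">5</Data></EventData></Event>""",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f['computer']}: {f['status']} ({f['code']:#010x}) on {f['target']} "
              f"followed {f['gap_seconds']}s later by 1058 on {f['gpo_file']}")
```

Feed it the XML view of the System log exported from an affected client; any pair it reports names the DC service principal (Target) the client failed against, which is the DC to check first.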
Sébastien Le Ray
2016-Mar-29 14:58 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Company's dns which recurse on AD DC for my.ad.domain subdomain

Regards

On 29/03/2016 16:52, L.P.H. van Belle wrote:
> Ok, where do your pc's get the DNS info from?
> Server : AD-DC + DNS
> Or
> Server : AD-DC
> +
> Some other server with DNS
>
> Can you give the output of
> dig NS your.domain.tld
>
> and tell us what that is.
L.P.H. van Belle
2016-Mar-29 15:03 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Ok, same as I'm running.
DC => (replicated zones) => Slave DNS << == Client pc's.

Have you tried to reset the network id manually from within windows.
( where you change/add the computer to the network )
The button "change network-id."

I have seen these things also with pc's which are wrongly sysprepped.
Which causes same SID's for the pc's.

But please try also if you point the problem pc to the DCs as dns, please do try it.

> -----Original message-----
> From: Sébastien Le Ray [mailto:sebastien-samba at orniz.org]
> Sent: Tuesday 29 March 2016 16:58
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>
> Company's dns which recurse on AD DC for my.ad.domain subdomain
>
> Regards
>
> On 29/03/2016 16:52, L.P.H. van Belle wrote:
> > Ok, where do your pc's get the DNS info from?
> > Server : AD-DC + DNS
> > Or
> > Server : AD-DC
> > +
> > Some other server with DNS
> >
> > Can you give the output of
> > dig NS your.domain.tld
> >
> > and tell us what that is.
> >>>>>>>>>> > >>>>>>>>>> Anyway here my machines get access to their GPO: I tested one > >>>>>> computer's > >>>>>>>>>> GPO this morning, the one giving the possibility to use > >>>>>> userPrincipalName > >>>>>>>>>> without @samba.domain.tld when logging into a computer. That > >> worked > >>>>>> so > >>>>>>>>>> the > >>>>>>>>>> GPO was applied and my machines have no UID/GID nor my smb.conf > >>>>>> contains > >>>>>>>>>> anything about idmap: > >>>>>>>>>> ---------------------------------------- > >>>>>>>>>> [global] > >>>>>>>>>> workgroup = SAMBA > >>>>>>>>>> realm = SAMBA.DOMAIN.TLD > >>>>>>>>>> netbios name = DC200 > >>>>>>>>>> server role = active directory domain controller > >>>>>>>>>> > >>>>>>>>>> server services = -dns > >>>>>>>>>> idmap_ldb:use rfc2307 = yes > >>>>>>>>>> > >>>>>>>>>> # NOTE: removed as we now use BIND-DLZ DNS backend > >>>>>>>>>> #dns forwarder = 10.156.32.99 > >>>>>>>>>> > >>>>>>>>>> #kccsrv:samba_kcc=true > >>>>>>>>>> > >>>>>>>>>> [netlogon] > >>>>>>>>>> path > /var/lib/samba/sysvol/samba.domain.tld/scripts > >>>>>>>>>> read only = No > >>>>>>>>>> > >>>>>>>>>> [sysvol] > >>>>>>>>>> path = /var/lib/samba/sysvol > >>>>>>>>>> read only = No > >>>>>>>>>> ---------------------------------------- > >>>>>>>>>> > >>>>>>>>>> But my nsswitch.conf is configured to use winbind: > >>>>>>>>>> grep win /etc/nsswitch.conf > >>>>>>>>>> passwd: files winbind > >>>>>>>>>> shadow: files winbind > >>>>>>>>>> group: files winbind > >>>>>>>>>> > >>>>>>>>>> And that works: > >>>>>>>>>> For users: > >>>>>>>>>> id administrator > >>>>>>>>>> uid=0(root) gid=0(root) groupes=0(root) > >>>>>>>>>> For computers: > >>>>>>>>>> id dc200$ > >>>>>>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain > >>>> controllers) > >>>>>>>>>> groupes=3000011(AD.DGFIP\domain > >>>>>>>>>> controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied > >> rodc > >>>>>>>>>> password > >>>>>>>>>> replication group) > >>>>>>>>>> > >>>>>>>>>> So idmapping seems to be enabled by 
default as there are no > >> UID/GID > >>>>>>>>>> declared on DC200 computer: > >>>>>>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid' > >>>>>>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7 > >>>>>>>>>> > >>>>>>>>>> So I still expect an issue about mapping computer accounts to > >>>>>> UNIX/Linux > >>>>>>>>>> local user. > >>>>>>>>>> > >>>>>>>>>> Hoping this helps, cheers, > >>>>>>>>>> > >>>>>>>>>> mathias > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>: > >>>>>>>>>> > >>>>>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select > an > >>>>>>>>>>> additional option when installing the tools. I believe it is > >>>>>> "something > >>>>>>>>>>> for NIS attributes". This adds the "UNIX" tab to ADUC and > allows > >>>> you > >>>>>> to > >>>>>>>>>>> set the uid/gid as well as group memberships for UNIX systems. > I > >>>>>> have > >>>>>>>>>>> done this on my networks, but I may have forgotten it on this > >> one. > >>>> I > >>>>>>>>>>> will check. I still have the issue, it is not a "node type" > >> issue. > >>>>>>>>>>> Lead IT/IS Specialist > >>>>>>>>>>> Reach Technology FP, Inc > >>>>>>>>>>> > >>>>>>>>>>> On 03/23/2016 12:01 PM, mj wrote: > >>>>>>>>>>> > >>>>>>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote: > >>>>>>>>>>>> > >>>>>>>>>>>>> And did you add those IDs to the sysvol share permissions? > >>>>>>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid > >>>> fields > >>>>>> in > >>>>>>>>>>>>> RSAT > >>>>>>>>>>>>> > >>>>>>>>>>>> I added them using LAM, because yes: using RSAT i also could > >> not. 
> >>>>>>>>>>>> (lam: www.ldap-account-manager.org/) > >>>>>>>>>>>> > >>>>>>>>>>>> -- > >>>>>>>>>>> To unsubscribe from this list go to the following URL and read > >> the > >>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>> -- > >>>>>>>>> To unsubscribe from this list go to the following URL and read > the > >>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>>>>>> > >>>>>> -- > >>>>>> To unsubscribe from this list go to the following URL and read the > >>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>> > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > > >
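The getfacl listing quoted above is what Louis asked for in order to check the GPO directory. As an added example (not from the thread and not Samba's own code), the Python below parses such a listing, evaluates it with the acl(5) access-check rules for a given uid and group list, and reports default (inherited) entries narrower than the directory's own; the uid 3000025 and gid 3000011 it tries are constructed values that do not appear in this listing.

```python
"""Evaluate a getfacl listing with the acl(5) access-check rules to see which
mapped uid/gid set gets read+execute on a GPO directory, and flag default
entries narrower than the directory's own. Added example, not from the thread."""
# The GPO directory ACL quoted in the thread (ids are numeric, owner is root).
GETFACL_SAMPLE = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000008:r-x
default:group::---
default:group:10000:rwx
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000007:rwx
default:group:3000008:r-x
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (owner, group, access, default); tables map (tag, qualifier) -> perm set."""
    owner = group = None
    access, default = {}, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            table = access
            if line.startswith("default:"):
                table, line = default, line[len("default:"):]
            tag, qual, perms = line.split(":")
            table[(tag, qual)] = set(perms) - {"-"}   # "r-x" -> {"r", "x"}
    return owner, group, access, default

def can_access(acl, uid, gids, wanted="rx"):
    """acl(5): the owner entry is unmasked; named-user and group entries are ANDed
    with the mask; in the group class one single matching entry must grant all of wanted."""
    owner, group, access, _ = acl
    want, mask = set(wanted), access.get(("mask", ""), set("rwx"))
    if uid == owner:
        return want <= access[("user", "")]
    if ("user", uid) in access:
        return want <= access[("user", uid)] & mask
    keys = [("group", g) for g in gids if ("group", g) in access]
    if group in gids:
        keys.append(("group", ""))      # owning-group entry also counts
    if keys:                            # in the group class: no fallthrough to other::
        return any(want <= access[k] & mask for k in keys)
    return want <= access[("other", "")]

def default_regressions(acl):
    """Default (inherited) entries that grant less than the same access entry:
    files created below will get less than the directory listing suggests."""
    _, _, access, default = acl
    return sorted(k for k, p in default.items() if k in access and p < access[k])
```

In this listing the owning group's default entry is `---` while its access entry is `rwx`; the named `group:10000` entry still covers that gid, so the checker reports the mismatch rather than a denial.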
Sébastien Le Ray
2016-Apr-15 11:36 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Hi,

So I finally get a non-working box again.

Tried the change network id (I do not have it, just clicked on "network identity" and passed through the wizard). No clue…

Tried with DC as DNS, still not working.

I tried to put an acl_xattr:ignore system acls = yes on all my DCs' sysvol shares but this does not seem to change anything (by the way, what is this parameter supposed to do in detail? I still cannot access a file if the underlying unix ACLs are not, and sysvolreset still puts ACLs on files).

On 29/03/2016 17:03, L.P.H. van Belle wrote:
> Ok, same as I'm running.
>
> DC => (replicated zones) => Slave DNS << == Client pc's.
>
> Have you tried to reset the network id manually from within windows?
> ( where you change/add the computer to the network )
> The button "change network-id."
>
> I have seen these things also with pc's which are wrongly sysprepped.
> Which causes same SIDs for the pc's.
>
> But please try also if you point the problem pc to the DCs as dns, please do try it.
>
>
>> -----Original message-----
>> From: Sébastien Le Ray [mailto:sebastien-samba at orniz.org]
>> Sent: Tuesday 29 March 2016 16:58
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>
>> Company's dns which recurse on AD DC for my.ad.domain subdomain
>>
>> Regards
>>
>> On 29/03/2016 16:52, L.P.H. van Belle wrote:
>>> Ok, where do your pc's get the DNS info from?
>>> Server : AD-DC + DNS
>>> Or
>>> Server : AD-DC
>>> +
>>> Some other server with DNS
>>>
>>>
>>> Can you give the output of
>>> dig NS your.domain.tld
>>>
>>> and tell us what it is.