Jonathan Hunter
2016-Apr-14 16:03 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
I hate 'me too' replies - but I have also been struggling with this for some years in my multi-DC environment. (yes, replicated sysvol via lsyncd + rsync; permissions looked identical via getfacl last time I checked). Sometimes a client machine will run gpupdate just fine; other times it will fail, seemingly randomly.

My next step was going to be to run wireshark on a client machine to see if the problem follows a particular DC or pattern - as someone has already said elsewhere in this thread, the LOGONSERVER isn't necessarily the DC that GPOs are fetched from.

I don't have UIDs/GIDs for my machine accounts but maybe I should try to add them.. Unfortunately every time I sit down to troubleshoot this, the client machine runs gpupdate with no errors at all; and of course every time I make a GPO update that needs to be pushed out, it chooses that time to not work.. :)

I will try and do some wireshark work and let you know what I find.. It's definitely "not just you", though - and I'm glad it's not just me, as well! :-)

On 14 April 2016 at 15:42, Ryan Ashley <ryana at reachtechfp.com> wrote:

> Sorry for my delayed response, my job has had me out of state for a while. I wanted to add that I am not getting the Kerberos error in my event logs. It just flat out claims that it cannot read gpt.ini for some reason. This happens randomly, whether dc01 or dc02 is the logon server, and the strange part is that most PCs can work fine, but one or two randomly won't.
>
> In other words, if pc1 and pc3 are using dc01, and pc2 is using dc02, pc1 and pc2 work fine, but pc3 says it can't read the gpt.ini on dc01. This may persist for weeks, then it suddenly works.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 03/30/2016 06:01 AM, L.P.H. van Belle wrote:
>> I found this one.
>> Check which one works for you.
>>
>> http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm
>>
>> I'm sure this is not a samba configuration problem.
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>>> Sent: Tuesday 29 March 2016 16:18
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>>
>>> I don't read any French but translators work ok. ;-) pfew..
>>>
>>> Ok, any firewalling on the DC's? If so, open TCP and UDP port 88.
>>> Or try shortly without firewalls on, on the DC's.
>>>
>>> Other option to try is to reduce the MaxPacketSize in windows.
>>>
>>> Looks like a too big packet which is rejected.
>>>
>>> Ow and the above is also needed on the DNS port 53.
>>> Open tcp and udp.
>>>
>>> If the udp packets are too big, tcp is tried.
>>>
>>> And let us know the result.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: Sébastien Le Ray [mailto:sebastien at orniz.org]
>>>> Sent: Tuesday 29 March 2016 16:10
>>>> To: L.P.H. van Belle; samba at lists.samba.org
>>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>>>
>>>> Hi
>>>>
>>>> French windows version
>>>>
>>>> LSA Error
>>>>
>>>> Nom du journal :System
>>>> Source : LsaSrv
>>>> Date : 29/03/2016 15:49:56
>>>> ID de l'événement :40960
>>>> Catégorie de la tâche :Aucun
>>>> Niveau : Avertissement
>>>> Mots clés :
>>>> Utilisateur : Système
>>>> Ordinateur : computer.domain
>>>> Description :
>>>> Le système de sécurité a détecté une erreur d'authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d'authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)".
>>>> XML de l'événement :
>>>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>>> <System>
>>>> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
>>>> <EventID>40960</EventID>
>>>> <Version>0</Version>
>>>> <Level>3</Level>
>>>> <Task>0</Task>
>>>> <Opcode>0</Opcode>
>>>> <Keywords>0x8000000000000000</Keywords>
>>>> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
>>>> <EventRecordID>8737</EventRecordID>
>>>> <Correlation />
>>>> <Execution ProcessID="840" ThreadID="900" />
>>>> <Channel>System</Channel>
>>>> <Computer>computer.domain</Computer>
>>>> <Security UserID="S-1-5-18" />
>>>> </System>
>>>> <EventData>
>>>> <Data Name="Target">cifs/computer.domain</Data>
>>>> <Data Name="Protocol">Kerberos</Data>
>>>> <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data>
>>>> </EventData>
>>>> </Event>
>>>>
>>>> GPT.ini error
>>>>
>>>> Nom du journal :System
>>>> Source : LsaSrv
>>>> Date : 29/03/2016 15:49:56
>>>> ID de l'événement :40960
>>>> Catégorie de la tâche :Aucun
>>>> Niveau : Avertissement
>>>> Mots clés :
>>>> Utilisateur : Système
>>>> Ordinateur : computer.domain
>>>> Description :
>>>> Le système de sécurité a détecté une erreur d'authentification pour le serveur cifs/domain. Le code de la panne à partir du protocole d'authentification Kerberos était "Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)".
>>>> XML de l'événement :
>>>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>>> <System>
>>>> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
>>>> <EventID>40960</EventID>
>>>> <Version>0</Version>
>>>> <Level>3</Level>
>>>> <Task>0</Task>
>>>> <Opcode>0</Opcode>
>>>> <Keywords>0x8000000000000000</Keywords>
>>>> <TimeCreated SystemTime="2016-03-29T13:49:56.437021000Z" />
>>>> <EventRecordID>8737</EventRecordID>
>>>> <Correlation />
>>>> <Execution ProcessID="840" ThreadID="900" />
>>>> <Channel>System</Channel>
>>>> <Computer>computer.domain</Computer>
>>>> <Security UserID="S-1-5-18" />
>>>> </System>
>>>> <EventData>
>>>> <Data Name="Target">cifs/domain</Data>
>>>> <Data Name="Protocol">Kerberos</Data>
>>>> <Data Name="Error">"Le nombre maximal de tickets de référence a été dépassé. (0xc00002f4)"</Data>
>>>> </EventData>
>>>> </Event>
>>>>
>>>> root at dc:/var/lib/samba/sysvol/domain/Policies# getfacl \{0C4FEDE7-E06F-44AA-8866-8502A95C0EE0\}/
>>>> # file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
>>>> # owner: root
>>>> # group: 10000
>>>> user::rwx
>>>> user:root:rwx
>>>> user:3000002:rwx
>>>> user:3000003:r-x
>>>> user:3000007:rwx
>>>> user:3000008:r-x
>>>> group::rwx
>>>> group:10000:rwx
>>>> group:3000002:rwx
>>>> group:3000003:r-x
>>>> group:3000007:rwx
>>>> group:3000008:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:3000002:rwx
>>>> default:user:3000003:r-x
>>>> default:user:3000007:rwx
>>>> default:user:3000008:r-x
>>>> default:group::---
>>>> default:group:10000:rwx
>>>> default:group:3000002:rwx
>>>> default:group:3000003:r-x
>>>> default:group:3000007:rwx
>>>> default:group:3000008:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> DHCP IP
>>>>
>>>> Regards
>>>>
>>>> On 29/03/2016 15:46, L.P.H. van Belle wrote:
>>>>> Complete event id of :
>>>>>> But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini
>>>>> And a getfacl of the problem GPO SID please, I'll check.
>>>>>
>>>>> And an output of ipconfig /all on the problem pc.
>>>>>
>>>>> And question, dedicated IP or dhcp IP?
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
>>>>>> Sent: Tuesday 29 March 2016 15:41
>>>>>> CC: samba
>>>>>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>>>>>
>>>>>> LOGONSERVER is the server used to authenticate the currently logged in user, this does not mean that it is the one from which the machine GPO was fetched (which seems to be round-robinized, but maybe not)
>>>>>>
>>>>>> Got no more sysvolcheck error, manually fixed those (what a pain)
>>>>>>
>>>>>> But still, events log show a warning about kerberos ticket from LsaSrv source and right after a permission denied on GPT.ini
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On 29/03/2016 15:16, mathias dufresne wrote:
>>>>>>> About sysvolreset errors: send them to us. There is (at least) one error from sysvolcheck which is not too much important (if I have well understood it): ACL is set on FS to Local Admins when it should be Domain admins (or the contrary). That one should be a simple warning, or it is and it can be ignored (once more: according to my memory).
>>>>>>>
>>>>>>> 2016-03-29 15:14 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>>>>>>>
>>>>>>>> To see which DC is used by Windows client: open a MSDOS console, type "set", look for LOGONSERVER=\\<your_dc>
>>>>>>>>
>>>>>>>> <your_dc> is the DC used to connect on.
>>>>>>>>
>>>>>>>> If issue comes from one DC I would have on sysvol synchronisation between DC, ACL on all sysvol, DNS entries (but I don't think that's a DNS issue if you have only GPO issue).
>>>>>>>>
>>>>>>>> 2016-03-29 14:51 GMT+02:00 Sébastien Le Ray <sebastien-samba at orniz.org>:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> Same here, GPO work without UID/GID on machine account (since issue "resolves" itself sometime)
>>>>>>>>>
>>>>>>>>> It really seems to depend on which DC is chosen at start.
>>>>>>>>>
>>>>>>>>> One of the affected machines just recovered without any change except a reboot
>>>>>>>>>
>>>>>>>>> So I guess root issue is the kerberos one "max reference tickets exceeded" but cannot see why it happens and on which DC
>>>>>>>>>
>>>>>>>>> I noticed this morning that sysvolcheck returns errors that won't be fixed by sysvolreset (!), I manually fixed ntacl but this does not seem to have fixed anything
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> On 29/03/2016 11:57, mathias dufresne wrote:
>>>>>>>>>
>>>>>>>>>> I'm not an expert in idmap (at all in fact :p) but I thought idmap stuff was here to replace RFC2307 UID/GID declared into AD/LDAP objects. In other words, if you configure idmap correctly into smb.conf I expect you don't need to declare UID/GID for machine accounts any more.
>>>>>>>>>>
>>>>>>>>>> Anyway here my machines get access to their GPO: I tested one computer's GPO this morning, the one giving the possibility to use userPrincipalName without @samba.domain.tld when logging into a computer. That worked so the GPO was applied and my machines have no UID/GID nor does my smb.conf contain anything about idmap:
>>>>>>>>>> ----------------------------------------
>>>>>>>>>> [global]
>>>>>>>>>> workgroup = SAMBA
>>>>>>>>>> realm = SAMBA.DOMAIN.TLD
>>>>>>>>>> netbios name = DC200
>>>>>>>>>> server role = active directory domain controller
>>>>>>>>>>
>>>>>>>>>> server services = -dns
>>>>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>>>>
>>>>>>>>>> # NOTE: removed as we now use BIND-DLZ DNS backend
>>>>>>>>>> #dns forwarder = 10.156.32.99
>>>>>>>>>>
>>>>>>>>>> #kccsrv:samba_kcc=true
>>>>>>>>>>
>>>>>>>>>> [netlogon]
>>>>>>>>>> path = /var/lib/samba/sysvol/samba.domain.tld/scripts
>>>>>>>>>> read only = No
>>>>>>>>>>
>>>>>>>>>> [sysvol]
>>>>>>>>>> path = /var/lib/samba/sysvol
>>>>>>>>>> read only = No
>>>>>>>>>> ----------------------------------------
>>>>>>>>>>
>>>>>>>>>> But my nsswitch.conf is configured to use winbind:
>>>>>>>>>> grep win /etc/nsswitch.conf
>>>>>>>>>> passwd: files winbind
>>>>>>>>>> shadow: files winbind
>>>>>>>>>> group: files winbind
>>>>>>>>>>
>>>>>>>>>> And that works:
>>>>>>>>>> For users:
>>>>>>>>>> id administrator
>>>>>>>>>> uid=0(root) gid=0(root) groupes=0(root)
>>>>>>>>>> For computers:
>>>>>>>>>> id dc200$
>>>>>>>>>> uid=3000025(AD.DGFIP\dc200$) gid=3000011(AD.DGFIP\domain controllers) groupes=3000011(AD.DGFIP\domain controllers),3000025(AD.DGFIP\dc200$),3000002(AD.DGFIP\denied rodc password replication group)
>>>>>>>>>>
>>>>>>>>>> So idmapping seems to be enabled by default as there are no UID/GID declared on DC200 computer:
>>>>>>>>>> ldbsearch -H $sam cn=dc200 | egrep -i 'uid|gid'
>>>>>>>>>> objectGUID: 0f8f8882-59f2-44dd-bccf-dda8c4c3ecc7
>>>>>>>>>>
>>>>>>>>>> So I still expect an issue about mapping computer accounts to UNIX/Linux local user.
>>>>>>>>>>
>>>>>>>>>> Hoping this helps, cheers,
>>>>>>>>>>
>>>>>>>>>> mathias
>>>>>>>>>>
>>>>>>>>>> 2016-03-26 22:04 GMT+01:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>>>>
>>>>>>>>>>> I add UNIX attributes (gid/uid) using RSAT. You need to select an additional option when installing the tools. I believe it is "something for NIS attributes". This adds the "UNIX" tab to ADUC and allows you to set the uid/gid as well as group memberships for UNIX systems. I have done this on my networks, but I may have forgotten it on this one. I will check. I still have the issue, it is not a "node type" issue.
>>>>>>>>>>>
>>>>>>>>>>> Lead IT/IS Specialist
>>>>>>>>>>> Reach Technology FP, Inc
>>>>>>>>>>>
>>>>>>>>>>> On 03/23/2016 12:01 PM, mj wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On 03/23/2016 03:12 PM, Sébastien Le Ray wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> And did you add those IDs to the sysvol share permissions?
>>>>>>>>>>>>> I guess you used samba-tool since I cannot find any gid/uid fields in RSAT
>>>>>>>>>>>>
>>>>>>>>>>>> I added them using LAM, because yes: using RSAT I also could not.
>>>>>>>>>>>>
>>>>>>>>>>>> (lam: www.ldap-account-manager.org/)
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
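Jonathan's "permissions looked identical via getfacl" is the one check in this thread that is cheap to automate before reaching for wireshark. The script below is an added example, not code from this thread or from the Samba project: it parses plain getfacl output collected from each DC and reports every ACL entry that differs. The first sample is the access-ACL part of the getfacl listing Sébastien pasted above; the second is a constructed listing for a replica DC whose sysvol was copied by rsync without -A, so the named entries never arrived.

```python
"""Diff the POSIX ACL of a replicated sysvol GPO directory across DCs.
Input is plain getfacl output per DC, so it can be gathered over ssh."""

# Access-ACL part of the getfacl output pasted in the thread (default
# entries left out for brevity); used as the sample for the first DC.
GETFACL_DC1 = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000008:r-x
group::rwx
group:10000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000007:rwx
group:3000008:r-x
mask::rwx
other::---
"""

# Constructed sample for a second DC whose copy was made by rsync without
# -A (and -X): the named entries did not travel, so only the owner, group
# and other bits remain and every domain account falls into "other".
GETFACL_DC2 = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: root
# group: 10000
user::rwx
group::rwx
other::---
"""


def parse_getfacl(text):
    """Return (header, entries); entries maps '[default:]tag:qualifier'
    to its permission string, e.g. 'user:3000003' -> 'r-x'."""
    header, entries = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        # getfacl appends '#effective:...' when the mask narrows an entry
        line = line.split("#", 1)[0].strip()
        key, _, perms = line.rpartition(":")
        entries[key] = perms
    return header, entries


def compare_acls(per_dc):
    """per_dc maps DC name -> getfacl text. Returns [(entry, {dc: perms}), ...]
    for every entry not identical on all DCs; None marks an absent entry."""
    parsed = {dc: parse_getfacl(text)[1] for dc, text in per_dc.items()}
    keys = set()
    for entries in parsed.values():
        keys.update(entries)
    diffs = []
    for key in sorted(keys):
        values = {dc: entries.get(key) for dc, entries in parsed.items()}
        if len(set(values.values())) > 1:
            diffs.append((key, values))
    return diffs


def local_numeric_ids(entries):
    """Numeric qualifiers in the ACL (3000002 and friends). On a Samba AD DC
    these come from the DC-local idmap.ldb unless the object carries an
    rfc2307 uidNumber/gidNumber, so the same number on another DC may stand
    for a different SID even when the two ACLs compare equal."""
    return {key.split(":")[-1] for key in entries if key.split(":")[-1].isdigit()}


def report(per_dc):
    """One human-readable line per differing entry."""
    lines = []
    for key, values in compare_acls(per_dc):
        cells = ", ".join(f"{dc}={v or '<absent>'}" for dc, v in sorted(values.items()))
        lines.append(f"{key}: {cells}")
    return lines


if __name__ == "__main__":
    samples = {"dc1": GETFACL_DC1, "dc2": GETFACL_DC2}
    for line in report(samples):
        print(line)
    print("idmap-local ids:", sorted(local_numeric_ids(parse_getfacl(GETFACL_DC1)[1])))
```

Two caveats the diff cannot see: rsync only carries POSIX ACLs and the xattr holding Samba's NT ACL with -A and -X, and because idmap.ldb is per DC, a replica that was not given the same idmap.ldb needs `samba-tool ntacl sysvolreset` run on it before its numeric IDs mean what the source DC's do.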
Sébastien Le Ray
2016-Apr-18 09:22 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Hi list

I have another box hitting the problem

It's rather strange since a manual run of gpupdate terminates smoothly, the only failure seems to be at boot time (sadly this seems to prevent the boot scripts from being run, which is of course what we need…)

My guess was that the issue was arising when boot-up GPO fetching wasn't performed on the DC on which machine authentication was done (as I said before, this is due to the fact that sysvol is supposed to be a DFS share so it is accessed through \\domain.fqdn\ which, when using samba, is a dumb round robin). So what I did was to remove all DNS entries for domain.fqdn except for the site DC IP, thus ensuring that GPO was fetched from the same machine… Without success

I ran wireshark during machine boot up; the sequence is basically
dig -t SRV _ldap._tcp.dc._msdcs.domain.fqdn
<= all domain controllers
=> pick one to get my site
<= your site is XXX
dig -t SRV _ldap._tcp.XXX._sites.dc._msdcs.domain.fqdn
<= site DC
All subsequent communication is made with the DC the box fetched… Still no success
I can see SMB2 negotiate protocol request/response, DNS updates, but GPT.ini reading still fails

Regards

On 14/04/2016 18:03, Jonathan Hunter wrote:
L.P.H. van Belle
2016-Apr-18 09:57 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Hai,

Yeah, you have probably one of these 2 problems. ( or both )

1)
This is probably because your "computer" *(user) does not have any access.
Recheck your permissions on the share and folders for that specific policy.

2)
Connections specific suffix and/or network suffix is wrong.
Check if your pc is set up correctly with dhcp.
Ipconfig /all ( check these, and make sure you have "hybrid" (H-node) )

This is not a samba problem but a configuration problem,
or a corruption in your ip stack, (netsh int ip reset) can help also.

I've posted a link before this one, go through it, here are multiple good options to check out.

http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
> Sent: Monday 18 April 2016 11:22
> To: Jonathan Hunter; samba
> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>
> Hi list
>
> I have another box hitting the problem
>
> It's rather strange since a manual run of gpupdate terminates smoothly, the only failure seems to be at boot time (sadly this seems to prevent the boot scripts from being run, which is of course what we need…)
>
> My guess was that the issue was arising when boot-up GPO fetching wasn't performed on the DC on which machine authentication was done (as I said before, this is due to the fact that sysvol is supposed to be a DFS share so it is accessed through \\domain.fqdn\ which, when using samba, is a dumb round robin). So what I did was to remove all DNS entries for domain.fqdn except for the site DC IP, thus ensuring that GPO was fetched from the same machine… Without success
>
> I ran wireshark during machine boot up; the sequence is basically
> dig -t SRV _ldap._tcp.dc._msdcs.domain.fqdn
> <= all domain controllers
> => pick one to get my site
> <= your site is XXX
> dig -t SRV _ldap._tcp.XXX._sites.dc._msdcs.domain.fqdn
> <= site DC
> All subsequent communication is made with the DC the box fetched… Still no success
> I can see SMB2 negotiate protocol request/response, DNS updates, but GPT.ini reading still fails
>
> Regards
Sébastien Le Ray
2016-Apr-18 10:46 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Hi

On 18/04/2016 11:57, L.P.H. van Belle wrote:
> Hai,
>
> Yeah, you have probably one of these 2 problems. ( or both )
>
> 1)
> This is probably because your "computer" *(user) does not have any access.
> Recheck your permissions on the share and folders for that specific policy.

Performed sysvolreset, checked access in Windows, all DCs the same (authenticated users & enterprise DC can read, system, domain/enterprise admins have full control)

How do you explain that manual gpupdate /force works with no issue

Tried to leave/rejoin domain (with machine account deletion after leave) → no change

> 2)
> Connections specific suffix and/or network suffix is wrong.
> Check if your pc is set up correctly with dhcp.
> Ipconfig /all ( check these, and make sure you have "hybrid" (H-node) )

Node type is hybrid. Wireshark shows that DNS queries are performed against the right suffixes and does not show any DNS error

> This is not a samba problem but a configuration problem,
> or a corruption in your ip stack, (netsh int ip reset) can help also.

Done without success

> I've posted a link before this one, go through it, here are multiple good options to check out.
>
> http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm

Yeah checked a good part of them with no success. This seems more like some random voodoo. And a good part of them involves configuration on windows DC…
L.P.H. van Belle
2016-Apr-18 10:58 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Ok, try this.

Give the pc a uid and check again.
If it works then, it's a share or security right.

Gpupdate /force works because at that point your "user"/user has a uid and gid.
The error occurs at start up because the COMPUTERNAME$ doesn't have access to that gpt.ini.
Resetting sysvol in that case doesn't help because the right on the gpt.ini is set by the group you assigned to the policy. ( so can be an inheritance problem also )

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
> Sent: Monday 18 April 2016 12:46
> To: samba at lists.samba.org
> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>
> Hi
>
> On 18/04/2016 11:57, L.P.H. van Belle wrote:
> > Hai,
> >
> > Yeah, you have probably one of these 2 problems. ( or both )
> >
> > 1)
> > This is probably because your "computer" *(user) does not have any access.
> > Recheck your permissions on the share and folders for that specific policy.
>
> Performed sysvolreset, checked access in Windows, all DCs the same (authenticated users & enterprise DC can read, system, domain/enterprise admins have full control)
>
> How do you explain that manual gpupdate /force works with no issue
>
> Tried to leave/rejoin domain (with machine account deletion after leave) → no change
>
> > 2)
> > Connections specific suffix and/or network suffix is wrong.
> > Check if your pc is set up correctly with dhcp.
> > Ipconfig /all ( check these, and make sure you have "hybrid" (H-node) )
>
> Node type is hybrid. Wireshark shows that DNS queries are performed against the right suffixes and does not show any DNS error
>
> > This is not a samba problem but a configuration problem,
> > or a corruption in your ip stack, (netsh int ip reset) can help also.
>
> Done without success
>
> > I've posted a link before this one, go through it, here are multiple good options to check out.
> >
> > http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-phase-1.htm
>
> Yeah checked a good part of them with no success. This seems more like some random voodoo. And a good part of them involves configuration on windows DC…
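One way to check Louis's theory on the DC itself, added here as an example for this thread (it is not Samba's code and not from any of the posters): parse a `getfacl -n` dump of the policy directory and evaluate it under the acl(5) rules for the uid and gids that `id COMPUTERNAME$` prints, then do the same for the default ACL that a rewritten GPT.ini would inherit. The sample ACL and the ids 3000040 and 3000012 are constructed for the example.

```python
"""Check a getfacl(1) dump with the kernel's POSIX ACL rules for one account."""
import re
from dataclasses import dataclass, field

# Constructed sample in getfacl -n (numeric) form, modelled on the policy
# directory ACL posted earlier in this thread; not taken from a real DC.
SAMPLE_GETFACL = """\
# file: {0C4FEDE7-E06F-44AA-8866-8502A95C0EE0}/
# owner: 0
# group: 10000
user::rwx
user:3000003:r-x
group::rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

@dataclass
class Acl:
    owner: str  # qualifiers are compared as strings: use getfacl -n and the
    group: str  # numeric ids that `id COMPUTERNAME$` prints on the DC
    access: list = field(default_factory=list)   # (tag, qualifier, {perms})
    default: list = field(default_factory=list)  # inheritable entries

def parse_getfacl(text: str) -> Acl:
    acl = Acl("", "")
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop effective-rights hints
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                setattr(acl, m.group(1), m.group(2))
            continue
        target = acl.access
        if line.startswith("default:"):
            line, target = line[8:], acl.default
        tag, qualifier, perms = line.split(":")
        target.append((tag, qualifier, set(perms.replace("-", ""))))
    return acl

def _entries(entries, tag, qualifier=""):
    return [p for t, q, p in entries if t == tag and q == qualifier]

def permitted(acl: Acl, uid: str, gids, want: str = "r") -> bool:
    """POSIX ACL access check, following the algorithm described in acl(5)."""
    want = set(want)
    masks = _entries(acl.access, "mask")
    mask = masks[0] if masks else set("rwx")
    if uid == acl.owner:  # ACL_USER_OBJ: the owner, never masked
        return want <= _entries(acl.access, "user")[0]
    named = _entries(acl.access, "user", uid)
    if named:  # ACL_USER: named user, masked
        return want <= (named[0] & mask)
    matches = []
    for gid in gids:  # ACL_GROUP_OBJ and ACL_GROUP, all masked
        if gid == acl.group:
            matches += _entries(acl.access, "group")
        matches += _entries(acl.access, "group", gid)
    if matches:  # any single matching group entry that grants it suffices
        return any(want <= (p & mask) for p in matches)
    return want <= _entries(acl.access, "other")[0]  # ACL_OTHER

def inherited_acl(parent: Acl, owner: str, group: str) -> Acl:
    """Upper bound of the access ACL a newly written GPT.ini gets beneath
    `parent`: its default ACL (the creation mode can only narrow it)."""
    return Acl(owner, group, access=list(parent.default))
```

If the policy directory grants read to the machine account but GPT.ini itself or the inherited ACL does not, the gap is in inheritance, which sysvolreset alone will not reveal. Running the same check against each DC's sysvol shows whether the failure follows one DC.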