samba - Apr 2016 - Permission denied on GPT.ini (Event ID 1058)

Ok, try this. 

Gif the pc a uid and check again. 
If it works then, its a share or security right. 

Gpupdate /force works because at that point you "user"/user has a uid
and gid.

The error occurs at start up because the COMPUTERNAME$ doent have access to that
gpt.ini.

Resetting sysvol in that case doent help because the right on the gpt.ini is set
by the group you assigned to the policy.
( so can be an inherrentance problem also ) 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sébastien Le
Ray
> Verzonden: maandag 18 april 2016 12:46
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> 
> Hi
> 
> Le 18/04/2016 11:57, L.P.H. van Belle a écrit :
> > Hai,
> >
> > Yeah, you have probely one of these 2 problems.  ( or both )
> >
> > 1)
> > This is probely because your "computer" *(user)  does not
have any
> acces.
> > Recheck you permissions on the share and and folders for that specific
> policie.
> 
> Performed sysvolreset, checked access in Windows, all DC the same
> (authenticated users & enterprise DC can read, system,
domain/enterprise
> admins have full control)
> 
> How do you explain that manual gpupdate /force works with no issue
> 
> Tried to leave/rejoin domain (with machine account deletion after leave)
> ??? no change
> 
> >
> > 2)
> > Connections specific suffic and/or network suffic is wrong.
> > Check if you pc is setup correct with dhcp.
> > Ipconfig /all ( check these, and make sure you have "hybrib"
(H-node)
> 
> Node type is hybrid. Wireshark show that DNS queries are performed
> against right suffices and does not show any DNS error
> 
> >
> > This is not a samba problem but a configuration problem,
> > or a corruption in you ip stack, (n	) can help also.
> Done without success
> >
> > I've posted a link before this one, go throug it, here are
multiple good
> options to check out.
> >
> >
http://www.eventid.net/display-eventid-40960-source-LSASRV-eventno-8508-
> phase-1.htm
> 
> Yeah checked a good part of them with no success. This seems more like
> some random voodoo. And a good part of them involves configuration on
> windows DC?
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Le 18/04/2016 12:58, L.P.H. van Belle a écrit :
> Ok, try this.
>
> Gif the pc a uid and check again.
> If it works then, its a share or security right.
>
> Gpupdate /force works because at that point you "user"/user has a
uid and gid.
I don't think so, I launch gpupdate using local admin account, so as I 
understand it, only computer account is used (since local admin as no 
existence on the domain)
>
> The error occurs at start up because the COMPUTERNAME$ doent have access to
that gpt.ini.
wbinfo -i COMPUTERNAME$ & wbinfo -r COMPUTERNAME$ correctly returns him 
as member of domain computers (with proper gid) and a custom group to 
which it was added

I added an uidNumber to the machine, should I explicitely add it to the 
GPO access rights?

Regards

Ok, 

 
> I don't think so, I launch gpupdate using local admin account, so as I
> understand it, only computer account is used (since local admin as no
> existence on the domain)
Why a local admin, please use a ?domain admin? .. 

 

Test as follow. 

Open de security tab of the GPT.INI. 

Advanced settings, last tab, effective settings, 

At objecttype, deselect all, select computer. 

Search for : COMPUTERNAME$ 

It should resolve to your computer. 

Klik ok, now check the security settings again here. 

Must have at least :

Traverse Folder / Execute file. 

List folder/ Read Data

Read Attributes. 

Read Exended Attributes. 

Read permissions. 

 

 
> wbinfo -i COMPUTERNAME$ & wbinfo -r COMPUTERNAME$ correctly returns him
> as member of domain computers (with proper gid) and a custom group to
> which it was added
When thats ok, keep it as is now, looks good. 

 

After checking you rights, 

You can try this also if we speak of windows 7, try this. 

( just found this ) 

 

Open CMD Box as Administrator. 

 

Run : 

DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group
Policy\History\*.*"

gpupdate /force ( or reboot ) 

 

Greetz, 

 

Louis

 
> -----Oorspronkelijk bericht-----
> Van: Sébastien Le Ray [mailto:sebastien-samba at orniz.org]
> Verzonden: maandag 18 april 2016 15:03
> Aan: L.P.H. van Belle; samba at lists.samba.org
> Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> 
> 
> 
> Le 18/04/2016 12:58, L.P.H. van Belle a écrit :
> > Ok, try this.
> >
> > Gif the pc a uid and check again.
> > If it works then, its a share or security right.
> >
> > Gpupdate /force works because at that point you "user"/user
has a uid
> and gid.
> 
> I don't think so, I launch gpupdate using local admin account, so as I
> understand it, only computer account is used (since local admin as no
> existence on the domain)
> 
> >
> > The error occurs at start up because the COMPUTERNAME$ doent have
access
> to that gpt.ini.
> 
> wbinfo -i COMPUTERNAME$ & wbinfo -r COMPUTERNAME$ correctly returns him
> as member of domain computers (with proper gid) and a custom group to
> which it was added
> 
> I added an uidNumber to the machine, should I explicitely add it to the
> GPO access rights?
> 
> Regards
 

Le 18/04/2016 15:35, L.P.H. van Belle a écrit :
> Ok,
>
>
>
>> I don't think so, I launch gpupdate using local admin account, so
as I
>> understand it, only computer account is used (since local admin as no
>> existence on the domain)
> Why a local admin, please use a ?domain admin? ..
No incidence (since in fact interactive update always work :) )
>
>
>
> Test as follow.
>
> Open de security tab of the GPT.INI.
>
> Advanced settings, last tab, effective settings,
>
> At objecttype, deselect all, select computer.
>
> Search for : COMPUTERNAME$
>
> It should resolve to your computer.
>
> Klik ok, now check the security settings again here.
>
> Must have at least :
>
> Traverse Folder / Execute file.
>
> List folder/ Read Data
>
> Read Attributes.
>
> Read Exended Attributes.
>
> Read permissions.
>
>
>
> Run :
>
> DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group
Policy\History\*.*"
>
> gpupdate /force
This works (as usual)
> ( or reboot )
This fails


Analyzing the complete boot sequence, I see several errors

DHCP starting
DHCPv6 starting
NETLOGON error no domain controller found
LSASrv issue (max reference tickets exceeded)
GPO error (failure to read GPT.INI)

It looks like this: https://support.microsoft.com/en-us/kb/2421599 but 
suggested fix doesn't make any difference.

It may be related to SSD enabled machines which boot too fast, but 
cannot remember if non-SSD ones hit the bug too

Regards

Ok based on  the MS link. 

Have you enabled under Computer Configuration in the navigation tree on the left
side, navigate to Administrative Templates\System\Logon

Enable "Always wait for the network at computer startup and logon" 

If not done yet. 

Greetz, 

Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sébastien Le
Ray
> Verzonden: maandag 18 april 2016 16:38
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
> 
> 
> 
> Le 18/04/2016 15:35, L.P.H. van Belle a écrit :
> > Ok,
> >
> >
> >
> >> I don't think so, I launch gpupdate using local admin account,
so as I
> >> understand it, only computer account is used (since local admin as
no
> >> existence on the domain)
> > Why a local admin, please use a ?domain admin? ..
> 
> No incidence (since in fact interactive update always work :) )
> 
> >
> >
> >
> > Test as follow.
> >
> > Open de security tab of the GPT.INI.
> >
> > Advanced settings, last tab, effective settings,
> >
> > At objecttype, deselect all, select computer.
> >
> > Search for : COMPUTERNAME$
> >
> > It should resolve to your computer.
> >
> > Klik ok, now check the security settings again here.
> >
> > Must have at least :
> >
> > Traverse Folder / Execute file.
> >
> > List folder/ Read Data
> >
> > Read Attributes.
> >
> > Read Exended Attributes.
> >
> > Read permissions.
> >
> >
> >
> > Run :
> >
> > DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group
> Policy\History\*.*"
> >
> > gpupdate /force
> 
> This works (as usual)
> 
> > ( or reboot )
> 
> This fails
> 
> 
> Analyzing the complete boot sequence, I see several errors
> 
> DHCP starting
> DHCPv6 starting
> NETLOGON error no domain controller found
> LSASrv issue (max reference tickets exceeded)
> GPO error (failure to read GPT.INI)
> 
> It looks like this: https://support.microsoft.com/en-us/kb/2421599 but
> suggested fix doesn't make any difference.
> 
> It may be related to SSD enabled machines which boot too fast, but
> cannot remember if non-SSD ones hit the bug too
> 
> Regards
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba