Hi, when I remove a Windows client from the domain I get the following error message in log.samba: [2020/04/21 13:06:11.453483, 1] ../../source4/rpc_server/samr/dcesrv_samr.c:4071(dcesrv_samr_SetUserInfo) Failed to modify record CN=DESKTOP-C9L2OUQ,CN=Computers,DC=ad,DC=example,DC=net: Object CN=DESKTOP-C9L2OUQ,CN=Computers,DC=ad,DC=example,DC=net has no write property access The computer can still be listed via samba-tool after the client removal (I can delete it via samba-tool without problem). We are still testing, so I'm still using the administrator account for adding and removing Windows clients to the domain. The error message itself makes sense, the computer object does not have write access to the ldap (and I think should never have), but the administrator should have them. We are currently using Samba version 4.12.1-SerNet-Debian-5.buster. Do you have any idea? Best regards Daniel -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6098 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20200422/3d955b5b/smime.bin>
And for this one. Check if the object has the correct rights, does it has "SELF" rights for example. Its a longer list to take the time for it to check it. if you can not find it, try re-joining the computer to the AD domain. (more below inbetween lines)> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens von > Obernitz, Daniel via samba > Verzonden: woensdag 22 april 2020 14:05 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Error when removing client from domain > > Hi, > > when I remove a Windows client from the domain I get the > following error message in log.samba: > > [2020/04/21 13:06:11.453483, 1] > ../../source4/rpc_server/samr/dcesrv_samr.c:4071(dcesrv_samr_S > etUserInfo) > Failed to modify record > CN=DESKTOP-C9L2OUQ,CN=Computers,DC=ad,DC=example,DC=net: > Object > CN=DESKTOP-C9L2OUQ,CN=Computers,DC=ad,DC=example,DC=net has > no write property access > > The computer can still be listed via samba-tool after the > client removal (I can delete it via samba-tool without problem). > > We are still testing, so I'm still using the administrator > account for adding and removing Windows clients to the domain.Because that you most probley have problems.> The error message itself makes sense, the computer object > does not have write access to the ldap (and I think should > never have), but the administrator should have them.No it has no rights on it's own computer object in the AD. And they should have that. Try joining an other computer and verify the settings.> > We are currently using Samba version 4.12.1-SerNet-Debian-5.buster. > > Do you have any idea?Yup, see above ;-) Good luck.. Greetz, Louis
And you can stop for now with this part. First check/fix on the config.> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > L.P.H. van Belle via samba > Verzonden: woensdag 22 april 2020 14:52 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Error when removing client from domain > > And for this one. > > Check if the object has the correct rights, does it has > "SELF" rights for example. > Its a longer list to take the time for it to check it. > > if you can not find it, try re-joining the computer to the AD domain. > > (more below inbetween lines) > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens von > > Obernitz, Daniel via samba > > Verzonden: woensdag 22 april 2020 14:05 > > Aan: samba at lists.samba.org > > Onderwerp: [Samba] Error when removing client from domain > > > > Hi, > > > > when I remove a Windows client from the domain I get the > > following error message in log.samba: > > > > [2020/04/21 13:06:11.453483, 1] > > ../../source4/rpc_server/samr/dcesrv_samr.c:4071(dcesrv_samr_S > > etUserInfo) > > Failed to modify record > > CN=DESKTOP-C9L2OUQ,CN=Computers,DC=ad,DC=example,DC=net: > > Object > > CN=DESKTOP-C9L2OUQ,CN=Computers,DC=ad,DC=example,DC=net has > > no write property access > > > > The computer can still be listed via samba-tool after the > > client removal (I can delete it via samba-tool without problem). > > > > We are still testing, so I'm still using the administrator > > account for adding and removing Windows clients to the domain. > Because that you most probley have problems. > > > The error message itself makes sense, the computer object > > does not have write access to the ldap (and I think should > > never have), but the administrator should have them. > > No it has no rights on it's own computer object in the AD. > And they should have that. > Try joining an other computer and verify the settings. > > > > > We are currently using Samba version 4.12.1-SerNet-Debian-5.buster. > > > > Do you have any idea? > > Yup, see above ;-) > > Good luck.. > > Greetz, > > Louis > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Hi,> > The error message itself makes sense, the computer object > > does not have write access to the ldap (and I think should > > never have), but the administrator should have them. > > No it has no rights on it's own computer object in the AD. > And they should have that. > Try joining an other computer and verify the settings.I just did a test with a new computer by adding and removing it and the error message does not appear. So it seems to be a special issue with my previous tested client. I will look further into it...SELF permissions are set and they look the same on both clients, but I have another idea.. I'll come back to you if I can reproduce it better.> > We are still testing, so I'm still using the administrator > > account for adding and removing Windows clients to the domain. > Because that you most probley have problems.No, luckily there is no general problem :) The AC DC is working fine and we are currently planning and creating all administrative roles to finally get live with it.. Best regards Daniel -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6098 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20200422/97a723bc/smime.bin>