> Hello.
>
> I had encountered a few problems with 2 Samba 4 rc3 DCs serving domain
> migrated from Windows 2003 R2. I post them all together, since they look
> related.
>
> 1. Unable to create or delete GPOs.
> # bin/samba-tool gpo create somegpo
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on
> CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py",
> line 952, in run
> self.samdb.add(m)
>
> I'm not sure if this is a schema or authentication problem. Could someone
> suggest how should that be investigated?
>
> 2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry
> for duplicating, but this is updated).
> It looks like this on debug level = 5:
> [2012/10/30 02:23:38, 1]
> ../source4/dns_server/dns_server.c:150(dns_process_send)
> Failed to verify TSIG!
> Hosts are Windows XP, Windows 7, Samba 3 on Linux. Some do update
> successfully, some can succeed some time (say, 5 hours) later, or may still
> fail. This is weird.
> I should mention that we had some problem with Windows 2k3 demotion -
> during the process it had rewritten the SOA on (the only at that moment)
> Samba DC and put its own hostname in SOA's "primary NS" field. We had to
> fix that manually by replacing the SOA record in corresponding LDB.
> Maybe we had just missed something? Any ideas on what's wrong?
>
> 3. Some hosts may suddenly reject valid tickets for RPC calls.
> Somewhat like the previous one. For example, on some non-DC host I do:
> $ kinit
> $ #Got a ticket for some admin user, btw MIT is used here
> $ net rpc shutdown -S somehost -f -k # Samba 3's "net" command
> It may succeed for some hosts, but fail with NT_LOGON_FAILURE few hours
> later, before the ticket expires (and DCs still accept this ticket for
> e.g. samba-tool drs showrepl). Or it may later succeed for a host it was
> failing for. Renewing the ticket doesn't change anything.
> So, something strange for me, too. I had tried to reset some machine
> accounts and to rejoin some hosts. No luck.
>
> 4. Unrelated to the previous ones. Well, I'm sorry, I hadn't read the
> source to see if this is supposed to happen. But I'd better say that
> before I forget, just in case.
> Try to rename some host using Windows GUI (My Computer -> Properties) and
> check if CN, sAMAccountName and member for corresponding groups are
> changed correctly. In my experience, only sAMAccountName is changed.
> Once again, sorry if this is OK.
>
Something similar happens to me. But I noticed that I can create a new GPO
only with the first user the system had: administrator. None of the new
admin users I created worked, only administrator.

Best regards,
Felix.
