> I had encountered a few problems with 2 Samba 4 rc3 DCs serving domain
> migrated from Windows 2003 R2. I post them altogether, since they look
> related.
>
> 1. Unable to create or delete GPOs.
>
> # bin/samba-tool gpo create somegpo
> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
>     self.samdb.add(m)
>
> I'm not sure if this is a schema or authentication problem. Could someone
> suggest how that should be investigated?
It looks like in the default Windows schema only members of Domain Admins can modify cn=Policies. If one allows the "Domain Controllers" group to have rw access too, the LDAP-related error disappears. However, a sysvol FS access error is then raised (due to the fact that machine accounts do not have write permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset). So, should samba-tool really use the machine account for GPO operations?

--
Best regards,
Dmitry Khromov
