> On Wed, 2012-10-31 at 03:33 +0400, Dmitry Khromov wrote:
> > > I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain 
> > > migrated from Windows 2003 R2. I post them all together, since they look 
> > > related.
> > > 
> > > 1. Unable to create or delete GPOs.
> > > # bin/samba-tool gpo create somegpo
> > > ERROR(ldb): uncaught exception - LDAP error 50 
> > > LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on 
> > > CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
> > >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
> > >     self.samdb.add(m)
> > > 
> > > I'm not sure if this is a schema or authentication problem. Could someone 
> > > suggest how should that be investigated?
> > 
> > It looks like in the default Windows schema only members of Domain Admins can 
> > modify cn=Policies. If one allows the "Domain controllers" group to have rw 
> > access too, the LDAP-related error disappears. However, a sysvol FS access 
> > error is raised (due to the fact that machine accounts do not have write 
> > permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).
> > So, should samba-tool really use the machine account for GPO operations?
> 
> Probably not for write operations. 
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> 
> 

And it actually doesn't. Sorry, I'm an idiot. I forgot the -k switch, so it was 
falling back to the machine account. Now it says NT_STATUS_INVALID_OWNER in 
conn.set_acl, but that's a different story.

-- 
Best regards,
Dmitry Khromov
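The root cause in this thread is an operational one: a samba-tool write operation (gpo create) was run without -k or -U, fell back to the machine account, and failed the ACL check on CN=Policies with LDAP error 50. The following is an added example, not code from the thread or from the Samba project: a small POSIX sh wrapper that refuses to run samba-tool unless the caller has named a user principal (-U/--username) or asked for Kerberos (-k yes, --kerberos=yes, or the newer --use-kerberos=required), and, when Kerberos is requested, checks for a cached ticket first. It assumes samba-tool is on PATH (the SAMBA_TOOL variable exists only so the wrapper can be exercised against a stub) and that klist is MIT Kerberos' klist, whose -s flag exits non-zero when the cache is missing or expired. The GPO name "somegpo" and the user "Administrator" in the usage comment are taken from the thread and the usual default, respectively.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): run samba-tool
# write operations only with explicit credentials, so a forgotten -k/-U cannot
# silently fall back to the machine account and hit LDAP error 50 on
# CN=Policies as described above.
# Assumptions: samba-tool is on PATH (SAMBA_TOOL overrides it for testing);
# klist, if present, is MIT klist, where "klist -s" exits 1 on no/expired ticket.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# kerberos_opt ARGS... -> prints the value given to -k / --kerberos /
# --use-kerberos (e.g. "yes", "no", "required"); prints nothing if absent.
kerberos_opt() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -k|--kerberos|--use-kerberos) printf '%s\n' "${2:-}"; return 0 ;;
            -k*)                          printf '%s\n' "${1#-k}"; return 0 ;;
            --kerberos=*|--use-kerberos=*) printf '%s\n' "${1#*=}"; return 0 ;;
        esac
        shift
    done
    return 0
}

# has_user_opt ARGS... -> 0 if -U/--username names a principal, else 1.
has_user_opt() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -U|--username)        [ -n "${2:-}" ] && return 0 ;;
            -U?*|--username=?*)   return 0 ;;
        esac
        shift
    done
    return 1
}

# uses_kerberos ARGS... -> 0 if the arguments actually request Kerberos.
uses_kerberos() {
    case "$(kerberos_opt "$@")" in
        yes|required) return 0 ;;
    esac
    return 1
}

# creds_present ARGS... -> 0 if the call would authenticate as a user
# principal (password or ticket) rather than as the DC's machine account.
creds_present() {
    has_user_opt "$@" || uses_kerberos "$@"
}

# ticket_ok -> 0 if a usable ticket is cached, or if klist is unavailable
# (nothing to check; samba-tool itself will report a missing ticket).
ticket_ok() {
    command -v klist >/dev/null 2>&1 || return 0
    klist -s
}

# samba_tool_write ARGS... : run "samba-tool ARGS" only with explicit creds.
# Exit 2 if it would fall back to the machine account, 3 if Kerberos was
# requested without a cached ticket; otherwise samba-tool's own exit status.
samba_tool_write() {
    if ! creds_present "$@"; then
        printf 'refusing: no -U/-k given; samba-tool would use the machine account\n' >&2
        return 2
    fi
    if uses_kerberos "$@" && ! ticket_ok; then
        printf 'refusing: Kerberos requested but no valid ticket (run kinit first)\n' >&2
        return 3
    fi
    "$SAMBA_TOOL" "$@"
}

# Usage (GPO name from the thread, user assumed):
#   kinit Administrator && samba_tool_write gpo create somegpo -k yes
#   samba_tool_write gpo create somegpo -U Administrator
```

The check is deliberately on the arguments rather than on the result: an access-denied from dsdb_access on CN=Policies looks like a schema or ACL problem, as the original poster noted, when the actual fault is the identity the tool ran as. Refusing up front turns that into an immediate, unambiguous message.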