On Wed, 2012-10-31 at 03:48 +0400, Dmitry Khromov wrote:
> > On Wed, 2012-10-31 at 03:33 +0400, Dmitry Khromov wrote:
> > > > I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain
> > > > migrated from Windows 2003 R2. I post them altogether, since they look
> > > > related.
> > > >
> > > > 1. Unable to create or delete GPOs.
> > > > # bin/samba-tool gpo create somegpo
> > > > ERROR(ldb): uncaught exception - LDAP error 50
> > > > LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on
> > > > CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
> > > > File
> > > > "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> > > > line 175, in _run
> > > > return self.run(*args, **kwargs)
> > > > File
> > > > "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py",
> > > > line 952, in run
> > > > self.samdb.add(m)
> > > >
> > > > I'm not sure if this is a schema or authentication problem. Could
> > > > someone suggest how that should be investigated?
> > >
> > > It looks like in the default Windows schema only members of Domain Admins can
> > > modify cn=Policies. If one allows the "Domain Controllers" group to have
> > > rw access too, the LDAP-related error disappears. However, a sysvol FS
> > > access error will be raised (due to the fact that machine accounts do not have
> > > write permissions on sysvol/fqdn/Policies after samba-tool ntacl
> > > sysvolreset).
> > > So, should samba-tool really use the machine account for GPO operations?
> >
> > Probably not for write operations.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett http://samba.org/~abartlet/
> > Authentication Developer, Samba Team http://samba.org
> >
> >
>
> And it actually doesn't. Sorry, I'm an idiot. I forgot the -k switch, so it
> was falling back to the machine account. Now it says NT_STATUS_INVALID_OWNER in
> conn.set_acl, but that's a different story.
Is this an upgrade from a Samba3 domain?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
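As an added pre-flight check (example code written for this page, not from the thread or the Samba project): the LDAP error 50 above came from samba-tool silently falling back to the DC's machine account when no user credentials were supplied, so this wrapper refuses a GPO write unless a user Kerberos ticket is cached and then passes `-k yes` explicitly. It assumes MIT Kerberos `klist` output ("Default principal: ...") and uses a constructed realm `DOMAIN.EXAMPLE`.

```shell
#!/bin/sh
# Added example, not from the thread: refuse samba-tool GPO write operations
# unless a user (not machine-account) Kerberos ticket is cached, so the command
# cannot fall back to the DC's machine account and fail with LDAP error 50 or
# sysvol write errors. Assumes MIT Kerberos `klist` output format.

# Constructed klist output for a user ticket and for a machine-account ticket
# (sample data for offline checks; DOMAIN.EXAMPLE is a placeholder realm).
SAMPLE_KLIST_USER='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.EXAMPLE

Valid starting     Expires            Service principal
10/31/12 03:00:00  10/31/12 13:00:00  krbtgt/DOMAIN.EXAMPLE@DOMAIN.EXAMPLE'
SAMPLE_KLIST_MACHINE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: DC1$@DOMAIN.EXAMPLE'

# Print the default principal from klist output on stdin (empty if none cached).
klist_principal() {
    sed -n 's/^Default principal: //p' | head -n 1
}

# True (exit 0) when the principal is a machine account: the account name
# before the realm ends in '$'.
is_machine_principal() {
    case "$1" in
        *'$@'*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Returns 0 only for a user principal; prints the reason for refusal otherwise.
gpo_write_allowed() {
    if [ -z "$1" ]; then
        echo "no Kerberos ticket cached; run kinit as a Domain Admin first"
        return 1
    fi
    if is_machine_principal "$1"; then
        echo "cached ticket is for machine account $1; GPO writes would be denied"
        return 1
    fi
    echo "ok: $1"
}

# Create a GPO with explicit Kerberos user credentials (-k yes) rather than
# letting samba-tool fall back to the machine account.
create_gpo() {
    p=$(klist 2>/dev/null | klist_principal)
    gpo_write_allowed "$p" || return 1
    samba-tool gpo create "$1" -k yes
}
```

Invoke as `create_gpo somegpo` on the DC after `kinit administrator`; the check functions can be exercised offline with the constructed samples.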
