Re: [Samba] Unable to create GPO with rc3 and a few authentication problems
> Hello.
>
> I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them all together, since they look related.
>
> 1. Unable to create or delete GPOs.
>
>     # bin/samba-tool gpo create somegpo
>     ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com
>       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
>         return self.run(*args, **kwargs)
>       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py, line 952, in run
>         self.samdb.add(m)
>
> I'm not sure if this is a schema or authentication problem. Could someone suggest how that should be investigated?
>
> 2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry for duplicating, but this is updated). It looks like this on debug level = 5:
>
>     [2012/10/30 02:23:38, 1] ../source4/dns_server/dns_server.c:150(dns_process_send)
>       Failed to verify TSIG!
>
> Hosts are Windows XP, Windows 7, Samba 3 on Linux. Some do update successfully, some can succeed some time (say, 5 hours) later, or may still fail. This is weird.
>
> I should mention that we had some problem with Windows 2k3 demotion - during the process it had rewritten the SOA on (the only at that moment) Samba DC and put its own hostname in the SOA's primary NS field. We had to fix that manually by replacing the SOA record in the corresponding LDB. Maybe we had just missed something? Any ideas on what's wrong?
>
> 3. Some hosts may suddenly reject valid tickets for RPC calls. Somewhat like the previous one. For example, on some non-DC host I do:
>
>     $ kinit
>     $ # Got a ticket for some admin user, btw MIT is used here
>     $ net rpc shutdown -S somehost -f -k    # Samba 3's net command
>
> It may succeed for some hosts, but fail with NT_LOGON_FAILURE a few hours later, before the ticket expires (and DCs still accept this ticket for e.g. samba-tool drs showrepl). Or it may later succeed for a host it was failing for. Renewing the ticket doesn't change anything. So, something strange for me, too. I had tried to reset some machine accounts and to rejoin some hosts. No luck.
>
> 4. Unrelated to the previous ones. Well, I'm sorry, I hadn't read the source to see if this is supposed to happen. But I'd better say that before I forget, just in case. Try to rename some host using the Windows GUI (My Computer - Properties) and check if CN, sAMAccountName and member for the corresponding groups are changed correctly. In my experience, only sAMAccountName is changed. Once again, sorry if this is OK.

Something similar happens to me. But I noticed that I can create a new GPO only with the first user the system had: administrator. None of the new admin users I created worked, only administrator.

Best regards,
Felix.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Unable to create GPO with rc3 and a few authentication problems
> I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them all together, since they look related.
>
> 1. Unable to create or delete GPOs.
>
>     # bin/samba-tool gpo create somegpo
>     ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com
>       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
>         return self.run(*args, **kwargs)
>       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py, line 952, in run
>         self.samdb.add(m)
>
> I'm not sure if this is a schema or authentication problem. Could someone suggest how that should be investigated?

It looks like in the default Windows schema only members of Domain Admins can modify cn=Policies. If one allows the Domain Controllers group to have rw access too, the LDAP-related error disappears. However, a sysvol FS access error will be raised (due to the fact that machine accounts do not have write permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).

So, should samba-tool really use the machine account for GPO operations?

-- 
Best regards,
Dmitry Khromov
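To make the access check behind LDAP error 50 concrete, here is an added example; it is not Samba's code and not something posted in this thread. It parses a DACL written in SDDL (the notation `samba-tool dsacl get` prints for an object) and evaluates, in ACE order, whether a principal whose token holds a given set of group aliases may create a child object, which is the right `samba-tool gpo create` needs on CN=Policies. The SDDL string and the token contents (an admin user in Domain Admins; a DC machine account in Domain Controllers and Domain Computers) are constructed assumptions. The example goes a little beyond the thread by also showing that an explicit deny ACE placed first wins over a later allow, which is worth knowing before anyone edits such an ACL.

```python
# Added example (not Samba's own code): evaluate an AD object's DACL, given
# in SDDL, to see whether a principal may create child objects under it.
import re
from typing import Dict, List, NamedTuple, Set

# Directory-service access rights as two-letter SDDL codes.
RIGHT_NAMES = {"CC": "create child", "DC": "delete child", "LC": "list children",
               "SW": "self write", "RP": "read property", "WP": "write property",
               "DT": "delete tree", "LO": "list object", "CR": "control access",
               "SD": "standard delete", "RC": "read control", "WD": "write DAC",
               "WO": "write owner"}
# Generic rights expand to the DS_GENERIC_ALL/READ/WRITE/EXECUTE masks.
GENERIC_RIGHTS = {"GA": set(RIGHT_NAMES), "GR": {"RC", "LC", "RP", "LO"},
                  "GW": {"RC", "SW", "WP"}, "GX": {"RC", "LC"}}


class Ace(NamedTuple):
    kind: str            # A, D, OA, OD, AU, ...
    flags: Set[str]      # CI, OI, IO, NP, ID, ...
    rights: Set[str]
    object_guid: str
    inherit_guid: str
    trustee: str         # alias such as DA, or a textual SID


def _pairs(field: str) -> List[str]:
    if len(field) % 2:
        raise ValueError("odd-length SDDL field: %r" % field)
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_rights(field: str) -> Set[str]:
    """Expand a rights field such as 'RPWPCC' into specific rights."""
    if field.startswith("0x"):
        raise ValueError("hex access masks are not handled here: %s" % field)
    rights: Set[str] = set()
    for code in _pairs(field):
        if code in GENERIC_RIGHTS:
            rights |= GENERIC_RIGHTS[code]
        elif code in RIGHT_NAMES:
            rights.add(code)
        else:
            raise ValueError("unknown right %r" % code)
    return rights


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the DACL's ACEs in stored order (order decides deny vs allow)."""
    m = re.search(r"D:((?:P|AI|AR)*)((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("no DACL (D:) component in %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        f = body.split(";")   # type;flags;rights;object_guid;inherit_guid;trustee
        if len(f) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(Ace(f[0], set(_pairs(f[1])), parse_rights(f[2]), f[3], f[4], f[5]))
    return aces


def effective_rights(aces: List[Ace], tokens: Set[str]) -> Set[str]:
    """Rights held by a principal whose token contains the given aliases/SIDs.
    The first ACE naming a right for a matching trustee decides that right,
    so an early deny beats a later allow, as in the real ordered ACE walk."""
    decided: Dict[str, bool] = {}
    for ace in aces:
        if ace.trustee not in tokens or "IO" in ace.flags:
            continue                                # not ours, or inherit-only
        if ace.kind in ("OA", "OD") and ace.object_guid:
            continue                                # scoped to one attribute/class
        if ace.kind in ("A", "OA"):
            verdict = True
        elif ace.kind in ("D", "OD"):
            verdict = False
        else:
            continue                                # audit/alarm ACEs grant nothing
        for right in ace.rights:
            decided.setdefault(right, verdict)
    return {r for r, ok in decided.items() if ok}


def can_create_child(sddl: str, tokens: Set[str]) -> bool:
    """Creating a GPO adds a child under CN=Policies, so CC is what matters."""
    return "CC" in effective_rights(parse_dacl(sddl), tokens)


# Constructed sample resembling the stock ACL on CN=Policies,CN=System (not a
# dump from any real domain): full control for DA (Domain Admins), EA
# (Enterprise Admins) and SY (LOCAL SYSTEM), read-only for AU (Authenticated Users).
FULL = "RPWPCRCCDCLCLORCWOWDSDDTSW"
POLICIES_SDDL = ("O:DAG:DAD:P(A;CI;%s;;;DA)(A;CI;%s;;;EA)(A;CI;%s;;;SY)"
                 "(A;CI;RPLCLORC;;;AU)" % (FULL, FULL, FULL))
# Token contents are assumptions: an admin in Domain Admins, and a DC machine
# account in DD (Domain Controllers) and DC (Domain Computers); WD is Everyone.
ADMIN_TOKENS = {"DA", "AU", "WD"}
DC_MACHINE_TOKENS = {"DD", "DC", "AU", "WD"}
# The workaround tried in the thread: give Domain Controllers full control too.
WIDENED_SDDL = POLICIES_SDDL + "(A;CI;%s;;;DD)" % FULL
# An explicit deny placed first wins over a later generic-all allow.
DENY_FIRST_SDDL = "D:(D;;CC;;;DD)(A;;GA;;;DD)"

if __name__ == "__main__":
    for label, sddl, tokens in [("admin user, stock ACL", POLICIES_SDDL, ADMIN_TOKENS),
                                ("DC machine account, stock ACL", POLICIES_SDDL, DC_MACHINE_TOKENS),
                                ("DC machine account, widened ACL", WIDENED_SDDL, DC_MACHINE_TOKENS),
                                ("DC machine account, deny first", DENY_FIRST_SDDL, DC_MACHINE_TOKENS)]:
        print("%-34s create child: %s" % (label, can_create_child(sddl, tokens)))
```

Feeding it the real descriptor from `samba-tool dsacl get --objectdn=CN=Policies,CN=System,<domain DN>` shows which trustees actually hold CC before anyone widens the ACL; as the thread goes on to establish, the cleaner fix is to run samba-tool with -k so that the write happens as the admin user rather than falling back to the machine account.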
Re: [Samba] Unable to create GPO with rc3 and a few authentication problems
On Wed, 2012-10-31 at 03:33 +0400, Dmitry Khromov wrote:
> > I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them all together, since they look related.
> >
> > 1. Unable to create or delete GPOs.
> >
> >     # bin/samba-tool gpo create somegpo
> >     ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com
> >       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
> >         return self.run(*args, **kwargs)
> >       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py, line 952, in run
> >         self.samdb.add(m)
> >
> > I'm not sure if this is a schema or authentication problem. Could someone suggest how that should be investigated?
>
> It looks like in the default Windows schema only members of Domain Admins can modify cn=Policies. If one allows the Domain Controllers group to have rw access too, the LDAP-related error disappears. However, a sysvol FS access error will be raised (due to the fact that machine accounts do not have write permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).
>
> So, should samba-tool really use the machine account for GPO operations?

Probably not for write operations.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Re: [Samba] Unable to create GPO with rc3 and a few authentication problems
> On Wed, 2012-10-31 at 03:33 +0400, Dmitry Khromov wrote:
> > > I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them all together, since they look related.
> > >
> > > 1. Unable to create or delete GPOs.
> > >
> > >     # bin/samba-tool gpo create somegpo
> > >     ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com
> > >       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
> > >         return self.run(*args, **kwargs)
> > >       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py, line 952, in run
> > >         self.samdb.add(m)
> > >
> > > I'm not sure if this is a schema or authentication problem. Could someone suggest how that should be investigated?
> >
> > It looks like in the default Windows schema only members of Domain Admins can modify cn=Policies. If one allows the Domain Controllers group to have rw access too, the LDAP-related error disappears. However, a sysvol FS access error will be raised (due to the fact that machine accounts do not have write permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).
> >
> > So, should samba-tool really use the machine account for GPO operations?
>
> Probably not for write operations.
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

And it actually doesn't. Sorry, I'm an idiot. I forgot the -k switch, so it was falling back to the machine account. Now it says NT_STATUS_INVALID_OWNER in conn.set_acl, but that's a different story.

-- 
Best regards,
Dmitry Khromov
Re: [Samba] Unable to create GPO with rc3 and a few authentication problems
On Wed, 2012-10-31 at 03:48 +0400, Dmitry Khromov wrote:
> > On Wed, 2012-10-31 at 03:33 +0400, Dmitry Khromov wrote:
> > > > I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them all together, since they look related.
> > > >
> > > > 1. Unable to create or delete GPOs.
> > > >
> > > >     # bin/samba-tool gpo create somegpo
> > > >     ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com
> > > >       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
> > > >         return self.run(*args, **kwargs)
> > > >       File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py, line 952, in run
> > > >         self.samdb.add(m)
> > > >
> > > > I'm not sure if this is a schema or authentication problem. Could someone suggest how that should be investigated?
> > >
> > > It looks like in the default Windows schema only members of Domain Admins can modify cn=Policies. If one allows the Domain Controllers group to have rw access too, the LDAP-related error disappears. However, a sysvol FS access error will be raised (due to the fact that machine accounts do not have write permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).
> > >
> > > So, should samba-tool really use the machine account for GPO operations?
> >
> > Probably not for write operations.
> >
> > Andrew Bartlett
> >
> > -- 
> > Andrew Bartlett                                http://samba.org/~abartlet/
> > Authentication Developer, Samba Team           http://samba.org
>
> And it actually doesn't. Sorry, I'm an idiot. I forgot the -k switch, so it was falling back to the machine account. Now it says NT_STATUS_INVALID_OWNER in conn.set_acl, but that's a different story.

Is this an upgrade from a Samba3 domain?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
[Samba] Unable to create GPO with rc3 and a few authentication problems
Hello.

I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them all together, since they look related.

1. Unable to create or delete GPOs.

    # bin/samba-tool gpo create somegpo
    ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com
      File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
        return self.run(*args, **kwargs)
      File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py, line 952, in run
        self.samdb.add(m)

I'm not sure if this is a schema or authentication problem. Could someone suggest how that should be investigated?

2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry for duplicating, but this is updated). It looks like this on debug level = 5:

    [2012/10/30 02:23:38, 1] ../source4/dns_server/dns_server.c:150(dns_process_send)
      Failed to verify TSIG!

Hosts are Windows XP, Windows 7, Samba 3 on Linux. Some do update successfully, some can succeed some time (say, 5 hours) later, or may still fail. This is weird.

I should mention that we had some problem with Windows 2k3 demotion - during the process it had rewritten the SOA on (the only at that moment) Samba DC and put its own hostname in the SOA's primary NS field. We had to fix that manually by replacing the SOA record in the corresponding LDB. Maybe we had just missed something? Any ideas on what's wrong?

3. Some hosts may suddenly reject valid tickets for RPC calls. Somewhat like the previous one. For example, on some non-DC host I do:

    $ kinit
    $ # Got a ticket for some admin user, btw MIT is used here
    $ net rpc shutdown -S somehost -f -k    # Samba 3's net command

It may succeed for some hosts, but fail with NT_LOGON_FAILURE a few hours later, before the ticket expires (and DCs still accept this ticket for e.g. samba-tool drs showrepl). Or it may later succeed for a host it was failing for. Renewing the ticket doesn't change anything. So, something strange for me, too. I had tried to reset some machine accounts and to rejoin some hosts. No luck.

4. Unrelated to the previous ones. Well, I'm sorry, I hadn't read the source to see if this is supposed to happen. But I'd better say that before I forget, just in case. Try to rename some host using the Windows GUI (My Computer - Properties) and check if CN, sAMAccountName and member for the corresponding groups are changed correctly. In my experience, only sAMAccountName is changed. Once again, sorry if this is OK.

Thanks in advance.

-- 
Best regards,
Dmitry Khromov
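For the rename check in item 4, here is an added example that is not Samba's code and was not posted in the thread. It reads computer objects from LDIF text, the shape that `ldbsearch` against sam.ldb or an LDAP export produces, and flags objects whose CN, DN, dNSHostName and servicePrincipalName values no longer agree with sAMAccountName, which is the drift Dmitry describes after a GUI rename. The two records are constructed; the second mimics a host renamed from OLDNAME to NEWNAME where only sAMAccountName followed. The domain-suffix parameter and the rule that the host part of every other name must equal the sAMAccountName without its trailing `$` are assumptions made for the example.

```python
# Added example (not Samba's code): find computer objects whose naming
# attributes disagree after a rename, e.g. only sAMAccountName was updated.
from typing import Dict, List

# Constructed LDIF, not a dump from any real domain. The second object mimics
# a host renamed from OLDNAME to NEWNAME where only sAMAccountName followed.
SAMPLE_LDIF = """\
dn: CN=WS01,CN=Computers,DC=example,DC=test
objectClass: computer
cn: WS01
sAMAccountName: WS01$
dNSHostName: ws01.example.test
servicePrincipalName: HOST/ws01.example.test
servicePrincipalName: HOST/WS01

dn: CN=OLDNAME,CN=Computers,DC=example,DC=test
objectClass: computer
cn: OLDNAME
sAMAccountName: NEWNAME$
dNSHostName: oldname.example.test
servicePrincipalName: HOST/oldname.example.test
servicePrincipalName: HOST/OLDNAME
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, attribute names
    lower-cased, multi-valued attributes kept as lists. Base64 values (::)
    and folded continuation lines are rejected rather than misread."""
    entries: List[Entry] = []
    cur: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith(" ") or value.startswith(":"):
            raise ValueError("unsupported LDIF line: %r" % line)
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def naming_findings(entry: Entry, domain_suffix: str) -> List[str]:
    """Return the inconsistencies for one computer object; empty means OK."""
    findings: List[str] = []
    sam = entry.get("samaccountname", [""])[0]
    if not sam.endswith("$"):
        findings.append("sAMAccountName %r lacks the trailing $ of a machine account" % sam)
    short = sam.rstrip("$").upper()          # host name expected everywhere else
    cn = entry.get("cn", [""])[0]
    if cn.upper() != short:
        findings.append("CN %r != sAMAccountName %r" % (cn, sam))
    rdn = entry["dn"][0].split(",", 1)[0]
    if rdn.upper() != "CN=" + cn.upper():
        findings.append("RDN %r != cn %r" % (rdn, cn))
    dns = entry.get("dnshostname", [""])[0]
    if dns.split(".")[0].upper() != short:
        findings.append("dNSHostName %r != sAMAccountName %r" % (dns, sam))
    if not dns.lower().endswith("." + domain_suffix.lower()):
        findings.append("dNSHostName %r is outside %s" % (dns, domain_suffix))
    for spn in entry.get("serviceprincipalname", []):
        host = spn.split("/", 1)[1].split(":")[0] if "/" in spn else ""
        if host.split(".")[0].upper() != short:
            findings.append("SPN %r != sAMAccountName %r" % (spn, sam))
    return findings


def audit(ldif_text: str, domain_suffix: str) -> Dict[str, List[str]]:
    """Map DN -> findings for every computer object that has at least one."""
    report: Dict[str, List[str]] = {}
    for e in parse_ldif(ldif_text):
        if "computer" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        found = naming_findings(e, domain_suffix)
        if found:
            report[e["dn"][0]] = found
    return report


if __name__ == "__main__":
    for dn, found in audit(SAMPLE_LDIF, "example.test").items():
        print(dn)
        for f in found:
            print("  -", f)
```

Run over a real export, a non-empty report is the signal to look at the object by hand; the script only reads, so it is safe to run after every rename as a regression check while the behaviour described in item 4 is being tracked down.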