Hello.
I had encountered a few problems with 2 Samba 4 rc3 DCs serving domain migrated
from Windows 2003 R2. I post them altogether, since they look related.
1. Unable to create or delete GPOs.
# bin/samba-tool gpo create somegpo
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS
- <dsdb_access: Access check failed on
CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py",
line 952, in run
self.samdb.add(m)
I'm not sure if this is a schema or authentication problem. Could someone
suggest how should that be investigated?
2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry for
duplicating, but this is updated).
It looks like this on debug level = 5:
[2012/10/30 02:23:38, 1]
../source4/dns_server/dns_server.c:150(dns_process_send)
Failed to verify TSIG!
Hosts are Windows XP, Windows 7, Samba 3 on Linux. Some do update succesfully,
some can succeed some time (say, 5 hours) later, or may still fail. This is
weird.
I should mention that we had some problem with Windows 2k3 demotion - during
the process it had rewritten the SOA on (the only at that moment) Samba DC and
put it's own hostname in SOA's "primary NS" field. We had to fix that manually
by replacing the SOA record in corresponding LDB.
Maybe we had just missed something? Any ideas on what's wrong?
3. Some hosts may suddenly reject valid tickets for RPC calls.
Somewhat like the previous one. For example, on some non-DC host I do:
$ kinit
$ #Got a ticket for some admin user, btw MIT is used here
$ net rpc shutdown -S somehost -f -k # Samba 3's "net" command
It may succeed for some hosts, but fail with NT_LOGON_FAILURE few hours later,
before the ticket expires (and DCs still accept this ticket for e.g. samba-tool
drs showrepl). Or it may later suceed for a host it was failing for. Renewing
the ticket doesn't change anything.
So, something strange for me, too. I had tried to reset some machine accounts
and to rejoin some hosts. No luck.
4. Unrelated to the previous ones. Well, I'm sorry, I hadn't read the source to
see if this is supposed to happen. But I'd better say that before I forget,
just in case.
Try to rename some host using Windows GUI (My Computer -> Properties) and check
if CN, sAMAccountName and member for corresponding groups are changed
correctly. In my experience, only sAMAccountName is changed.
Once again, sorry if this is OK.
Thanks in advance.
--
Best regards,
Dmitry Khromov
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
