NFS export group permissions failing to be applied
I have several NFS shares, mounted on RHEL/CentOS 4.5 clients. Only POSIX permissions are used, no ACLs. The RHEL client authenticates users through Open Directory on the server.
jim and bob belong to the same group, staff
There are two files on the nfs mount, one belongs to jim, one to bob.
Both files have rw group permissions, and belong to group staff.
On the server, or logged into the server via ssh, jim can edit and save bob's file, since he has write permission for the group.
However on the nfs mount, jim is not given permission to write to bob's file. Jim can delete bob's file though.
Similarly, bob cannot edit jim's file, though he is in the same group.
The group and user names are identical across systems, as are the group and user IDs, which is to be expected as they are served from the same directory.
This problem has been affecting us for quite a while - from the original clean install of 10.4 and through to the current 10.5.6 server
The issue has already been raised (and archived) at
http://discussions.apple.com/thread.jspa?threadID=1442054&tstart=570
with no useful result.
Hi friends, seems like we have an enemy in common. Well, will keep this space updated if we come across any solutions. Thanks,
Ricky.
Similar Messages
-
NFS export external USB device fails
I am trying to NFS export a FAT32 formatted external USB device, which fails with the error:
/sbin/nfsd: Can't export /Volumes/<external>: Operation not supported (45)
I am able to export internal/HFS drives, which have the "Owners Enabled: Yes" attribute, and therefore assume I need to set the flag accordingly on my external drive.
Despite the fact that the device has been assigned a UUID (it appears to be in place in .fseventsd and running 'repair disk' echoes it in syslog), I get this error when running vsdbutil:
vsdbutil: Couldn't update volume information for '/Volumes/<external>/': Invalid argument
vsdbutil: no valid volume UUID found on '/Volumes/<external>/': Invalid argument
And diskutil returns this:
Permissions are not enabled on the disk (-9973)
I attempted to add the uuid to /var/db/volinfo.database in order to set the permissions there, to no effect.
I don't believe that I am the only person who has attempted this, but I can find no evidence to the contrary. Thank you.
NFS exporting requires specific NFS serving support from the file system.
Unfortunately, the "msdos" file system implementation doesn't currently
support NFS exporting.
If you'd like that support added, I would strongly encourage filing a
bug report/enhancement request with Apple:
http://developer.apple.com/bugreporter/
HTH
--macko -
OS X extern drive ownership/permissions and NFS exporting
- I have an external (250GB) firewire drive on OS X 10.4.9.
- I want to have it available to local users of this Mac but with ownership/permissions of created files/directories protected in the usual UNIX sense of unique UID/GID -- files/directories created by one user cannot be read/written by other users of this Mac except as allowed by standard UNIX permissions groups settings; eg., those set with 'chmod' command.
- I want to NFS-serve this drive volume to a Linux NFS client (e.g., RHEL 4), again with files/directories protected in this same UID/GID UNIX sense. In our case, the users' UID/GIDs will be made to match, but regardless, I wish likewise for file/directory use on the Linux client to be restricted as per UNIX permissions and the files/directories created by the Mac users to have protections remain in place against Linux user access, and vice versa, as above.
Is this feasible in Mac OS X (without OS X Server)?
How does one go about achieving it?
I have basic Netinfo Manager skills for creating NFS exports and starting NFS daemon services, but am not expert on all available export options. I have average linux IT NFS server/client and user management skills.
Thanks,
-Neil
I don't know about networking with Linux, but I do know that for OS X users, enforcing permissions on an external drive without OS X Server is tricky.
First, log in to your admin account. Right-click the drive, Get Info, expand Ownership & Permissions, and uncheck "Ignore ownership on this volume". Then set permissions accordingly.
The problem is that any unprivileged user can log in to his own account, Get Info, recheck the box, and get ownership of the entire contents of the drive. This is possible even without the admin password.
There is a workaround that will remove the Ignore Ownership box from the Get Info panel so that there will be no box for them to check. First make sure that the box is unchecked and that the permissions are set how you want. Then enable ACLs on the volume by entering this command in a Terminal window:
sudo fsaclctl -p /Volumes/volumename -e
Then restart Finder. Now there's no box for the unprivileged user to check. But I don't know where this setting is stored; perhaps the unprivileged user can find some command-line way of getting the box re-checked and thus getting ownership of everything.
If there is some way you can get the data off of the external drive and onto the main boot drive you will have the best chance of keeping the data safe. -
I am looking at an issue with users not getting specific group policies.
After searching a number of client computers I found that the following error
The user '*' preference item in the 'User - 6th Form Students Policy {E03166E7-A848-48B5-AA93-97B848AA9C13}' Group Policy object did not apply because it failed with error code '0x80070003 The system cannot find the path specified.' This error was suppressed.
I can find the folder in the Sysvol folder on all of the domain controllers.
The issue with end users seems to be that the proxy settings for Internet Explorer are not being applied.
Potential problems?
one folder in sysvol entry is empty
\\<server>\SYSVOL\<domain.name>\Policies\{E03166E7-A848-48B5-AA93-97B848AA9C13}\User\microsoft\IEAK\LOCK
or is this our issue
The old method of configuring proxy settings to Internet Explorer 9 has changed?
https://support2.microsoft.com/kb/2530309?wa=wsignin1.0
http://thommck.wordpress.com/2013/11/08/the-new-way-to-configure-internet-explorer-proxy-settings-with-group-policy/
Hi all
In administering this policy I am a little confused.
We have a policy that distributes proxy settings in the internet explorer maintenance settings section - however when opening this policy up in GPO editor the internet explorer maintenance section is not present.
I plan to apply the settings via User/preferences/control panel settings/ internet settings (or registry settings from article) however I am unable to edit the settings for internet explorer maintenance and these will persist. Ideas???? -
Hello all-
I am currently trying to configure group policy (specifically folder redirects) from a new Windows Server 2008 in my home... the server acts as both an AD DS and file server for 4 client computers, all running Windows Vista Ultimate.
Here are the steps I am currently taking:
I create a new Group Policy called All Users and Computers and apply it to the All Users and Computers OU, which contains exactly what it says (all users and computers in the domain).
I verify that a new folder was created in \\<FQDN>\sysvol\<FQDN>\Policies. The new folder created is named {6479C8E0-3134-4B4F-B047-7ADD51684684}
I change the GPO Enforced setting to Enforced.
I attempt to use the gpupdate command to see if the group policy can be updated successfully. In a command prompt, I type gpupdate <enter>. I receive the message 'Updating Policy...' then after about 15 seconds the message 'User Policy update has completed successfully.'
I keep the cmd window open. After about 10 seconds another message appears which says "Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows attempted to read the file \\<FQDN>\sysvol\<FQDN>\Policies\{6AC1786C-016F-11D2-945F-00C04Fb984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
To diagnose the failure, review the event log or invoke gpmc.msc to access information about Group Policy results."
I confirm that the error code is #3 using the Event Log, "The system cannot find the file specified"
Of course the system cannot find the file specified because the folder does not exist in the sysvol folder. I am wondering why Windows is trying to read from this location when it does not exist, and is not the new group policy I created! I have no other group policies linked or enforced to any other OU/Domain/etc. Any help resolving this issue would be greatly appreciated.
Hello all and thanks for the help. First a few things:
I understand that the DC should not be running RRAS, but this is a simple server being used in a home environment by 4 users and getting another server just for RRAS would be overkill.
Secondly, I currently have it so that while the router is handling DHCP, I have reserved a fixed IP for the server, so it always has 192.168.1.100. If I were to use the server as the DHCP, what would my hardware configuration have to look like? I currently have the router plugged into the ISP modem, and then server plugged into the router. All other clients connect to the router wirelessly.
Here's the dcdiag output. I tried dcdiag /fix but to no avail.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine KELLERDCFS, is a Directory Server.
Home Server = KELLERDCFS
* Connecting to directory service on server KELLERDCFS.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=keller-pa,DC=net,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=keller-pa,DC=net,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=KELLERDCFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\KELLERDCFS
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... KELLERDCFS passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\KELLERDCFS
Starting test: Advertising
The DC KELLERDCFS is advertising itself as a DC and having a DS.
The DC KELLERDCFS is advertising as an LDAP server
The DC KELLERDCFS is advertising as having a writeable directory
The DC KELLERDCFS is advertising as a Key Distribution Center
The DC KELLERDCFS is advertising as a time server
The DS KELLERDCFS is advertising as a GC.
......................... KELLERDCFS passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the event log File Replication Service does not exist.
......................... KELLERDCFS passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... KELLERDCFS passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... KELLERDCFS passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... KELLERDCFS passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=KELLERDCFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net
Role Domain Owner = CN=NTDS Settings,CN=KELLERDCFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net
Role PDC Owner = CN=NTDS Settings,CN=KELLERDCFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net
Role Rid Owner = CN=NTDS Settings,CN=KELLERDCFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net
Role Infrastructure Update Owner = CN=NTDS Settings,CN=KELLERDCFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net
......................... KELLERDCFS passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC KELLERDCFS on DC KELLERDCFS.
* SPN found :LDAP/KELLERDCFS.keller-pa.net/keller-pa.net
* SPN found :LDAP/KELLERDCFS.keller-pa.net
* SPN found :LDAP/KELLERDCFS
* SPN found :LDAP/KELLERDCFS.keller-pa.net/KELLER-PA
* SPN found :LDAP/42268b36-801f-4a6d-b162-34f3b01e04bb._msdcs.keller-pa.net
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/42268b36-801f-4a6d-b162-34f3b01e04bb/keller-pa.net
* SPN found :HOST/KELLERDCFS.keller-pa.net/keller-pa.net
* SPN found :HOST/KELLERDCFS.keller-pa.net
* SPN found :HOST/KELLERDCFS
* SPN found :HOST/KELLERDCFS.keller-pa.net/KELLER-PA
* SPN found :GC/KELLERDCFS.keller-pa.net/keller-pa.net
......................... KELLERDCFS passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC KELLERDCFS.
* Security Permissions Check for
DC=ForestDnsZones,DC=keller-pa,DC=net
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=keller-pa,DC=net
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=keller-pa,DC=net
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=keller-pa,DC=net
(Configuration,Version 3)
* Security Permissions Check for
DC=keller-pa,DC=net
(Domain,Version 3)
......................... KELLERDCFS passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\KELLERDCFS\netlogon
Verified share \\KELLERDCFS\sysvol
......................... KELLERDCFS passed test NetLogons
Starting test: ObjectsReplicated
KELLERDCFS is in domain DC=keller-pa,DC=net
Checking for CN=KELLERDCFS,OU=Domain Controllers,DC=keller-pa,DC=net in domain DC=keller-pa,DC=net on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=KELLERDCFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net in domain CN=Configuration,DC=keller-pa,DC=net on 1 servers
Object is up-to-date on all servers.
......................... KELLERDCFS passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
......................... KELLERDCFS passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 1600 to 1073741823
* KELLERDCFS.keller-pa.net is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1100 to 1599
* rIDPreviousAllocationPool is 1100 to 1599
* rIDNextRID: 1111
......................... KELLERDCFS passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... KELLERDCFS passed test Services
Starting test: SystemLog
* The System Event log test
An Error Event occurred. EventID: 0x00000422
Time Generated: 07/07/2009 17:53:59
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\keller-pa.net\sysvol\keller-pa.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
......................... KELLERDCFS failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=KELLERDCFS,OU=Domain Controllers,DC=keller-pa,DC=net and backlink
on
CN=KELLERDCFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net
are correct.
The system object reference (serverReferenceBL)
CN=KELLERDCFS,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=keller-pa,DC=net
and backlink on
CN=NTDS Settings,CN=KELLERDCFS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=keller-pa,DC=net
are correct.
......................... KELLERDCFS passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : keller-pa
Starting test: CheckSDRefDom
......................... keller-pa passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... keller-pa passed test CrossRefValidation
Running enterprise tests on : keller-pa.net
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\KELLERDCFS.keller-pa.net
Locator Flags: 0xe00013fd
PDC Name: \\KELLERDCFS.keller-pa.net
Locator Flags: 0xe00013fd
Time Server Name: \\KELLERDCFS.keller-pa.net
Locator Flags: 0xe00013fd
Preferred Time Server Name: \\KELLERDCFS.keller-pa.net
Locator Flags: 0xe00013fd
KDC Name: \\KELLERDCFS.keller-pa.net
Locator Flags: 0xe00013fd
......................... keller-pa.net passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... keller-pa.net passed test Intersite
Here's the nslookup from Vista client:
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Andrew>nslookup KELLERDCFS
Server: UnKnown
Address: 192.168.1.100
Name: KELLERDCFS.keller-pa.net
Addresses: 192.168.1.150
192.168.1.100
C:\Users\Andrew>
Thanks again! -
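dcdiag output like that in the post above can log the same Group Policy event many times, which buries the one detail that matters: which GPO's gpt.ini could not be read. The following is an added example, not part of the original posts, that condenses such output into failed tests plus one line per distinct event and GPO GUID. The sample text, the host DC01 and the domain example.test are constructed; the two GUIDs in the lookup table are the fixed identifiers of the two GPOs every Active Directory domain is created with.

```python
import re
from collections import OrderedDict

# Fixed GUIDs of the two GPOs that exist in every Active Directory domain.
WELL_KNOWN_GPOS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}

# Constructed sample in the shape dcdiag prints (not copied from a real system).
SAMPLE = r"""
   Testing server: Default-First-Site-Name\DC01
      Starting test: SysVolCheck
         ......................... DC01 passed test SysVolCheck
      Starting test: SystemLog
         An Error Event occurred.  EventID: 0x00000422
            Time Generated: 01/02/2024   10:00:00
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\example.test\sysvol\example.test\Policies\{6AC1786C-016F-11D2-945F-00C04Fb984F9}\gpt.ini from a domain controller and was not successful.
         An Error Event occurred.  EventID: 0x00000422
            Time Generated: 01/02/2024   10:05:02
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\example.test\sysvol\example.test\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful.
         An Error Event occurred.  EventID: 0x00000422
            Time Generated: 01/02/2024   10:10:04
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\example.test\sysvol\example.test\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful.
         ......................... DC01 failed test SystemLog
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

# "\s+" lets a verdict match even when the test name wrapped onto the next line.
TEST_RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
EVENT_ID = re.compile(r"EventID:\s+0x([0-9A-Fa-f]+)")
TIME_GEN = re.compile(r"Time Generated:\s+(\d\d/\d\d/\d{4}\s+\d\d:\d\d:\d\d)")
GPT_PATH = re.compile(
    r"\\\\[^\\\s]+\\sysvol\\[^\\\s]+\\Policies\\\{([0-9A-Fa-f-]{36})\}\\gpt\.ini",
    re.IGNORECASE,
)


def parse_dcdiag(text):
    """Return passed/failed tests and de-duplicated events from dcdiag output."""
    passed, failed = [], []
    for subject, verdict, test in TEST_RESULT.findall(text):
        (passed if verdict == "passed" else failed).append((subject, test))

    groups = OrderedDict()  # (event id, GPO GUID) -> summary, in first-seen order

    def flush(event):
        if event is None:
            return
        key = (event["event_id"], event["guid"])
        summary = groups.setdefault(key, {
            "event_id": event["event_id"],  # decimal, as shown in Event Viewer
            "guid": event["guid"],
            "gpo_name": WELL_KNOWN_GPOS.get(event["guid"]),  # None for custom GPOs
            "count": 0,
            "first": event["time"],
        })
        summary["count"] += 1
        summary["last"] = event["time"]

    current = None
    for line in text.splitlines():
        match = EVENT_ID.search(line)
        if match:  # a new event starts: close the previous one
            flush(current)
            current = {"event_id": int(match.group(1), 16), "time": None, "guid": None}
            continue
        if current is None:
            continue
        if line.lstrip().startswith("....."):  # verdict line ends the event list
            flush(current)
            current = None
            continue
        match = TIME_GEN.search(line)
        if match and current["time"] is None:
            current["time"] = " ".join(match.group(1).split())
        match = GPT_PATH.search(line)
        if match and current["guid"] is None:
            current["guid"] = match.group(1).upper()
    flush(current)
    return {"passed_tests": passed, "failed_tests": failed,
            "events": list(groups.values())}


if __name__ == "__main__":
    report = parse_dcdiag(SAMPLE)
    for subject, test in report["failed_tests"]:
        print(f"FAILED {test} on {subject}")
    for ev in report["events"]:
        name = ev["gpo_name"] or "GPO not in the built-in table"
        print(f"event {ev['event_id']} x{ev['count']} "
              f"({ev['first']} .. {ev['last']}): {{{ev['guid']}}} = {name}")
```

EventID 0x00000422 is decimal 1058, the number Event Viewer shows for this Group Policy error.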
Processing of Group Policy Failed - Single DC error 1058
I have been getting the error every 5 mins for awhile:
The processing of Group Policy failed. Windows attempted to read the file \\xx.company\sysvol\xxx.company\Policies\{0000000-2323-2222-2222-333333}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
So - this is a single DC 2008R2. It started (I think) back when I joined another server on the domain and did a DCPromo to help build some redundancy. DFS was/is not enabled, do I need to set this up to resolve this?
Users are able to log in and policies are working. I only see this error on the DC, but other than the error everything seems to be working fine. I can access the share \\xx.company\sysvol\xxx.company\Policies\ and see it from all systems on the domain.
I looked for the Burflags to see if that would help but since there is no DFS there was nothing in the registry.
So at this point, I removed the secondary server via DCpromo, going back to just the 1 server DC but I still get the error. DNS works. When I do a DCDiag everything looks ok except the SysVol - I get about 10 of these
Starting test: SystemLog
An error event occurred. EventID: 0x00000422
Time Generated: 03/17/2015 14:49:41
Event String:
The processing of Group Policy failed... blah blah - same as above.
I looked at this link because of the combination of the 2 errors - Error 1058 and 00422 - but it's suggesting an authoritative restore, and I don't have the replication.
Now I am wondering if there is a left over connection somewhere in the system that doesn't know that there isn't another DC on the network?
So - any suggestions? Thanks in advance.
Hi,
>>Now I am wondering if there is a left over connection somewhere in the system that doesn't know that there isn't another DC on the network?
Did we clean up the metadata of the removed domain controller? If not, we can follow the article below to do this.
Clean Up Server Metadata
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
Besides, on the existing domain controller, check Applications and Services Logs\FRS or DFSR logs in Event Viewer. If the issue persists, we can follow the method below to do an authoritative restore for Sysvol.
If we use FRS to replicate Sysvol, we can try to follow the article below to do an authoritative restore for Sysvol.
Using the BurFlags registry key to reinitialize File Replication Service replica sets
https://support.microsoft.com/en-us/kb/290762
If we use DFSR to replicate Sysvol, we can try to follow the article below to do an authoritative restore for Sysvol.
How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)
https://support.microsoft.com/en-us/kb/2218556
Best regards,
Frank Shen
The processing of Group Policy failed because of lack of network connectivity to a domain controller
We are setting up a new AD environment with one AD/DC running DNS services, and a secondary DNS server configured with a secondary zone. The problem is that none of the machines in the domain are getting GPOs.
When I run a gpupdate /force from a machine, I get the following output:
"Updating Policy...
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were enc
ountered:
The processing of Group Policy failed because of lack of network connectivity to
a domain controller. This may be a transient condition. A success message would
be generated once the machine gets connected to the domain controller and Group
Policy has succesfully processed. If you do not see a success message for sever
al hours, then contact your administrator.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results."
While the system event log outputs the following:
"The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy
has succesfully processed. If you do not see a success message for several hours, then contact your administrator."
All the machines that were joined to the domain are able to resolve in forward and reverse lookups, ping the DC and ping each other so I don't understand how the error can be resolved.
Here are few things I have tried:
1. I came across this KB which checked ok for me: http://support.microsoft.com/kb/241515
2. Made a copy of the default GPO, applied to a OU with one machine, and made sure to remove any GPO links from above
3. Enabled the following two local Group policies on a test member:
GP slow link detection
Startup policy processing wait time
4. Modified firewall to allow everything on both member and DC
5. Verified DNS logs, SRV records, access to sysvol (added authenticated users to sysvol)
I have yet to figure out the reason for this issue. Has anyone seen anything like this before?
1. I checked the NIC, it only has one IP, and I followed your article. I set the primary DNS to its own IP and the secondary DNS to the loopback IP
2. This is a new DC and DNS server. I don't have old records yet. I also checked the DNS event logs. No errors
3. I made sure the member server is pointing only to the only DC/DNS server
4. Here is the output from the dcdiag.... everything passed except the Netlogons part. I'm not sure what it means or how to fix it yet:
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this
computer
"* from network" right.
[hostname] An net use or LsaPolicy operation failed with error
1, Incorrect function..
......................... hostname failed test NetLogons
Complete output:
> hostname
Server: hostname.domain.local
Address: X.X.X.95
> ^C
C:\Windows\system32>
C:\Windows\system32>nslookup
> set type=all
>
>
>
> _ldap._tcp.dc._msdcs.domainname
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = hostname.domain.local
hostname.domain.local internet address = X.X.X.95
> ^C
C:\Windows\system32>cd ..
C:\Windows>cd SYSVOL
C:\Windows\SYSVOL>cd sysvol
C:\Windows\SYSVOL\sysvol>dir
Volume in drive C has no label.
Volume Serial Number is F624-CDB2
Directory of C:\Windows\SYSVOL\sysvol
10/29/2014 08:25 PM <DIR> .
10/29/2014 08:25 PM <DIR> ..
10/29/2014 08:25 PM <JUNCTION> domain.local [C:\Windows\SYSVOL\domain]
0 File(s) 0 bytes
3 Dir(s) 63,971,037,184 bytes free
C:\Windows\SYSVOL\sysvol>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = hostname
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\hostname
Starting test: Connectivity
......................... hostname passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\hostname
Starting test: Advertising
......................... hostname passed test Advertising
Starting test: FrsEvent
......................... hostname passed test FrsEvent
Starting test: DFSREvent
......................... hostname passed test DFSREvent
Starting test: SysVolCheck
......................... hostname passed test SysVolCheck
Starting test: KccEvent
......................... hostname passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... hostname passed test
KnowsOfRoleHolders
Starting test: MachineAccount
......................... hostname passed test MachineAccount
Starting test: NCSecDesc
......................... hostname passed test NCSecDesc
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this
computer
"* from network" right.
[hostname] An net use or LsaPolicy operation failed with error
1, Incorrect function..
......................... hostname failed test NetLogons
Starting test: ObjectsReplicated
......................... hostname passed test
ObjectsReplicated
Starting test: Replications
......................... hostname passed test Replications
Starting test: RidManager
......................... hostname passed test RidManager
Starting test: Services
......................... hostname passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/04/2015 18:23:06
Event String:
Name resolution for the name ctldl.windowsupdate.com timed out after
none of the configured DNS servers responded.
......................... hostname passed test SystemLog
Starting test: VerifyReferences
......................... hostname passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : emcdsm
Starting test: CheckSDRefDom
......................... emcdsm passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... emcdsm passed test CrossRefValidation
Running enterprise tests on : domain.local
Starting test: LocatorCheck
......................... domain.local passed test LocatorCheck
Starting test: Intersite
......................... domain.local passed test Intersite
C:\Windows\SYSVOL\sysvol>
-
Sharepoint 2013 setup group permissions
In my SharePoint 2013 test sharepoint site, I would like to know how the users should normally have access to the test sharepoint site. Would the user sign as themselves individually or would they sign on with a group id? Can you tell me and/or point me to a url that will show how to setup group permissions and how the users should login?
There are two suggested ways to assign permissions on SharePoint sites:
Using SharePoint Groups
Using Active Directory Groups
Note: A site can be set up to either inherit permissions from the parent site, or to allow unique permissions to be set for the site. If the site is set up to inherit permissions from the parent site, you will have to Add Users or Active Directory Groups to pre-existing SharePoint groups in the parent site.
Using SharePoint groups:
Click on “People and Groups”
Click on “New” from the drop-down menu
Select “New Group”
Under “Choose the permission level group members get on this site:… ”, select “Contribute” and click OK.
Click on “People and Groups”
Click “New”, from the drop-down menu
Select “Add Users”
Type in the netID(s) you wish to add
Click on “Check Names” (the netID(s) should now be underlined)
Under “Give permission”, select the group you just created and click OK.
Note: If site owners want their site to show up automatically in users' "My Links" in "My Site" then those users must be part of a SharePoint group and that group must be defined as the "Members of this Site" group.
Using Active Directory Groups:
Click on “People and Groups”
Click on “New” from the drop-down menu
Select “Add Users”
Type in the name of the Active Directory group you wish to add
Click on Check Names (the group name should now be underlined)
Under Give Users permissions directly, select “Contribute” & click OK.
Note: You can specify multiple netID(s) or AD groups by separating the names with a semi-colon (;).
Below is a list of permissions you can use for the site.
Permission Level: Description
Full Control: This permission level contains all permissions. Assigned to the Site name Owners SharePoint group, by default. This permission level cannot be customized or deleted.
Design: Can create lists and document libraries, edit pages and apply themes, borders, and style sheets in the Web site. Not assigned to any SharePoint group, by default.
Contribute: Can add, edit, and delete items in existing lists and document libraries. Assigned to the Site name Members SharePoint group, by default.
Read: Read-only access to the Web site. Users and SharePoint groups with this permission level can view items and pages, open items, and documents. Assigned to the Site name Visitors SharePoint group, by default.
Limited Access: The Limited Access permission level is designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document, without giving them access to the entire site. However, to access a list or library, for example, a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. The Limited Access permission level cannot be customized or deleted.
NOTE: You cannot assign this permission level to users or SharePoint groups. Instead, Windows SharePoint Services 3.0 automatically assigns this permission level to users and SharePoint groups when you grant them access to an object on your site that requires that they have access to a higher level object on which they do not have permissions. For example, if you grant users access to an item in a list and they do not have access to the list itself, Windows SharePoint Services 3.0 automatically grants them Limited Access on the list, and also the site, if needed.
-
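The two procedures from the SharePoint answer above (a SharePoint group with Contribute, and an Active Directory group granted Contribute directly), as an added PowerShell example that is not part of the original reply. It uses the SharePoint server object model from the management shell; the site URL, group name and account names are hypothetical placeholders.

```powershell
# Added example; run in the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical values; replace with your own.
$SiteUrl   = 'http://sharepoint.example.test/sites/test'
$GroupName = 'Test Site Contributors'
$Members   = @('EXAMPLE\jdoe', 'EXAMPLE\asmith')      # individual netIDs
$AdGroup   = 'EXAMPLE\SP-Test-Contributors'           # Active Directory group

# Bind one permission level (e.g. Contribute) to a principal on this web.
function Grant-PermissionLevel {
    param($Web, $Principal, [string]$LevelName)
    $role = $Web.RoleDefinitions[$LevelName]
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($Principal)
    $assignment.RoleDefinitionBindings.Add($role)
    $Web.RoleAssignments.Add($assignment)
}

$web = Get-SPWeb $SiteUrl
try {
    # A site that inherits permissions must be managed on the parent site,
    # as the note in the answer says, so stop instead of silently breaking inheritance.
    if (-not $web.HasUniqueRoleAssignments) {
        throw "Site inherits permissions; add users to the parent site's groups instead."
    }

    # Option 1: SharePoint group that carries the Contribute level.
    if (-not ($web.SiteGroups | Where-Object { $_.Name -eq $GroupName })) {
        $web.SiteGroups.Add($GroupName, $web.Site.Owner, $null,
                            'Contribute access to the test site')
    }
    $group = $web.SiteGroups[$GroupName]
    Grant-PermissionLevel -Web $web -Principal $group -LevelName 'Contribute'
    foreach ($login in $Members) {
        # EnsureUser resolves the login and creates the site user if needed.
        $group.AddUser($web.EnsureUser($login))
    }

    # Option 2: grant Contribute directly to an Active Directory group.
    $adPrincipal = $web.EnsureUser($AdGroup)
    Grant-PermissionLevel -Web $web -Principal $adPrincipal -LevelName 'Contribute'

    # Review the result: who holds which permission level on this site.
    $web.RoleAssignments | ForEach-Object {
        $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        '{0}: {1}' -f $_.Member.Name, $levels
    }
}
finally {
    $web.Dispose()
}
```

Either way, users sign in as themselves; the group only determines which permission level their individual account receives.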
Need info about group permissions
Hi All,
I'm confused with OIM group permissions for the following scenario.
Consider three groups G1,G2,G3 with the following permissions to a particular resource object RO.
G1 - Has all permission in all places for this RO(resource object,process form,process definition,etc)
G2 - Has only read permissions in all places for this RO.
G3 - Doesn't have any permission with respect to this RO.
And also "Provision by Object Admin Only" is selected for this RO and G1 is an object administrator.
Now I got the following result when I try to provision this resource object.
case 1: The actor (logged in user) is a member of G1 & G2 ------- Got this error "DOBJ.INSERT_PERMISSION_DENIED.You do not have permission to insert this object " and the provisioning operation failed.
case 2: The actor is a member of G1 & G3 ----- Able to provision this resource object.
Now my question is, in case 1 if OIM is denying the operation as G2 doesn't have insert or write permission then how come it is allowing the operation in case 2 where G3 doesn't have any permission?
Is this an expected behaviour or am I missing something?
How is OIM handling the permissions for this operation?
Thanks in advance.
Regards,
NS
I have the same problem here.. the issue we have is that some users have groups that give permissions, other groups that are used by access policies and others for menu visibility. The last two aren't for permissions purposes but they impact the effective rights of the users, because for example, when users try to revoke a resource, OIM says that they don't have permissions. Did you figure out a workaround to solve this problem?
-
DB installs fails with [INS-30060] Check for group existence failed
Hi folks
as user jjayet I'm running on OEL 5.6 64 bits the following command to install DB 11gR2 :
$ /mntmats/SOAVM0504/AUTO_WORK/dbzip_shiphome/database/Disk1/runInstaller -ignoreSysPrereqs -invPtrLoc /ade/jjayet_dte9672/oracle/work/DATABASE1/oraInst.loc -force -silent -waitforcompletion -responseFile /ade/jjayet_dte9672/oracle/work/DATABASE1/db.rsp
Starting Oracle Universal Installer...
Checking Temp space: must be greater than 120 MB. Actual 15258 MB Passed
Checking swap space: must be greater than 150 MB. Actual 16454 MB Passed
Preparing to launch Oracle Universal Installer from /tmp/OraInstall2012-04-05_06-07-54AM. Please wait ...[FATAL] [INS-30060] Check for group existence failed.
CAUSE: Unexpected error occurred while trying to check for group existence.
$ id
uid=511053(jjayet) gid=8500(dba) groups=8500(dba),59031(oinstall)
the problem seems related to accessing /tmp
as the local disk is not enough to use the default /tmp (the DB install will fail with full disk error as the local disk space is very low )
I've created a partition from new disk to /tmp which I have then mounted (default is nfs3) :
# mount /dev/xvdc1 /tmp
# mount
/dev/xvdc1 on /tmp type ext2 (rw)
the result of DB install into /tmp is :
# cd /tmp
# ls -altr
drwxr-xr-x 32 root root 4096 Apr 5 06:07 ..
drwxr-xr-x 2 jjayet dba 4096 Apr 5 06:36 CVU_11.2.0.2.0_jjayet
drwxrwxrwx 7 root root 4096 Apr 5 06:36 .
if I umount /tmp but use the local /tmp
re-running the DB installer as user jjayet it does not raise the error above
and now local /tmp contains :
# cd /tmp
# ls -altr
drwxr-xr-x 32 root root 4096 Apr 5 06:07 ..
drwxr-x--- 10 jjayet dba 4096 Apr 5 06:25 OraInstall2012-04-05_06-25-28AM
drwxr-xr-x 3 jjayet dba 4096 Apr 5 06:25 CVU_11.2.0.2.0_jjayet
drwxrwxrwt 5 root root 4096 Apr 5 06:25 .
do you know how to use tmp over nfs with user jjayet so that the DB can install properly ?
it seems that the files created as user jjayet into mounted /tmp are not identified properly
thks in advance
jean
thks for the pointer
I found the post you mention but it does not help
it does not explain the root cause of the problem but just proposes a workaround to pass an option to the installer which will pop up an interactive message at install time
as installation is done automatically through ADE / DTE I cannot use this workaround
any expert in oracle DB install can help ?
thks
Jean
-
OSR11g - Setting Group Permissions on a Business
I tried setting permissions on a particular business for a group, setting all 5 (Find,Get,Save,Delete, Create) to "Allow" for the group within the OSR Control.
However, after the permissions were set, the business was no longer visible within OSB 11g's "Import from Uddi". The user configured within the OSB UDDI registry is a member of the same group within OSR.
If I remove the group permissions from the business, the business returns to being visible within OSB.
So what's the missing step?
The same problem also occurs in an even simpler scenario:
If I apply "FIND ALLOWED" permissions to the "admin" user on a particular business within OSR 11g, that business is no longer visible to my OSB 11g dashboard for either the "Publish to UDDI" or "Import from UDDI" actions.
So I've given this to Oracle Support to digest.
-
Group Policy failing intermittently on one of my servers
Have you checked the event logs to see if a specific thing is triggering it?
CMOS battery been changed (if the date/time is being reset this can be the cause)?
Or GPResult to check that what should be applied is being applied?
I have a server-2008 R2 box where Group Policy fails intermittently. The result is the server loses its domain trust connection, exact error message is: Remote Desktop cannot verify the ID of the remote computer because there is a time or date difference....
I can reboot the server and it's fixed, but a month later it will have the same issue.
What can I look for to troubleshoot resolve, and what can I monitor to fix this? GP service? If the service is running & the interface, port, or bad cable, I will not be alerted. Can I configure some type of alert that tells me when GP replication with the domain controller has succeeded/failed?
This topic first appeared in the Spiceworks Community -
PDF export from Pages fails "Print - error while printing"
Every month I have been generating PDF versions of my invoices by using the 'export' function of Pages. This has always worked fine without any problems.
Today (end of Feb 08), the pdf export function always fails with 'Print - error while printing". A pdf file is saved to disc but it is corrupted and unreadable. I can still export as rtfd.
I don't see anything about this in the logs, but I do notice that there was a Pages software update to 3.0.2 earlier this month.
Anybody know how to fix this?
Hello
Before re-installing, it may be useful to
a - repair permissions with Disk Utility
b - trash the preferences file: <bootVolume>:Users:<yourAccount>:Library:Preferences:com.apple.iWork.Pages.plist
if it's not sufficient, try to print from an other user account.
If it works this way, you will know that the application's files are not the wrongdoers as every account calls the same application file.
Yvan KOENIG (from FRANCE samedi 1 mars 2008 15:33:41) -
Export Mailbox permissions to CSV
I am looking for a powershell script to export mailbox permissions. I have a list of accounts that I know are shared to other users but I want to be able to export all their permissions to a CSV so I can then replicate these permissions in Office 365. I have a script now that pulls every mailbox and its permissions but it is such a mess I would like to be able to pull a file much cleaner than what I have.
The one I have now is
Get-Mailbox | Get-MailboxPermission | Select {$_.AccessRights}, Deny, InheritanceType, User, Identity, IsInherited, IsValid | Export-Csv D:\test_permission.csv
I want to be able to only pull data from the list of mailboxes that I have, and only see accounts/groups that have full mailbox rights. If I could filter out system accounts that would be great as well. I tried modifying this script but had no such luck.
Thanks!
Hi,
I have a test in my environment using Exchange 2010. You can use the following cmdlet Amit provided to find who has full mailbox access on one or more mailboxes in your environment and export the result to a CSV file.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where {$_.user -notlike "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[String]::join(', ', $_.AccessRights)}} | Export-Csv C:\MailboxAccess.csv -NoTypeInformation
Please change the "C:\MailboxAccess.csv " to the location that you use to save this .csv file.
Hope it helps.
Best regards,
Amy Wang
TechNet Community Support -
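A narrower audit matching what the question in the mailbox-permissions thread above asks for (only a given list of mailboxes, only FullAccess, system accounts filtered out), as an added example that is not part of the original posts. The input and output paths and the exclusion patterns are assumptions; it uses only Get-MailboxPermission and standard PowerShell 2.0 cmdlets.

```powershell
# Added example; run in the Exchange Management Shell.
# Hypothetical paths: a text file with one mailbox identity per line, and the report.
$MailboxList = 'C:\Temp\shared-mailboxes.txt'
$OutputCsv   = 'C:\Temp\FullAccessReport.csv'

# Assumed exclusions: built-in system trustees and unresolved SIDs
# (accounts that were deleted but still appear on the mailbox ACL).
$ExcludePatterns = @('NT AUTHORITY\*', 'S-1-5-*')

function Test-ExcludedTrustee {
    param([string]$Trustee, [string[]]$Patterns)
    foreach ($pattern in $Patterns) {
        if ($Trustee -like $pattern) { return $true }
    }
    return $false
}

$report = foreach ($identity in (Get-Content -Path $MailboxList)) {
    $identity = $identity.Trim()
    if (-not $identity) { continue }          # skip blank lines

    try {
        $perms = Get-MailboxPermission -Identity $identity -ErrorAction Stop
    }
    catch {
        # A typo or a removed mailbox should not abort the whole audit.
        Write-Warning "Skipping '$identity': $($_.Exception.Message)"
        continue
    }

    $perms | Where-Object {
        -not $_.IsInherited -and                        # explicit grants only
        -not $_.Deny -and                               # ignore deny entries
        ($_.AccessRights -like '*FullAccess*') -and     # full mailbox rights only
        -not (Test-ExcludedTrustee -Trustee $_.User.ToString() -Patterns $ExcludePatterns)
    } | Select-Object @{Name = 'Mailbox';      Expression = { $identity }},
                      @{Name = 'Trustee';      Expression = { $_.User.ToString() }},
                      @{Name = 'AccessRights'; Expression = { $_.AccessRights -join ', ' }}
}

if ($report) {
    $report | Export-Csv -Path $OutputCsv -NoTypeInformation
}
else {
    Write-Warning 'No explicit FullAccess delegations found for the listed mailboxes.'
}
```

Unresolved-SID rows are dropped here to keep the migration list clean; reviewing them separately before migrating shows which stale grants should be removed rather than replicated.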
Copying files from Windows rips out group permissions
Hi there all,
Having some problems with group permissions being removed from files when data is copied from a Windows OS.
We currently have a network of Macs that are tied to a AD/OD structure.
We have also set a custom umask for each mac defining 002 as the permissions to be written to files.
However, when we connect to a Windows file share using the smb:// protocol and copy files/folders across to the Mac environment the umask permissions are not written correctly.
The User is given full control and the Everyone group is denied access. However, no group permissions are written at all.
We have tried altering the smb.conf file to no effect.
Could anybody shed some light on this annoying problem?
Many thanks
You have to install this version of samba as Apple have made a complete hash of implementing their own... Another massive fail from the worlds favourite consumer electrics company... Listen to the pro users leaving in droves...
http://eduo.info/apps/smbup