Problems with samba-tool ntacl sysvol reset

Samba - General mailing list
Hi,

After adding a new GPO the ntacl sysvolcheck fails and I want to repair
with ntacl sysvolreset.... but this also fails in the end with:


connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
and 'force unknown acl user = true' for service sysvol
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
239, in run
     lp, use_ntvfs=use_ntvfs)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1514, in set_gpos_acl
     passdb=passdb)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1477, in set_dir_acl
     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs,
skip_invalid_chown=True, passdb=passdb, service=service)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in
setntacl
     smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL,
sd, service=service)

I'm not sure, where to start...

Additional debug output:

root@samba01:~# samba-tool ntacl sysvolcheck -d3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such
file or directory')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
270, in run
     lp)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1723, in checksysvolacl
     direct_db_access)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1674, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1618, in check_dir_acl
     fsacl = getntacl(lp, path, direct_db_access=direct_db_access,
service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in
getntacl




and lvl 10 (ntaclreset.... just before failure)

dfs_samba4: connect to service[sysvol]
vfswrap_fs_capabilities: timestamp resolution of sec available on share sysvol, directory /
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1514, in set_gpos_acl
    passdb=passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1477, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Thanks in advance...


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Problems with samba-tool ntacl sysvol reset

Samba - General mailing list
On Thu, 11 May 2017 14:27:04 +0200
Dirk Laurenz via samba <[hidden email]> wrote:

> Hi,
>
> After adding a new GPO the ntacl sysvolcheck fails and I want to
> repair with ntacl sysvolreset.... but this also fails in the end
> with:
>
>

What OS ?
Can you please post the smb.conf from the DC

Rowland


Re: Problems with samba-tool ntacl sysvol reset

Samba - General mailing list
Raspbian



root@samba01:~# uname -a
Linux samba01 4.9.14-v7+ #977 SMP Mon Mar 13 18:25:19 GMT 2017 armv7l GNU/Linux

root@samba01:~# cat /etc/debian_version
8.7

root@samba01:~# samba -V
Version 4.6.3

root@samba01:~# cat /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = SAMBA01
        realm = LOCAL.xx.xx
        workgroup = LAURENZ
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        allow dns updates = nonsecure
        idmap_ldb:use rfc2307 = yes
        client ldap sasl wrapping = sign
        server services = -dns


[netlogon]
        path = /var/lib/samba/sysvol/xx.xx.xx/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

-----Original Message-----
From: samba [mailto:[hidden email]] On Behalf Of Rowland Penny via samba
Sent: Thursday, 11 May 2017 15:30
To: [hidden email]
Subject: Re: [Samba] Problems with samba-tool ntacl sysvol reset


Re: Problems with samba-tool ntacl sysvol reset

Samba - General mailing list
Any idea?

-----Original Message-----
From: samba [mailto:[hidden email]] On Behalf Of Dirk Laurenz via samba
Sent: Saturday, 13 May 2017 10:14
To: 'Rowland Penny' <[hidden email]>; [hidden email]
Subject: Re: [Samba] Problems with samba-tool ntacl sysvol reset


Re: Problems with samba-tool ntacl sysvol reset

Samba - General mailing list
On Mon, 15 May 2017 22:02:30 +0200
"Dirk Laurenz" <[hidden email]> wrote:

> Any idea?
>
>
>
> root@samba01:~# uname -a
> Linux samba01 4.9.14-v7+ #977 SMP Mon Mar 13 18:25:19 GMT 2017 armv7l
> GNU/Linux
>
> root@samba01:~# cat /etc/debian_version
> 8.7
>
> root@samba01:~# samba -V
> Version 4.6.3

I take it that you have built Samba yourself and you are using Bind9.
How did you build Samba, did you follow the Samba wiki or follow
another webpage, if the latter which one ?
What was your configure line ?
What filesystem are you using ?

Please post /etc/hosts, /etc/resolv.conf, /etc/hostname, /etc/krb5.conf and
all your named.conf files.

Rowland


Re: Problems with samba-tool ntacl sysvol reset

Samba - General mailing list
Good morning,

I investigated this issue last night and was able to solve it.

Short: Reason was a missing GPO file

======================

Long version (how I think the failure occurs)

I have 3 Samba AD services (all Raspberry Pis)

Because one Pi crashed months ago (unreadable SD card) I moved all roles from samba01 to samba02, demoted samba02 as bad DC and rejoined it as fresh install.

I have sysvol replication from samba01 to ..02 and 03 (one way via rsync - as described in your wiki)

So sysvol replication from 01 to 02 / 03 but PDC role on 02

Then I added a new GPO (with the Windows tool - which chooses the PDC...) and it creates a GPO which is deleted via rsync

samba-tool ntacl sysvolcheck then fails (a reference for a GPO in LDAP, but none in the filesystem)

========================

What did I do to fix it?

Moved PDC role back to samba01 (and all other roles - via samba-tool fsmo)

Deleted the GPO I added and recreated it - now it works

What would I suggest?

samba-tool should be more specific if this failure occurs, as it is user risen and not a Samba bug - something like GPO file is missing or so...

In the long term - multi-master sysvol replication....

To answer your questions...

My build options are:

./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --enable-fhs --with-systemd
make
checkinstall make install


-----Original Message-----
From: samba [mailto:[hidden email]] On Behalf Of Rowland Penny via samba
Sent: Monday, 15 May 2017 22:36
To: [hidden email]
Subject: Re: [Samba] Problems with samba-tool ntacl sysvol reset


Re: Problems with samba-tool ntacl sysvol reset

Samba - General mailing list
And I was only able to find out about the missing file by using strace with samba-tool

-----Original Message-----
From: samba [mailto:[hidden email]] On Behalf Of Dirk Laurenz via samba
Sent: Tuesday, 16 May 2017 07:45
To: [hidden email]
Subject: Re: [Samba] Problems with samba-tool ntacl sysvol reset

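
A check for the condition found at the end of the thread (a GPO object in LDAP with no matching folder in sysvol), as an added example that is not part of the original messages or of Samba itself. It assumes the GPO list comes from `samba-tool gpo listall` in the layout of the constructed sample, and that GPO folders sit under `<sysvol>/<domain>/Policies`; the function names are hypothetical.

```python
import os
import re
import tempfile

# Constructed sample in the layout assumed for `samba-tool gpo listall` output,
# trimmed to the two fields the parser reads; the last GUID is made up.
SAMPLE_LISTALL = """
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
GPO          : {11111111-2222-3333-4444-555555555555}
display name : New test policy
"""
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def parse_listall(text):
    """Return {GUID: display name} for each GPO object listed from the directory."""
    gpos, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "gpo" and GUID_RE.match(value):
            current = value.upper()
            gpos[current] = ""
        elif key == "display name" and current:
            gpos[current] = value
    return gpos

def compare(gpos, policies_dir):
    """Compare directory objects with GUID folders under <sysvol>/<domain>/Policies."""
    on_disk = {name.upper() for name in os.listdir(policies_dir)
               if GUID_RE.match(name) and os.path.isdir(os.path.join(policies_dir, name))}
    missing = sorted(set(gpos) - on_disk)   # object in LDAP, no folder (the thread's case)
    orphaned = sorted(on_disk - set(gpos))  # folder on disk, no object in LDAP
    return missing, orphaned

def demo():
    """Throwaway Policies tree lacking the newest GPO and holding one stray folder."""
    gpos = parse_listall(SAMPLE_LISTALL)
    with tempfile.TemporaryDirectory() as policies:
        for guid in list(gpos)[:2] + ["{99999999-8888-7777-6666-555555555555}"]:
            os.makedirs(os.path.join(policies, guid, "Machine"))
        return gpos, compare(gpos, policies)

if __name__ == "__main__":
    gpos, (missing, orphaned) = demo()
    for guid in missing:
        print("in LDAP, missing on disk:", guid, gpos[guid])
    for guid in orphaned:
        print("on disk, not in LDAP:   ", guid)
```

Run against a real DC by feeding `parse_listall` the captured command output and pointing `compare` at the Policies directory of the sysvol share; a non-empty `missing` list names the GPO to restore or delete before retrying `sysvolreset`.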