[Samba] Sysvol acl check failed
Stefan Kania
stefan at kania-online.de
Tue Oct 13 09:20:37 UTC 2015
On 12.10.2015 at 18:47, James wrote:
> On 10/12/2015 12:20 PM, Stefan Kania wrote:
>> Hello,
>>
>> when I check ACLs on my sysvol I got the following errors:
>>
>> root@DKHHDC1:~# samba-tool gpo aclcheck
>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>>
>>
>> root@DKHHDC1:~# samba-tool ntacl sysvolcheck
>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>>     lp)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>>     direct_db_access)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>>     domainsid, direct_db_access)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>>     fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
>>     xattr.XATTR_NTACL_NAME)
>>
>> Then I tried to fix the errors. Doing this, I got the next errors:
>>
>> root@DKHHDC1:~# samba-tool ntacl sysvolreset
>> open: error=2 (No such file or directory)
>> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 218, in run
>>     lp, use_ntvfs=use_ntvfs)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1619, in setsysvolacl
>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1524, in set_gpos_acl
>>     passdb=passdb)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1487, in set_dir_acl
>>     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in setntacl
>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>>
>> When I check the database everything is ok.
>>
>> root@DKHHDC1:~# samba-tool dbcheck
>> Checking 1185 objects
>> Checked 1185 objects (0 errors)
>>
>> Here are the permissions in sysvol:
>>
>> root@DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/Policies/
>> insgesamt 80
>> drwxrws---+ 6 root    3000000 4096 Jun 25  2014 {08BE834B-49D1-4F47-950E-C0D0CB4D2486}
>> drwxrws---+ 6 root    3000015 4096 Nov  5  2013 {31B2F340-016D-11D2-945F-00C04FB984F9}
>> drwxrws---+ 4 3000015 3000015 4096 Mai 15  2014 {4D8D96AA-C7E4-47F9-A8AF-D1D72CA6CBA1}
>> drwxrws---+ 4 3000015 3000015 4096 Nov 11  2014 {5C3768B4-E734-4168-A370-E0BB95C00B29}
>> drwxrws---+ 4 3000015 3000015 4096 Mär  1  2013 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>> drwxrws---+ 5 3000015 3000015 4096 Jun 11  2014 {6FBD7831-E891-41A4-A5FA-B3BCCEAEA519}
>> drwxrws---+ 4 3000015 3000015 4096 Mai 26  2014 {8DD38317-E675-4042-84DD-0CF499F8C5F1}
>> drwxrws---+ 5 3000015 3000015 4096 Mär 23  2015 {9C353A54-854E-4CA5-A038-98B5F935627A}
>> drwxrws---+ 4 3000015 3000015 4096 Dez  3  2014 {A42F9750-57C8-4E48-8928-EF22B6E27CAE}
>> drwxrws---+ 5 3000015 3000015 4096 Jun 16  2014 {EE730522-233D-47BB-A05C-058B5D9E10DB}
>>
>> root@DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/
>> insgesamt 24
>> drwxrws---+ 12 root 3000000 4096 Jan 29  2015 Policies
>> drwxrws---+  5 root 3000000 4096 Jun 30  2014 scripts
>> drwxrws---+ 10 root 3000000 4096 Mär 26  2013 StarterGPOs
>>
>> YES I know .local is not a good choice, but it is as it is NOT
>> my choice
>>
>> All GPOs are working
>>
>> One more thing. The old DC was a self-compiled Samba 4 with
>> /usr/local/samba/sysvol. The new one is running the
>> sernet-packages with /var/lib/samba/sysvol as path.
>>
>> Where should I look next?
>>
>>
>> Thank you
>>
>> Stefan
>>
> Hello,
>
> Can you post your smb.conf?
>
Here is the smb.conf:

--------------
# Global parameters
[global]
	workgroup = DKHH
	realm = dkhh.local
	netbios name = DKHHDC2
	server role = active directory domain controller
	dns forwarder = 172.16.0.52
	allow dns updates = nonsecure

[netlogon]
	path = /var/lib/samba/sysvol/dkhh.local/scripts
	read only = No
	write ok = Yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
	write ok = Yes