[Samba] Missing Policies folder after failure; how to recreate
Rowland Penny
rowlandpenny at googlemail.com
Fri Jan 16 10:01:53 MST 2015
On 16/01/15 16:41, "Gergely, Kaszás" wrote:
>
> On 2015.01.14. 15:48, Marc Muehlfeld wrote:
>> On 14.01.2015 at 11:18, "Gergely, Kaszás" wrote:
>>>> If you just lost your sysvol folder content, restore the files from
>>>> your backup or copy them from an additional DC in the domain + run
>>>> 'samba-tool ntacl sysvolreset'.
>>> Yes if the site would have backups or a second DC this wouldn't be a
>>> problem.
>>> But unfortunately this isn't the case. The admin of this site didn't
>>> make backups and there is no other DC in the domain.
>> As I already said: If you don't give more information about the
>> situation and details, we can't help.
>
> Forgive me for being vague;
> There is only a single active DC in this domain that was recovered
> after a hardware failure caused by an unplanned outage.
> This DC is mostly used for radius authentication and for a simple
> library lab with 5 computers.
> The domain has around ~400 users.
> The real name of the domain is not "domain.of", I just masked it.
>
> *Listing of the sysvol folder gives*
> sysvol # find .
> .
> ./domain.of/
> ./domain.of/scripts
>
> The DC is a *4.1.6 ubuntu* packaged samba
>
> Trying to *delete one of the GPOs* gives:
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed
> on CN={MASKED},CN=Policies,CN=System,DC=domain,DC=of> <>
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line
> 1083, in run
> self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))
>
> *samba-tool ntacl sysvolcheck*
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No
> such file or directory')
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
> 249, in run
> lp)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1695, in checksysvolacl
> direct_db_access)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1631, in check_gpos_acl
> direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in
> getntacl
> xattr.XATTR_NTACL_NAME)
>
> *samba-tool ntacl sysvolreset*
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
> 218, in run
> lp, use_ntvfs=use_ntvfs)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1581, in setsysvolacl
> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> use_ntvfs, passdb=s4_passdb)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1499, in set_gpos_acl
> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
> service=SYSVOL_SERVICE)
> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154,
> in setntacl
> smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
>
> the *smb.conf*
> [global]
> workgroup = DOMAINOF
> realm = domain.of
> netbios name = DC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate
> nt acl support = yes
> inherit acls = yes
> wins support = yes
> #security = ads
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind refresh tickets = true
> kerberos method = secrets and keytab
> socket options = TCP_NODELAY
>
> idmap config *:backend = tdb
> idmap config *:range = 30001-40000
> idmap config DOMAINOF:backend = ad
> idmap config DOMAINOF:schema_mode = rfc2307
> idmap config DOMAINOF:range = 1000-20000
> idmap_ldb:use rfc2307 = yes
>
> load printers = no
> printcap name = /dev/null
> template shell = /bin/bash
>
> # ca.pem - /etc/ssl/certs/sambaca.pem, cert.pem
> /etc/ssl/certs/samba.pem
> tls enabled = yes
> tls keyfile = /var/lib/samba/private/tls/dc.domain.of.key.pem
> tls certfile = /var/lib/samba/private/tls/dc.domain.of.cert.pem
> tls cafile = /var/lib/samba/private/tls/dc.domain.of.chain.pem
>
> [netlogon]
> path = /var/lib/samba/sysvol/domain.of/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>>>> If the security stuff inside the AD is messed up, too, I have no
>>>> idea, if you don't give more information and if we aren't allowed to
>>>> ask to find out what happened and what exactly is broken. ;-)
>>
>>
>> Regards,
>> Marc
>
Hi, your smb.conf seems to be a mixture of an AD DC smb.conf and a
member server smb.conf. I would suggest that you remove these lines:
nt acl support = yes
inherit acls = yes
wins support = yes
#security = ads
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = true
kerberos method = secrets and keytab
socket options = TCP_NODELAY
idmap config *:backend = tdb
idmap config *:range = 30001-40000
idmap config DOMAINOF:backend = ad
idmap config DOMAINOF:schema_mode = rfc2307
idmap config DOMAINOF:range = 1000-20000
They are member server lines and have no place on a Samba AD DC.
Rowland
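As an added example that is not part of this thread: the tracebacks above all stem from `ntacl sysvolcheck`/`sysvolreset` walking the GPO objects AD still holds and failing on directories that no longer exist under sysvol. This POSIX shell script reports which GPOs lack their `Policies/{GUID}` directory and, on request, recreates the empty skeleton so `sysvolreset` can run again. It uses the sysvol path and realm from the poster's smb.conf, and assumes the `GPO : {GUID}` line format of `samba-tool gpo listall` and the MACHINE/USER/GPT.INI layout that Samba's own provisioning creates; neither is shown in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the GPOs that AD still
# lists with the Policies/{GUID} directories under sysvol and, on request,
# recreates the empty skeleton Samba's provisioning writes for a GPO, so that
# 'samba-tool ntacl sysvolreset' has directories to set ACLs on again.
# Defaults come from the poster's smb.conf; override with SYSVOL=... REALM=...
SYSVOL=${SYSVOL:-/var/lib/samba/sysvol}
REALM=${REALM:-domain.of}

# Read 'samba-tool gpo listall' output on stdin, pull the GUID out of each
# "GPO          : {...}" line and print the GUIDs whose directory is absent.
missing_gpo_dirs() {
    sysvol=$1; realm=$2
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*\({[0-9A-Fa-f-]*}\).*/\1/p' |
    while read -r guid; do
        [ -d "$sysvol/$realm/Policies/$guid" ] || echo "$guid"
    done
}

# Recreate the minimal layout: Policies/{GUID}/MACHINE, .../USER and a GPT.INI
# (the same files Samba's provision writes for a new GPO). The policy
# settings themselves are gone for good: the GPO comes back empty and must be
# re-authored in GPMC, which also rewrites GPT.INI.
create_gpo_skeleton() {
    dir="$1/$2/Policies/$3"
    mkdir -p "$dir/MACHINE" "$dir/USER" || return 1
    printf '[General]\r\nVersion=0\r\n' > "$dir/GPT.INI"
}

# Usage: sh recover_gpo_dirs.sh scan    (report only)
#        sh recover_gpo_dirs.sh apply   (create skeletons; afterwards run
#                                        'samba-tool ntacl sysvolreset')
case "$1" in
scan|apply)
    samba-tool gpo listall | missing_gpo_dirs "$SYSVOL" "$REALM" |
    while read -r guid; do
        echo "no sysvol directory for GPO $guid"
        if [ "$1" = apply ]; then
            create_gpo_skeleton "$SYSVOL" "$REALM" "$guid" && echo "  recreated"
        fi
    done
    ;;
esac
```

The `ntacl sysvolreset` step is still needed afterwards, since the script only recreates directories, not their NT ACLs.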