[Samba] Online backup results using 4.10.2

James Atwell james.atwell365 at gmail.com
Thu Apr 11 17:52:16 UTC 2019


Hello,

     I would like to share some info on how I was able to successfully 
run an online backup after several failed attempts. I would constantly 
get the following error when attempting to run an online backup.

ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')

Looking through the list, I saw a post by Tim that led me to resolve 
the issue.

https://lists.samba.org/archive/samba/2019-January/220361.html

He indicated the issue was due to ACL rights on a sysvol object. 
Running samba-tool sysvolreset did not resolve the issue. I decided to 
increase the log level per Tim to 3.

I opened two SSH connections to my DC and tailed the samba log 
(tail -f /usr/local/samba/var/log.samba) on one. On the other I ran the 
online backup command with log level 5 (-d5).

I could see, on the SSH session I was tailing, the GPO of the unique ID 
throwing the error as soon as the online backup command failed. Logging 
into Group Policy Management (RSAT), I was able to identify the GPO in 
the details pane by verifying the unique ID. The GPO was created years 
ago. I wanted to try and set (samba-tool ntacl set) the ACL on this 
object, but didn't know what the default should be. I decided to delete 
the GPO seeing as it was no longer in use and not needed.

Deleting the GPO allowed the online backup to succeed without error. 
It would be nice if someone could post what the default ACL should be, 
in hopes of resolving this issue in the future where I may actually 
need to keep the GPO.

I did decide to get the ACL on the offending GPO in hopes someone with 
more knowledge than I could possibly spot the issue. See below.


root@pfdc1:~# samba-tool ntacl get /usr/local/samba/var/locks/sysvol/domain.local/Policies/{AB0F05DC-D6EB-44B3-BED1-3E2F19F9A9AC}
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[backup$]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
load_module_absolute_path: Module '/usr/local/samba/lib/vfs/acl_xattr.so' loaded
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
security_descriptor: struct security_descriptor
revision: SECURITY_DESCRIPTOR_REVISION_1 (1)
type: 0x9114 (37140)
0: SEC_DESC_OWNER_DEFAULTED
0: SEC_DESC_GROUP_DEFAULTED
1: SEC_DESC_DACL_PRESENT
0: SEC_DESC_DACL_DEFAULTED
1: SEC_DESC_SACL_PRESENT
0: SEC_DESC_SACL_DEFAULTED
0: SEC_DESC_DACL_TRUSTED
0: SEC_DESC_SERVER_SECURITY
1: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_SACL_AUTO_INHERIT_REQ
0: SEC_DESC_DACL_AUTO_INHERITED
0: SEC_DESC_SACL_AUTO_INHERITED
1: SEC_DESC_DACL_PROTECTED
0: SEC_DESC_SACL_PROTECTED
0: SEC_DESC_RM_CONTROL_VALID
1: SEC_DESC_SELF_RELATIVE
owner_sid: *
owner_sid: S-1-5-21-940051827-2291820289-3341758437-512
group_sid: *
group_sid: S-1-5-21-940051827-2291820289-3341758437-512
sacl: NULL
dacl: *
dacl: struct security_acl
revision: SECURITY_ACL_REVISION_ADS (4)
size: 0x00c4 (196)
num_aces: 0x00000007 (7)
aces: ARRAY(7)
aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0024 (36)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-21-940051827-2291820289-3341758437-512
aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0024 (36)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-21-940051827-2291820289-3341758437-519
aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0014 (20)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-3-0
aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0024 (36)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-21-940051827-2291820289-3341758437-512
aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0014 (20)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-18
aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0014 (20)
access_mask: 0x001200a9 (1179817)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-9
aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0014 (20)
access_mask: 0x001200a9 (1179817)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-11



--James
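
Added example (not part of the original message and not Samba project code): a small Python parser for the flattened samba-tool ntacl get output above that reduces each ACE to trustee, rights and inheritance flags, so the DACL of a failing GPO can be compared line by line with one that backs up cleanly. The SID names, the two access-mask labels and the SDDL flag letters are standard Windows values; the function names are illustrative.

```python
import re

# Three of the seven ACEs above, trimmed to the fields the parser reads.
SAMPLE = """\
aces: struct security_ace
flags: 0x03 (3)
access_mask: 0x001f01ff (2032127)
trustee: S-1-5-21-940051827-2291820289-3341758437-512
aces: struct security_ace
flags: 0x0b (11)
access_mask: 0x001f01ff (2032127)
trustee: S-1-3-0
aces: struct security_ace
flags: 0x03 (3)
access_mask: 0x001200a9 (1179817)
trustee: S-1-5-11
"""

WELL_KNOWN = {"S-1-3-0": "Creator Owner", "S-1-5-11": "Authenticated Users",
              "S-1-5-9": "Enterprise Domain Controllers", "S-1-5-18": "Local System"}
DOMAIN_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins"}
MASKS = {0x001f01ff: "full control", 0x001200a9: "read and execute"}
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]

def name_sid(sid):
    """Map a SID to a well-known or domain-RID name, else return it unchanged."""
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return DOMAIN_RIDS.get(m.group(1), sid) if m else WELL_KNOWN.get(sid, sid)

def parse_aces(text):
    """One dict per 'aces: struct security_ace' record; other lines are ignored."""
    aces = []
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "aces" and val.startswith("struct security_ace"):
            aces.append({})
        elif aces and key in ("flags", "access_mask", "trustee"):
            aces[-1][key] = val.split(" (")[0]  # drop the decimal in parentheses
    return aces

def summarize(text):
    """(trustee name, rights, SDDL-style inheritance flags) per ACE, in order."""
    rows = []
    for ace in parse_aces(text):
        flags, mask = int(ace["flags"], 16), int(ace["access_mask"], 16)
        rows.append((name_sid(ace["trustee"]), MASKS.get(mask, hex(mask)),
                     "".join(n for bit, n in ACE_FLAGS if flags & bit)))
    return rows

print("\n".join(" | ".join(row) for row in summarize(SAMPLE)))
```

The full dump can be passed in as captured, since blank lines, log lines and the per-bit flag breakdown are skipped.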
