Corrupted GPO

Matthieu Patou mat at samba.org
Tue Jun 29 10:17:51 MDT 2010 

  On 29/06/2010 19:09, George Lazar wrote:
>
>
> Matthieu Patou-7 wrote:
>>    On 29/06/2010 18:39, George Lazar wrote:
>>>
>>> Matthieu Patou-7 wrote:
>>>>     Hi Georges,
>>>>
>>>>>>> Regarding the output, the GPO I was creating when I started to
>>>>>>> receive
>>>>>>> "there is not enough space" is record no. 13... (Themes Enabled GPO)
>>>>>>>
>>>>>>> The content of /usr/local/samba/var/locks/.. doesn't seems not
>>>>>>> unusual.
>>>>>>> I
>>>>>>> have there all the policies owned by 3000008 as before.
>>>>>> Yes but I need it to see if all the policy object declared in the
>>>>>> Policies container are also here on the filesystem.
>>>>>>
>>>>>> See attached policies.png
>>>>>>
>>>>>> More specifically can you show the content of
>>>>>> {391F2562-1AB9-4CA5-BC87-4BD72929CC5E} folder ?
>>>>>> Can you access
>>>>>> \\domain.eu\SysVol\domain.eu\Policies\{391F2562-1AB9-4CA5-BC87-4BD72929CC5E}
>>>>>> ?
>>>>>> Do you see a file called gpt.ini and two folders MACHINE and USER ?
>>>>>> If no can create the folder and the file with the following content:
>>>>>> [General]
>>>>>> Version=65543
>>>>>>
>>>>>> See attached policy.png http://old.nabble.com/file/p29022853/GPO.JPG
>>>>>> GPO.JPG  http://old.nabble.com/file/p29022853/polcies.PNG polcies.PNG
>>>>>> http://old.nabble.com/file/p29022853/policy.PNG policy.PNG
>>>> It's the fist time I see such things but I'm not the most experienced
>>>> with gpo.
>>>>
>>>> Ok let's try to nuke the GPO:
>>>> do a tdbbackup on all the ldb files in /usr/local/samba/private then
>>>>
>>>> Done.
>>>>
>>>> ldbedit -H ldap:/localhost -b
>>>> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
>>>>
>>>> You should have three objects, remove them.
>>>>
>>>> It doesn't let me delete them, I got:
>>>> failed to delete
>>>> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
>>>> - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -<00002098: insufficient
>>>> access rights>   <>
>>>>
>>>> I'm doing this as root but should I stop samba first?
>>>>
>> no You have to get authenticated: ldbedit -H .... -U DOMAIN\\User
>>
>> with authentication I got another error:
>>   LDAP error 66 LDAP_NOT_ALLOWED_ON_NON_LEAF -<00002015: Not allowed on
Hum ok let's try to do it on the ldb files directly:

ldbedit -H /usr/local/samba/private/sam.ldb -b 
CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu


ps: can you join #samba-technical it would be easier for realtime debug.


-- 
Matthieu Patou
Samba Team        http://samba.org

More information about the samba-technical mailing list