Corrupted GPO

George Lazar lazar.george at gmail.com
Tue Jun 29 13:47:54 MDT 2010




Matthieu Patou-7 wrote:
> 
>   On 29/06/2010 19:09, George Lazar wrote:
>>
>>
>> Matthieu Patou-7 wrote:
>>>    On 29/06/2010 18:39, George Lazar wrote:
>>>>
>>>> Matthieu Patou-7 wrote:
>>>>>     Hi Georges,
>>>>>
>>>>>>>> Regarding the output, the GPO I was creating when I started to
>>>>>>>> receive
>>>>>>>> "there is not enough space" is record no. 13... (Themes Enabled
>>>>>>>> GPO)
>>>>>>>>
>>>>>>>> The content of /usr/local/samba/var/locks/.. doesn't seems not
>>>>>>>> unusual.
>>>>>>>> I
>>>>>>>> have there all the policies owned by 3000008 as before.
>>>>>>> Yes but I need it to see if all the policy object declared in the
>>>>>>> Policies container are also here on the filesystem.
>>>>>>>
>>>>>>> See attached policies.png
>>>>>>>
>>>>>>> More specifically can you show the content of
>>>>>>> {391F2562-1AB9-4CA5-BC87-4BD72929CC5E} folder ?
>>>>>>> Can you access
>>>>>>> \\domain.eu\SysVol\domain.eu\Policies\{391F2562-1AB9-4CA5-BC87-4BD72929CC5E}
>>>>>>> ?
>>>>>>> Do you see a file called gpt.ini and two folders MACHINE and USER ?
>>>>>>> If no can create the folder and the file with the following content:
>>>>>>> [General]
>>>>>>> Version=65543
>>>>>>>
>>>>>>> See attached policy.png http://old.nabble.com/file/p29022853/GPO.JPG
>>>>>>> GPO.JPG  http://old.nabble.com/file/p29022853/polcies.PNG
>>>>>>> polcies.PNG
>>>>>>> http://old.nabble.com/file/p29022853/policy.PNG policy.PNG
>>>>> It's the fist time I see such things but I'm not the most experienced
>>>>> with gpo.
>>>>>
>>>>> Ok let's try to nuke the GPO:
>>>>> do a tdbbackup on all the ldb files in /usr/local/samba/private then
>>>>>
>>>>> Done.
>>>>>
>>>>> ldbedit -H ldap:/localhost -b
>>>>> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
>>>>>
>>>>> You should have three objects, remove them.
>>>>>
>>>>> It doesn't let me delete them, I got:
>>>>> failed to delete
>>>>> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
>>>>> - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -<00002098:
>>>>> insufficient
>>>>> access rights>   <>
>>>>>
>>>>> I'm doing this as root but should I stop samba first?
>>>>>
>>> no You have to get authenticated: ldbedit -H .... -U DOMAIN\\User
>>>
>>> with authentication I got another error:
>>>   LDAP error 66 LDAP_NOT_ALLOWED_ON_NON_LEAF -<00002015: Not allowed on
> Hum ok let's try to do it on the ldb files directly:
> 
> ldbedit -H /usr/local/samba/private/sam.ldb -b 
> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
> 
> another error:
> failed to delete
> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
> - Cannot delete
> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu,
> not a leaf node (has 2 children)
> 
> :(
> 
> I will join tomorrow morning on #samba-technical.
> Thx.
> 
> ps: can you join #samba-technical it would be easier for realtime debug.
> 
> 
> -- 
> Matthieu Patou
> Samba Team        http://samba.org
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29027608.html
Sent from the Samba - samba-technical mailing list archive at Nabble.com.



More information about the samba-technical mailing list