Corrupted GPO
George Lazar
lazar.george at gmail.com
Wed Jun 30 03:04:25 MDT 2010
Matthieu Patou-7 wrote:
>
> On 29/06/2010 23:47, George Lazar wrote:
>>
>>
>> Matthieu Patou-7 wrote:
>>> On 29/06/2010 19:09, George Lazar wrote:
>>>>
>>>> Matthieu Patou-7 wrote:
>>>>> On 29/06/2010 18:39, George Lazar wrote:
>>>>>> Matthieu Patou-7 wrote:
>>>>>>> Hi Georges,
>>>>>>>
>>>>>>>>>> Regarding the output, the GPO I was creating when I started to
>>>>>>>>>> receive
>>>>>>>>>> "there is not enough space" is record no. 13... (Themes Enabled
>>>>>>>>>> GPO)
>>>>>>>>>>
>>>>>>>>>> The content of /usr/local/samba/var/locks/.. doesn't seems not
>>>>>>>>>> unusual.
>>>>>>>>>> I
>>>>>>>>>> have there all the policies owned by 3000008 as before.
>>>>>>>>> Yes but I need it to see if all the policy object declared in the
>>>>>>>>> Policies container are also here on the filesystem.
>>>>>>>>>
>>>>>>>>> See attached policies.png
>>>>>>>>>
>>>>>>>>> More specifically can you show the content of
>>>>>>>>> {391F2562-1AB9-4CA5-BC87-4BD72929CC5E} folder ?
>>>>>>>>> Can you access
>>>>>>>>> \\domain.eu\SysVol\domain.eu\Policies\{391F2562-1AB9-4CA5-BC87-4BD72929CC5E}
>>>>>>>>> ?
>>>>>>>>> Do you see a file called gpt.ini and two folders MACHINE and USER
>>>>>>>>> ?
>>>>>>>>> If no can create the folder and the file with the following
>>>>>>>>> content:
>>>>>>>>> [General]
>>>>>>>>> Version=65543
>>>>>>>>>
>>>>>>>>> See attached policy.png
>>>>>>>>> http://old.nabble.com/file/p29022853/GPO.JPG
>>>>>>>>> GPO.JPG http://old.nabble.com/file/p29022853/polcies.PNG
>>>>>>>>> polcies.PNG
>>>>>>>>> http://old.nabble.com/file/p29022853/policy.PNG policy.PNG
>>>>>>> It's the fist time I see such things but I'm not the most
>>>>>>> experienced
>>>>>>> with gpo.
>>>>>>>
>>>>>>> Ok let's try to nuke the GPO:
>>>>>>> do a tdbbackup on all the ldb files in /usr/local/samba/private then
>>>>>>>
>>>>>>> Done.
>>>>>>>
>>>>>>> ldbedit -H ldap:/localhost -b
>>>>>>> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
>>>>>>>
>>>>>>> You should have three objects, remove them.
>>>>>>>
>>>>>>> It doesn't let me delete them, I got:
>>>>>>> failed to delete
>>>>>>> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
>>>>>>> - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -<00002098:
>>>>>>> insufficient
>>>>>>> access rights> <>
>>>>>>>
>>>>>>> I'm doing this as root but should I stop samba first?
>>>>>>>
>>>>> no You have to get authenticated: ldbedit -H .... -U DOMAIN\\User
>>>>>
>>>>> with authentication I got another error:
>>>>> LDAP error 66 LDAP_NOT_ALLOWED_ON_NON_LEAF -<00002015: Not allowed
>>>>> on
>>> Hum ok let's try to do it on the ldb files directly:
>>>
>>> ldbedit -H /usr/local/samba/private/sam.ldb -b
>>> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
>>>
>>> another error:
>>> failed to delete
>>> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
>>> - Cannot delete
>>> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu,
>>> not a leaf node (has 2 children)
>>>
>>> :(
>>>
> Ah yes, you have to remove the CN=Machine, ... and CN=User, quit and
> reedit to remove the CN={....}, ....
>
> It works! now I can see the GPOs.. God how much I miss them!
> Everything seems fine now.
> Man, Thanks a LOT!!
>
> George
>
>
>
> --
> Matthieu Patou
> Samba Team http://samba.org
>
>
>
--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29032329.html
Sent from the Samba - samba-technical mailing list archive at Nabble.com.
More information about the samba-technical
mailing list