Problem creating GPO samba4 beta6

Dieter Modig dieter.m at inputinterior.se
Mon Nov 12 11:38:30 MST 2012


Hi! 

We're back! ;) Since we had no luck with getting GPO:s working for us with samba beta7 we had to put it all on ice (other things need to be broken as well ;) Now that we had a chance to delve into it again there was a RC4 out for us to test against! 

We've upgraded to RC4 and can't see many problems so far but still no luck with creating new GPO:s (editing old ones - yes but no new ones). Running the suggested ntacl sysvolreset yielded the following error. Suggestions? We can also see that there are others with this exact problem in the mail list. Are you close to any solution or want us to try anything to give more clues? 

set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_ACCESS_DENIED. 
ERROR(runtime): uncaught exception - (-1073741790, 'Access denied') 
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run 
return self.run(*args, **kwargs) 
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/ntacl.py", line 214, in run 
lp, use_ntvfs=use_ntvfs) 
File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1458, in setsysvolacl 
setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb) 
File "/usr/local/samba/lib/python2.6/site-packages/samba/ntacls.py", line 141, in setntacl 
smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd) 

Regards 
Dieter Modig 

----- Ursprungligt meddelande -----

> Från: "Andrew Bartlett" <abartlet at samba.org>
> Till: "Dieter Modig" <dieter.m at inputinterior.se>
> Kopia: samba-technical at lists.samba.org
> Skickat: tisdag, 28 aug 2012 14:23:57
> Ämne: Re: Problem creating GPO samba4 beta6

> On Tue, 2012-08-28 at 14:17 +0200, Dieter Modig wrote:
> > Hi again!
> >
> > ----- Ursprungligt meddelande -----
> >
> > > Från: "Andrew Bartlett" <abartlet at samba.org>
> > > Till: "Dieter Modig" <dieter.m at inputinterior.se>
> > > Kopia: samba-technical at lists.samba.org
> > > Skickat: måndag, 27 aug 2012 23:51:01
> > > Ämne: Re: Problem creating GPO samba4 beta6
> >
> > > On Mon, 2012-08-27 at 11:05 +0200, Dieter Modig wrote:
> > > > Hi!
> > > >
> > > > Since one of the updates on our Samba4 environment (from alpa17
> > > > to
> > > > beta4) we can't seem to create new GPOs using windows GPO
> > > > manager.
> > > > We can edit the existing ones but not create new ones. When
> > > > trying
> > > > to create a new GPO I get an error message saying something
> > > > like
> > > > "File/object not found". Removing this message and trying again
> > > > (with the same name) gets me a different error message saying
> > > > "Access denied". No logs seem to catch this so there is no
> > > > further
> > > > debug info.
> > > >
> > > > We could however create a GPO from the linux command line using
> > > > samba-tool and that works but this GPO can't be used from
> > > > windows
> > > > GPO manager.
> > > >
> > > > It seems to be a problem with access rights. Looking in the
> > > > folder
> > > > /usr/local/samba/var/locks/sysvol/input.se/Policies/ we can see
> > > > that existing policies have different owners and groups. Some
> > > > of
> > > > them have local linux users as owners and some of them have
> > > > users
> > > > from the domain as owners. The theory that the problem is all
> > > > rights based is corraborated by the fact that sometimes we get
> > > > an
> > > > error message saying "The permissions for this GPO in the
> > > > sysvol
> > > > folder are inconsistent with those in active directory" and the
> > > > option to repair this. It does not, however, help to repair it
> > > > :(
> > > >
> > > > What are the rights supposed to be? Is the Policies folder
> > > > supposed
> > > > to be owned by local linux user (which is running the
> > > > processes)
> > > > or a domain user (which is the one accessing the files)? Are
> > > > there
> > > > any checks/fixes that we can run in order to see if there are
> > > > errors in the setup? This was working just fine before updating
> > > > to
> > > > the beta release so has there been any changes in how the
> > > > rights
> > > > are suppose to be set?
> >
> > > G'day,
> >
> > > I've been working to make this handle much better, and the beta7
> > > due
> > > today (and current master) will work much better for you.
> >
> > > In particular, the new tool 'samba-tool ntacl sysvolreset' will
> > > set
> > > posix permissions to match the NT ACL, the lack of which is I
> > > hope
> > > the
> > > cause of your problems.
> >
> > > Let me know if it does or doesn't help, and I'll see what I can
> > > do.
> >
> > Uumm... I was very excited about the beta7 so it was downloaded,
> > compiled and installed. And then we can't the server online
> > anymore at all! :( Log.samba was not very forthcoming other than:
> >
> > [2012/08/28 12:21:38, 0] ../lib/util/fault.c:73(fault_report)
> > INTERNAL ERROR: Signal 11 in pid 1498 (4.0.0beta7)
> > Please read the Trouble-Shooting section of the Samba HOWTO
> > [2012/08/28 12:21:38, 0] ../lib/util/fault.c:75(fault_report)
> > ===============================================================
> > [2012/08/28 12:21:38, 0] ../lib/util/fault.c:144(smb_panic_default)
> > PANIC: internal error
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1509 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1508 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1507 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1506 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1505 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1504 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1503 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1502 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1501 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1499 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1497 on SIGTERM
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:115(sig_term)
> > SIGTERM: killing children
> > [2012/08/28 12:29:00, 0] ../source4/smbd/server.c:120(sig_term)
> > Exiting pid 1045 on SIGTERM
> > [2012/08/28 13:16:37, 0]
> > ../source4/smbd/server.c:369(binary_smbd_main)
> > samba version 4.0.0beta7 started.
> > Copyright Andrew Tridgell and the Samba Team 1992-2012
> > [2012/08/28 13:16:37, 0]
> > ../source4/smbd/server.c:475(binary_smbd_main)
> > samba: using 'standard' process model
> > [2012/08/28 13:16:39, 0] ../lib/util/fault.c:72(fault_report)
> >
> > So we had to go back to beta6 and now it's once again online. Next
> > step would be to install beta7 from scratch using a clean database
> > in order to see if the problem is the beta release or our
> > database. Any suggestions?

> If your database can make us segfault, then please get us the details
> of
> the fault (the backtrace).

> Andrew Bartlett

> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org


More information about the samba-technical mailing list