RC2 error on samba-tool ntacl sysvolreset
Gémes Géza
geza at kzsdabas.hu
Tue Oct 2 12:36:24 MDT 2012
Hi,
> Hi,
>
> Today I've upgraded our school's (production) Samba4 DC from
> BETA6_GIT_4631723 (already s3fs) to RC2.
> As stated in the WHATSNEW, I ran samba-tool ntacl sysvolreset
> (previously I had some Windows error messages about incorrect
> ownership of GPOs).
> First I tried while samba was still stopped, which gave:
>
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
> ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 168, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 214, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1401, in set_gpos_acl
>     str(domainsid), use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1368, in set_dir_acl
>     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 108, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
>
> Thinking that without a running samba it is unable to look up
> names/SIDs to uids/gids (I have a working nsswitch.conf with winbind;
> I've copied libnss_winbind.so and libnss_wins.so to /lib/...),
> I started samba.
> Then samba-tool ntacl sysvolreset yielded:
>
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
> ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 168, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 214, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1401, in set_gpos_acl
>     str(domainsid), use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1368, in set_dir_acl
>     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 108, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
>
> which seems to be the same.
>
> Sorry for being such a noob, but ntacl.py is unknown territory for
> me.
>
> Cheers
>
> Geza
After some more trial and error I decided to delete my idmap.ldb
(already having idmap_ldb:use rfc2307 = yes set by classicupgrade),
which I did after stopping samba. As a result, the error message changed to:
ERROR(<class 'passdb.error'>): uncaught exception - Unable to get id for sid
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 201, in run
    (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
This suggests an incomplete SID-to-xid translation. Looking at the
sysvol folder with getfacl:
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: adm
# flags: -s-
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000005:r-x
group:3000007:r-x
group:3000008:rwx
mask::rwx
other::---
My (local) adm group has the same gidNumber as the Domain Admins group,
but I don't know which groups the remaining numeric group entries correspond to.
samba-tool ntacl get /usr/local/samba/var/locks/sysvol shows:
security_descriptor: struct security_descriptor
revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
type : 0x8004 (32772)
0: SEC_DESC_OWNER_DEFAULTED
0: SEC_DESC_GROUP_DEFAULTED
1: SEC_DESC_DACL_PRESENT
0: SEC_DESC_DACL_DEFAULTED
0: SEC_DESC_SACL_PRESENT
0: SEC_DESC_SACL_DEFAULTED
0: SEC_DESC_DACL_TRUSTED
0: SEC_DESC_SERVER_SECURITY
0: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_SACL_AUTO_INHERIT_REQ
0: SEC_DESC_DACL_AUTO_INHERITED
0: SEC_DESC_SACL_AUTO_INHERITED
0: SEC_DESC_DACL_PROTECTED
0: SEC_DESC_SACL_PROTECTED
0: SEC_DESC_RM_CONTROL_VALID
1: SEC_DESC_SELF_RELATIVE
owner_sid : *
owner_sid : S-1-22-1-0
group_sid : *
group_sid : S-1-5-21-2107120446-224765601-1821260193-512
sacl : NULL
dacl : *
dacl: struct security_acl
revision : SECURITY_ACL_REVISION_NT4 (2)
size : 0x0118 (280)
num_aces : 0x0000000b (11)
aces: ARRAY(11)
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0018 (24)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-22-1-0
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0018 (24)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-22-2-3000008
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0018 (24)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-22-2-3000007
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0018 (24)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-22-2-3000005
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-21-2107120446-224765601-1821260193-512
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-21-2107120446-224765601-1821260193-512
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0018 (24)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-22-1-0
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00080000 (524288)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-1-0
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001e01ff (1966591)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-0
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-1
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-1-0
Thank you for any idea!
Cheers
Geza Gemes
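Added illustration (not part of the message above, and not Samba's own code): a small Python decoder for the `samba-tool ntacl get` dump format shown in the post. It names the trustees as far as that is possible offline (S-1-22-1-<uid> and S-1-22-2-<gid> are Samba's "Unix User"/"Unix Group" SID namespaces, used for POSIX ids that have no mapping to a domain SID; S-1-1-0, S-1-3-0 and S-1-3-1 are Everyone, CREATOR OWNER and CREATOR GROUP; RID 512 under the domain SID is Domain Admins), spells out the access masks and inheritance flags, and collects the raw POSIX ids so they can be looked up with wbinfo. The dump embedded as `SAMPLE` is a constructed excerpt in the archive's wrapped layout; the wbinfo flags (`--uid-to-sid`, `--gid-to-sid`, `--sid-to-name`) are real, but the lookup assumes winbind is running and `wbinfo` is on PATH, and the script name `ntacl_decode.py` in the usage comment is a placeholder.

```python
"""Decode a `samba-tool ntacl get` dump (added example, not Samba code)."""
import re
import shutil
import subprocess

WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER", "S-1-3-1": "CREATOR GROUP"}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
               516: "Domain Controllers", 519: "Enterprise Admins"}
MASK_BITS = [(0x0001, "FILE_READ_DATA"), (0x0002, "FILE_WRITE_DATA"), (0x0004, "FILE_APPEND_DATA"),
             (0x0008, "FILE_READ_EA"), (0x0010, "FILE_WRITE_EA"), (0x0020, "FILE_EXECUTE"),
             (0x0040, "FILE_DELETE_CHILD"), (0x0080, "FILE_READ_ATTRIBUTES"),
             (0x0100, "FILE_WRITE_ATTRIBUTES"), (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"),
             (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE")]
NAMED_MASKS = {0x001f01ff: "Full Control", 0x001301bf: "Modify", 0x001200a9: "Read & Execute"}
ACE_FLAG_BITS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "INHERITED")]
# S-1-22-1-<uid> / S-1-22-2-<gid>: Samba's "Unix User"/"Unix Group" SIDs for unmapped POSIX ids.
UNIX_SID = re.compile(r"S-1-22-([12])-(\d+)")
ACE_RE = re.compile(r"type : (SEC_ACE_TYPE_\w+) \(\d+\) flags : 0x([0-9a-f]+) .*? "
                    r"access_mask : 0x([0-9a-f]+) .*? trustee : (S-[\d-]+)")

def describe_sid(sid):
    """Name a SID as far as that is possible without asking the domain."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = UNIX_SID.fullmatch(sid)
    if m:
        return ("Unix user uid " if m.group(1) == "1" else "Unix group gid ") + m.group(2)
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if m:  # domain SID + RID; only the fixed RIDs can be named offline
        name = DOMAIN_RIDS.get(int(m.group(2)))
        return ("%s, " % name if name else "") + "RID %s of %s" % (m.group(2), m.group(1))
    return sid

def describe_mask(mask):
    """Windows UI name for the common masks, otherwise the individual rights."""
    return NAMED_MASKS.get(mask) or "|".join(n for b, n in MASK_BITS if mask & b) or "none"

def describe_flags(flags):
    return "|".join(n for b, n in ACE_FLAG_BITS if flags & b) or "none"

def parse_ntacl(dump):
    """Parse the ndr_print-style dump; collapsing whitespace undoes the mail wrapping."""
    flat = " ".join(dump.split())
    owner = re.search(r"owner_sid : (S-[\d-]+)", flat)   # skips the "owner_sid : *" pointer line
    group = re.search(r"group_sid : (S-[\d-]+)", flat)
    aces = [{"type": t, "flags": int(f, 16), "mask": int(m, 16), "trustee": s}
            for t, f, m, s in ACE_RE.findall(flat)]
    return {"owner": owner and owner.group(1), "group": group and group.group(1), "aces": aces}

def unix_id_trustees(acl):
    """Sorted (kind, id) pairs for every owner/group/trustee that is a raw POSIX id."""
    found = set()
    for sid in [acl["owner"], acl["group"]] + [a["trustee"] for a in acl["aces"]]:
        m = UNIX_SID.fullmatch(sid or "")
        if m:
            found.add(("uid" if m.group(1) == "1" else "gid", int(m.group(2))))
    return sorted(found)

def resolve_with_wbinfo(kind, xid):
    """Ask winbind (assumed running) for the SID and name behind a uid/gid; None if unknown."""
    if not shutil.which("wbinfo"):
        return None
    r = subprocess.run(["wbinfo", "--%s-to-sid=%d" % (kind, xid)], capture_output=True, text=True)
    if r.returncode != 0:
        return None
    sid = r.stdout.strip()
    n = subprocess.run(["wbinfo", "--sid-to-name=" + sid], capture_output=True, text=True)
    return sid, (n.stdout.strip() if n.returncode == 0 else None)

# Constructed excerpt in the mailing-list archive's wrapped layout (flag-bit lines omitted).
SAMPLE = """\
owner_sid : *
owner_sid : S-1-22-1-0
group_sid :
S-1-5-21-2107120446-224765601-1821260193-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
access_mask : 0x001f01ff (2032127)
trustee : S-1-22-2-3000008
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
access_mask : 0x001f01ff (2032127)
trustee :
S-1-5-21-2107120446-224765601-1821260193-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
access_mask : 0x001e01ff (1966591)
trustee : S-1-3-0
"""

if __name__ == "__main__":  # e.g.  samba-tool ntacl get /path/to/sysvol | python3 ntacl_decode.py
    import sys
    acl = parse_ntacl(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    for a in acl["aces"]:
        print(describe_flags(a["flags"]), describe_mask(a["mask"]), describe_sid(a["trustee"]))
    print("raw POSIX ids:", [(k, x, resolve_with_wbinfo(k, x)) for k, x in unix_id_trustees(acl)])
```

Run against the dump in the post, the decoder reports the owner as Unix user uid 0 and the three r-x/rwx group ACEs as Unix group gids 3000005, 3000007 and 3000008, which are the same numeric entries getfacl printed; the `--gid-to-sid` lookup is what turns those numbers into names once winbind can map them.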