ntacl sysvolreset fails: no such file or directory

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Wed Oct 10 11:01:59 MDT 2012


In August I wrote on this list that for my organisation, Samba 4 is now
working (see
https://lists.samba.org/archive/samba-technical/2012-August/085972.html).

Unfortunately, it actually turned out later on that there still were
some authentication problems, but since I was busy with other
priorities, I didn't have the time to investigate things further, and
had to simply turn off our Samba 4 box for a while.

However, about the time RC1 was released, I finally found time to try
again, so I upgraded to it, and the authentication problems were
actually gone; authentication is not an issue any more, and our Samba 4
DC has now collected miles without any major interruptions since 27/9.

Alas, there still remains a problem: samba-tool ntacl sysvolreset, the
command that the release notes for RC1 instructed everyone to run after
upgrading, doesn't work; it also seems that the directory structure
required for group policies has never been created. If I run the
command, I consistently get the following error:

root@samba4dc:~# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/ntacl.py", line 214, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1390, in set_gpos_acl
    setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/ntacls.py", line 108, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

At first I was quite baffled by this as I'd no idea *which* file or
directory was missing, but later on, after I rebooted our W2k3R2 DC, its
DFS calls apparently got directed to Samba 4 DC (finally reboots without
total loss of directory services; thanks Samba!), and I got the
following output to Windows' application event log:

Event ID 1058: Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=site.
The file must be present at the location
<\\mydomain.site\sysvol\mydomain.site\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(The system cannot find the path specified. ). Group Policy processing
aborted.

And subsequently:

Event ID 1030: Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=site.
The file must be present at the location
<\\mydomain.site\sysvol\mydomain.site\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(The system cannot find the path specified. ). Group Policy processing
aborted.

The messages were being repeated every five minutes, and stopped right
away when I stopped Samba 4 for a moment, which obviously forced the
W2k3R2 DC to search its own copy for GPT objects.

After that I realised that the missing file or directory that Samba is
complaining about must be something that should be located under Samba's
sysvol directory. I checked it out, and found out that the only
subdirectory that did exist under var/locks/sysvol/mydomain.site was
scripts. I.e. the Policies directory didn't exist at all. In Windows it
did exist and also had two subdirectories.

I tried to create it manually and re-run sysvolreset, but to no avail.
Upgrading RC1 to RC2 didn't help either.

Could anyone give me an idea what I should do to fix the sysvol directory?

In case this is just some kind of a replication problem, I'll post the
following:

root@samba4dc:~# samba-tool drs showrepl
Default-First-Site-Name\SAMBA4DC
DSA Options: 0x00000001
DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
DSA invocationId: 397a9790-2e97-4309-9a33-478df9a26700

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
	Connection name: cf874bd9-81d6-44d1-b37f-08e241718cbd
	Enabled        : TRUE
	Server DNS name : w2k3r2dc.mydomain.site
	Server DN name  : CN=NTDS Settings,CN=W2K3R2DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site
		TransportType: RPC
		options: 0x00000001
Warning: No NC replicated for Connection!

I have to say that I don't really understand these messages all that
well. But most objects, like users and OUs seem to replicate perfectly well.

If I run this with the W2k3R2 DC's full name as an argument, it
doesn't succeed completely. I don't know if I should be worried about that:

root@samba4dc:~# samba-tool drs showrepl w2k3r2dc.mydomain.site
Default-First-Site-Name\W2K3R2DC
DSA Options: 0x00000001
DSA object GUID: b3157fd4-db4b-429d-9609-f18d7dba64fc
DSA invocationId: b3157fd4-db4b-429d-9609-f18d7dba64fc

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=site
	Default-First-Site-Name\SAMBA4DC via RPC
		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
		Last attempt @ Wed Oct 10 18:53:41 2012 EEST was successful
		0 consecutive failure(s).
		Last success @ Wed Oct 10 18:53:41 2012 EEST

CN=Configuration,DC=mydomain,DC=site
	Default-First-Site-Name\SAMBA4DC via RPC
		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
		Last attempt @ Wed Oct 10 18:53:41 2012 EEST was successful
		0 consecutive failure(s).
		Last success @ Wed Oct 10 18:53:41 2012 EEST

CN=Schema,CN=Configuration,DC=mydomain,DC=site
	Default-First-Site-Name\SAMBA4DC via RPC
		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
		Last attempt @ Wed Oct 10 18:53:42 2012 EEST was successful
		0 consecutive failure(s).
		Last success @ Wed Oct 10 18:53:42 2012 EEST

==== OUTBOUND NEIGHBORS ====

DC=mydomain,DC=site
	Default-First-Site-Name\SAMBA4DC via RPC
		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

CN=Configuration,DC=mydomain,DC=site
	Default-First-Site-Name\SAMBA4DC via RPC
		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mydomain,DC=site
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'NoneType' object has no attribute 'split'
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 158, in run
    self.print_neighbour(n)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 99, in print_neighbour
    (site, server) = drs_parse_ntds_dn(n.source_dsa_obj_dn)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 71, in drs_parse_ntds_dn
    a = ntds_dn.split(',')

Thanks to anyone who can help, and I hope the team finds some use for this
information as well.

Pekka
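
Added example, not part of the original post and not Samba code: the bare "No such file or directory" from sysvolreset does not name the missing path, so this sketch takes the UNC path from the Event ID 1058 text, maps it onto a local sysvol directory, and reports the topmost component that does not exist. The function names and the temporary directory layout are assumptions made for illustration; the event text is the one quoted above, unwrapped.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample: the Event ID 1058 text quoted in the post, unwrapped.
EVENT_1058 = (
    r"Windows cannot access the file gpt.ini for GPO "
    r"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,"
    r"DC=mydomain,DC=site. The file must be present at the location "
    r"<\\mydomain.site\sysvol\mydomain.site\Policies"
    r"\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>."
)
UNC_RE = re.compile(r"<(\\\\[^>]+)>")


def unc_to_local(event_text, sysvol_root):
    """Map the UNC path named in the event to a path under the local sysvol."""
    m = UNC_RE.search(event_text)
    if m is None:
        raise ValueError("no UNC path in event text")
    unc = PureWindowsPath(m.group(1))
    # unc.drive is \\server\share; parts[1:] are relative to the share root.
    if not unc.drive.lower().endswith("\\sysvol"):
        raise ValueError("path is not on the sysvol share")
    rel = unc.parts[1:]
    if ".." in rel:
        raise ValueError("refusing path that climbs out of sysvol")
    return Path(sysvol_root).joinpath(*rel)


def first_missing(path):
    """Return the topmost component of `path` that does not exist, else None."""
    for p in [*reversed(path.parents), path]:
        if not p.exists():
            return p
    return None


def demo():
    # Constructed layout matching the post: only "scripts" exists at first.
    with tempfile.TemporaryDirectory() as tmp:
        sysvol = Path(tmp) / "sysvol"
        (sysvol / "mydomain.site" / "scripts").mkdir(parents=True)
        target = unc_to_local(EVENT_1058, sysvol)
        before = first_missing(target).relative_to(sysvol).as_posix()
        (sysvol / "mydomain.site" / "Policies").mkdir()  # manual mkdir
        after = first_missing(target).relative_to(sysvol).as_posix()
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real DC, pass the actual sysvol directory as `sysvol_root` and run `first_missing` on the result for each GPO the event log names.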

