ntacl sysvolreset fails: no such file or directory

Daniele Dario d.dario76 at gmail.com
Thu Oct 11 02:36:06 MDT 2012


Hi Pekka,

On Wed, 2012-10-10 at 20:01 +0300, Pekka L.J. Jalkanen wrote:
> In August I wrote on this list that for my organisation, Samba 4 is now
> working (see
> https://lists.samba.org/archive/samba-technical/2012-August/085972.html).
> 
> Unfortunately, it actually turned out later on that there still were
> some authentication problems, but since I was busy with other
> priorities, I didn't have the time to investigate things further, and
> had to simply turn off our Samba 4 box for a while.
> 
> However, about the time RC1 was released, I finally found time to try
> again, so I upgraded to it, and the authentication problems were
> actually gone; authentication is not an issue any more, and our Samba 4
> DC has now collected miles without any major interruptions since 27/9.
> 
> Alas, there still remains a problem: samba-tool ntacl sysvolreset, the
> command that release notes for the RC1 instructed everyone to run after
> upgrading, doesn't work; it also seems that the directory structure
> required for group policies has never been created. If I run the
> command, I'll consistently get the following error:
> 
> root@samba4dc:~# samba-tool ntacl sysvolreset
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> line 168, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/ntacl.py",
> line 214, in run
>     lp, use_ntvfs=use_ntvfs)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py",
> line 1462, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> use_ntvfs)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py",
> line 1390, in set_gpos_acl
>     setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid),
> use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/ntacls.py",
> line 108, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
> 
> At first I was quite baffled by this as I'd no idea *which* file or
> directory was missing, but later on, after I rebooted our W2k3R2 DC, its
> DFS calls apparently got directed to Samba 4 DC (finally reboots without
> total loss of directory services; thanks Samba!), and I got the
> following output to Windows' application event log:
> 
> Event ID 1058: Windows cannot access the file gpt.ini for GPO
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=site.
> The file must be present at the location
> <\\mydomain.site\sysvol\mydomain.site\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> (The system cannot find the path specified. ). Group Policy processing
> aborted.
> 
> And subsequently:
> 
> Event ID 1030: Windows cannot access the file gpt.ini for GPO
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=site.
> The file must be present at the location
> <\\mydomain.site\sysvol\mydomain.site\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> (The system cannot find the path specified. ). Group Policy processing
> aborted.
> 
> The messages were being repeated every five minutes, and stopped right
> away when I stopped Samba 4 for a moment, which obviously forced the
> W2kR2 DC to search its own copy for GPT objects.
> 
> After that I realised that the missing file or directory that Samba is
> complaining about must be something that should be located under Samba's
> sysvol directory. I checked it out, and found out that the only
> subdirectory that did exist under var/locks/sysvol/mydomain.site was
> scripts. I.e. the Policies directory didn't exist at all. In Windows it
> did exist and also had two subdirectories.
> 
> I tried to create it manually and re-run sysvolreset, but to no avail.
> Upgrading RC1 to RC2 didn't help either.
> 
> Could anyone give me an idea what I should do to fix the sysvol directory?
> 
> In case this is just some kind of a replication problem, I'll post the
> following:
> 
> root@samba4dc:~# samba-tool drs showrepl
> Default-First-Site-Name\SAMBA4DC
> DSA Options: 0x00000001
> DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
> DSA invocationId: 397a9790-2e97-4309-9a33-478df9a26700
> 
> ==== INBOUND NEIGHBORS ====
> 
> ==== OUTBOUND NEIGHBORS ====
> 
> ==== KCC CONNECTION OBJECTS ====
> 
> Connection --
> 	Connection name: cf874bd9-81d6-44d1-b37f-08e241718cbd
> 	Enabled        : TRUE
> 	Server DNS name : w2k3r2dc.mydomain.site
> 	Server DN name  : CN=NTDS
> Settings,CN=W2K3R2DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site
> 		TransportType: RPC
> 		options: 0x00000001
> Warning: No NC replicated for Connection!
> 
> I have to say that I don't really understand these messages all that
> well. But most objects, like users and OUs seem to replicate perfectly well.
> 
> If I run this with the W2kR2 DC's full name as an argument, it
> doesn't succeed completely. I don't know if I should be worried about that:
> 
> root@samba4dc:~# samba-tool drs showrepl w2k3r2dc.mydomain.site
> Default-First-Site-Name\W2K3R2DC
> DSA Options: 0x00000001
> DSA object GUID: b3157fd4-db4b-429d-9609-f18d7dba64fc
> DSA invocationId: b3157fd4-db4b-429d-9609-f18d7dba64fc
> 
> ==== INBOUND NEIGHBORS ====
> 
> DC=mydomain,DC=site
> 	Default-First-Site-Name\SAMBA4DC via RPC
> 		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
> 		Last attempt @ Wed Oct 10 18:53:41 2012 EEST was successful
> 		0 consecutive failure(s).
> 		Last success @ Wed Oct 10 18:53:41 2012 EEST
> 
> CN=Configuration,DC=mydomain,DC=site
> 	Default-First-Site-Name\SAMBA4DC via RPC
> 		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
> 		Last attempt @ Wed Oct 10 18:53:41 2012 EEST was successful
> 		0 consecutive failure(s).
> 		Last success @ Wed Oct 10 18:53:41 2012 EEST
> 
> CN=Schema,CN=Configuration,DC=mydomain,DC=site
> 	Default-First-Site-Name\SAMBA4DC via RPC
> 		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
> 		Last attempt @ Wed Oct 10 18:53:42 2012 EEST was successful
> 		0 consecutive failure(s).
> 		Last success @ Wed Oct 10 18:53:42 2012 EEST
> 
> ==== OUTBOUND NEIGHBORS ====
> 
> DC=mydomain,DC=site
> 	Default-First-Site-Name\SAMBA4DC via RPC
> 		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
> 		Last attempt @ NTTIME(0) was successful
> 		0 consecutive failure(s).
> 		Last success @ NTTIME(0)
> 
> CN=Configuration,DC=mydomain,DC=site
> 	Default-First-Site-Name\SAMBA4DC via RPC
> 		DSA object GUID: 06dfbcf0-1efe-4613-9fbc-4329abd5de54
> 		Last attempt @ NTTIME(0) was successful
> 		0 consecutive failure(s).
> 		Last success @ NTTIME(0)
> 
> CN=Schema,CN=Configuration,DC=mydomain,DC=site
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception -
> 'NoneType' object has no attribute 'split'
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> line 168, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line
> 158, in run
>     self.print_neighbour(n)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line
> 99, in print_neighbour
>     (site, server) = drs_parse_ntds_dn(n.source_dsa_obj_dn)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line
> 71, in drs_parse_ntds_dn
>     a = ntds_dn.split(',')
> 
> Thanks to anyone who can help, and hope the team finds some use for this
> information as well.
> 
> Pekka

From what I know, sysvol replication is present in neither rc1 nor
rc2.

Having a look into the Python scripts involved in the ntacl sysvolreset
command, you can see that it calls set_gpo_acl (look into
samba4/samba-master/source4/scripting/python/samba/provision/__init__.py),
which expects the presence of the Policy folder (and subfolders).

During a join (not on the provisioned DC) it seems that the Policies
folder is not created.
The missing sysvol replication implies that the Policies branch is also
missing, and the script would fail.

The workaround I've found was to copy the sysvol content from the
primary DC to the joined one (using rsync or some other way). Then
samba-tool ntacl sysvolreset didn't fail.

You can also try creating only the Policies folder and see if it's
enough.

HTH,
Daniele.
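
A pre-flight check for the situation discussed in this thread, added here as an example; it is not part of the original post and not Samba code. The helper name `check_sysvol` is hypothetical, and the GPO GUIDs to look for are supplied by the caller (the one in the usage comment is the GUID from the quoted event log):

```shell
#!/bin/sh
# Added example: verify that a joined DC's sysvol tree has the pieces that
# "samba-tool ntacl sysvolreset" and Windows clients expect, before running it.
# check_sysvol is a hypothetical helper, not a Samba command.
#
# usage: check_sysvol <sysvol-domain-dir> <{GPO-GUID}>...
#   e.g. check_sysvol var/locks/sysvol/mydomain.site \
#            '{31B2F340-016D-11D2-945F-00C04FB984F9}'
# Prints one "MISSING: <path>" line per absent item; returns 0 only if all exist.
check_sysvol() {
    domain_dir=$1
    shift
    missing=0

    if [ ! -d "$domain_dir" ]; then
        echo "MISSING: $domain_dir"
        return 1
    fi

    # The Policies directory is the one reported absent on the joined DC.
    policies=$(find "$domain_dir" -mindepth 1 -maxdepth 1 -type d -iname Policies | head -n 1)
    if [ -z "$policies" ]; then
        echo "MISSING: $domain_dir/Policies"
        return 1
    fi

    for guid in "$@"; do
        gpo_dir=$(find "$policies" -mindepth 1 -maxdepth 1 -type d -iname "$guid" | head -n 1)
        if [ -z "$gpo_dir" ]; then
            echo "MISSING: $policies/$guid"
            missing=1
            continue
        fi
        # Files copied from a Windows DC may be named GPT.INI; match either case.
        if [ -z "$(find "$gpo_dir" -mindepth 1 -maxdepth 1 -type f -iname gpt.ini)" ]; then
            echo "MISSING: $gpo_dir/gpt.ini"
            missing=1
        fi
    done
    return "$missing"
}
```
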


