Moving from beta/test environment to production

Dieter Modig dieter.m at inputinterior.se
Wed Jan 2 05:05:05 MST 2013


----- Original message -----

> From: "Andrew Bartlett" <abartlet at samba.org>
> To: "Dieter Modig" <dieter.m at inputinterior.se>
> Cc: samba-technical at lists.samba.org
> Sent: Wednesday, 2 Jan 2013 11:31:43
> Subject: Re: Moving from beta/test environment to production

> On Wed, 2013-01-02 at 10:46 +0100, Dieter Modig wrote:
> > Hi!
> >
> > I hope you all got a well deserved rest during the holidays! :)
> >
> > We decided this would be a good time to upgrade to the official Samba4
> > release. Everything but GPOs seem to be working after the upgrade. We
> > don't see any difference in the behaviour :( Can't create new GPO but
> > can edit the existing ones. Attempt to create a GPO with samba-tool
> > gave the following error "ERROR(runtime): uncaught exception -
> > (-1073741565, 'NT_STATUS_NOT_A_DIRECTORY')".
> >
> > We gathered from previous responses to this thread that attempting to
> > get another DC as master was not likely to succeed. Is there any way
> > to revert to default with policies and get a fresh start? We can
> > export the GPO:s we have today and then scrap them all and reset all
> > permissions on files and database. Would that be a viable solution?

> What happens if you do exactly that with the windows group policy
> tool?

Umm... haven't tried that... yet. 

> Have you already run 'samba-tool ntacl sysvolreset'?

Hmm... we did do that at an earlier point and just to make sure I tried it again and actually ran into something interesting. The "samba-tool ntacl sysvolcheck" claims to find problems 
"ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/input.se/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object" 

but I can't run sysvolreset due to permissions 
"/usr/local/samba/bin/samba-tool ntacl sysvolreset" returns 
"set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_ACCESS_DENIED. 
ERROR(runtime): uncaught exception - (-1073741790, 'Access denied') " 

I can't find any way to give domain admin access (-U and --username) for the command either. Should there be?

> Is there any more detail in the logs?
Can't find any more info in any of the logs (associated to this at least). 

/Dieter 
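
Added example, not part of the original message and not Samba's own code: a small Python parser that splits the two SDDL strings from the sysvolcheck error quoted above into owner, group, DACL and SACL, and reports which components differ. It assumes plain (non-conditional) ACEs, and the function names `parse_sddl` and `diff_sddl` are hypothetical.

```python
import re

# SDDL strings copied from the sysvolcheck error quoted in the message above.
EXPECTED = (
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
    "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001200a9;;;ED)"
)
DB_ACL = EXPECTED + (
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

def parse_sddl(sddl):
    """Return owner, group, and (flags, [ACE strings]) for the DACL and SACL."""
    parsed = {"O": "", "G": "", "D": ("", []), "S": ("", [])}
    # Components are introduced by O:, G:, D: or S:. Nothing else in a plain
    # ACE contains a colon, so splitting on the marker is safe (assumption:
    # no conditional ACEs).
    tokens = re.split(r"([OGDS]):", sddl)[1:]
    for marker, body in zip(tokens[0::2], tokens[1::2]):
        if marker in "OG":
            parsed[marker] = body
        else:
            flags = body.split("(", 1)[0]   # e.g. "P" or "AI"
            parsed[marker] = (flags, re.findall(r"\(([^)]*)\)", body))
    return parsed

def diff_sddl(actual, expected):
    """Report only the components in which the two descriptors differ."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = {}
    for key in ("O", "G"):
        if a[key] != e[key]:
            report[key] = (a[key], e[key])
    for key in ("D", "S"):
        (a_flags, a_aces), (e_flags, e_aces) = a[key], e[key]
        extra = [x for x in a_aces if x not in e_aces]
        missing = [x for x in e_aces if x not in a_aces]
        if a_flags != e_flags or extra or missing:
            report[key] = {"flags": (a_flags, e_flags),
                           "extra": extra, "missing": missing}
    return report

if __name__ == "__main__":
    for component, detail in diff_sddl(DB_ACL, EXPECTED).items():
        print(component, detail)
```

For the two strings in the error, owner, group and DACL are identical; the only reported difference is the `S:AI(...)` SACL with two object-audit ACEs that the on-disk descriptor carries and the expected value does not.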

