Moving from beta/test environment to production

Dieter Modig dieter.m at inputinterior.se
Wed Jan 2 08:14:46 MST 2013


----- Original message -----

> From: "Andrew Bartlett" <abartlet at samba.org>
> To: "Dieter Modig" <dieter.m at inputinterior.se>
> Cc: samba-technical at lists.samba.org
> Sent: Wednesday, 2 Jan 2013 13:18:27
> Subject: Re: Moving from beta/test environment to production

> On Wed, 2013-01-02 at 13:05 +0100, Dieter Modig wrote:
> > ----- Original message -----
> >
> > > From: "Andrew Bartlett" <abartlet at samba.org>
> > > To: "Dieter Modig" <dieter.m at inputinterior.se>
> > > Cc: samba-technical at lists.samba.org
> > > Sent: Wednesday, 2 Jan 2013 11:31:43
> > > Subject: Re: Moving from beta/test environment to production
> >
> > > On Wed, 2013-01-02 at 10:46 +0100, Dieter Modig wrote:
> > > > Hi!
> > > >
> > > > I hope you all got a well deserved rest during the holidays! :)
> > > >
> > > > We decided this would be a good time to upgrade to the official
> > > > Samba4 release. Everything but GPOs seem to be working after the
> > > > upgrade. We don't see any difference in the behaviour :( Can't
> > > > create new GPO but can edit the existing ones. Attempt to create
> > > > a GPO with samba-tool gave the following error "ERROR(runtime):
> > > > uncaught exception - (-1073741565, 'NT_STATUS_NOT_A_DIRECTORY')".
> > > >
> > > > We gathered from previous responses to this thread that attempting
> > > > to get another DC as master was not likely to succeed. Is there
> > > > any way to revert to default with policies and get a fresh start?
> > > > We can export the GPO:s we have today and then scrap them all and
> > > > reset all permissions on files and database. Would that be a
> > > > viable solution?
> >
> > > What happens if you do exactly that with the windows group policy
> > > tool?
> >
> > Umm... haven't tried that... yet.
> >
> > > Have you already run 'samba-tool ntacl sysvolreset'?
> >
> > Hmm... we did do that at an earlier point and just to make sure I
> > tried it again and actually ran into something interesting. The
> > "samba-tool ntacl sysvolcheck" claims to find problems
> > "ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> > exception - ProvisioningError: DB ACL on GPO
> > directory
> > /usr/local/samba/var/locks/sysvol/input.se/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> > O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> > does not match expected value
> > O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > from GPO object"

> That's odd, I thought I had the sysvolcheck tool set to ignore the
> SACL. Either way, this looks OK, but I guess we don't know if all the
> later ACLs are correct.

> > but I can't run sysvolreset due to permissions
> > "/usr/local/samba/bin/samba-tool ntacl sysvolreset" returns
> > "set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_ACCESS_DENIED.
> > ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
> > "
> >
> > I can't find any way to give domain admin access (-U and
> > --username) for the command either. Should there be?

> No, but this tool should run as root.

> > > Is there any more detail in the logs?
> > Can't find any more info in any of the logs (associated to this at
> > least).

> Set 'log level = 10' (or 5, if 10 is just too much) in the smb.conf
> and retry is the only suggestion I have.

Log level 5 gives some potential clues: 
I get several attempts like this one: 
Finding user Administrator 
Trying _Get_Pwnam(), username as lowercase is administrator 
Trying _Get_Pwnam(), username as given is Administrator 
Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR 
Checking combinations of 0 uppercase letters in administrator 
Get_Pwnam_internals didn't find user [Administrator]! 

ending in the following: 
set_canon_ace_list: sys_acl_set_file type file failed for file /usr/local/samba/var/locks/sysvol (Operation not supported). 
convert_canon_ace_to_posix_perms: Too many ACE entries for file /usr/local/samba/var/locks/sysvol to convert to posix perms. 
set_nt_acl: failed to convert file acl to posix permissions for file /usr/local/samba/var/locks/sysvol. 
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_ACCESS_DENIED. 
ERROR(runtime): uncaught exception - (-1073741790, 'Access denied') 

I hesitate to post the entire log entry here since it's rather big, but the above lines seem related to the problems.

We do however have an "Administrator" account so it's strange it does not find it. 

/Dieter 
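
The SDDL comparison behind the sysvolcheck error quoted above, as an added example (not part of the original message and not Samba's own code): it splits the two descriptors from the error into owner, group, DACL and SACL and reports which components differ, which is the check implied by "set to ignore the SACL". The function names are hypothetical; the ACL text is copied from the error message.

```python
import re
from collections import Counter

# DACL and SACL text copied from the sysvolcheck error quoted in the message.
DACL = ("P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
SACL = ("AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
        "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
        "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
        "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
EXPECTED = "O:DAG:DUD:" + DACL   # "expected value ... from GPO object"
DB_ACL = EXPECTED + "S:" + SACL  # "DB ACL on GPO directory"


def split_sddl(sddl):
    """Return {'O': owner, 'G': group, 'D': dacl, 'S': sacl} for the parts present."""
    marks, depth = [], 0
    for i, ch in enumerate(sddl):
        depth += (ch == "(") - (ch == ")")
        # A component tag is O, G, D or S directly before ':' outside any ACE.
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            marks.append(i)
    marks.append(len(sddl))
    return {sddl[a]: sddl[a + 2:b] for a, b in zip(marks, marks[1:])}


def aces(component):
    """List the ACE strings of a DACL or SACL component, flags dropped."""
    return re.findall(r"\(([^)]*)\)", component)


def differing_components(a, b):
    """Tags (in O, G, D, S order) whose text differs between two descriptors."""
    pa, pb = split_sddl(a), split_sddl(b)
    return [t for t in "OGDS" if pa.get(t) != pb.get(t)]


def duplicate_aces(component):
    """ACEs that occur more than once in a single ACL component."""
    return [ace for ace, n in Counter(aces(component)).items() if n > 1]


if __name__ == "__main__":
    print("components that differ:", differing_components(DB_ACL, EXPECTED))
    print("DACL ACEs:", len(aces(split_sddl(DB_ACL)["D"])))
    print("repeated DACL ACEs:", duplicate_aces(split_sddl(DB_ACL)["D"]))
```
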

