[Samba] FreeBSD problems with sysvol and share Acls

Cesar DiMartino cesardimartino at gmail.com
Wed Jul 16 08:06:55 MDT 2014


I am having lots of problems with a restored-from-backup installation of
Samba 4.1.9 on FreeBSD: I cannot use Windows tools to assign permissions to
shares, and now have a problem creating a GPO. With log level 10 this is the
output:


root@BSD:/home # samba-tool gpo create testgpo
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[bkp]"
Processing section "[home]"
pm_process() returned Yes
ldb: ldb_trace_request: SEARCH
 dn: @MODULES
 scope: base
 expr: (@LIST=*)
 attr: @LIST
 control: <NONE>

ldb: ldb_trace_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0x81c1c520

ldb: Added timed event "ltdb_timeout": 0x81c1c5e0

ldb: Running timer event 0x81c1c520 "ltdb_callback"

ldb: ldb_trace_response: ENTRY
dn: @MODULES
@LIST: samba_secrets



ldb: Destroying timer event 0x81c1c5e0 "ltdb_timeout"

ldb: Ending timer event 0x81c1c520 "ltdb_callback"

ldb: ldb_trace_request: REGISTER_CONTROL
1.2.840.113556.1.4.1413
 control: <NONE>

ldb: ldb_asprintf/set_errstring: unable to find module or backend to handle operation: request
ldb: ldb_trace_request: SEARCH
 dn: <rootDSE>
 scope: base
 expr: (objectClass=*)
 attr: rootDomainNamingContext
 attr: configurationNamingContext
 attr: schemaNamingContext
 attr: defaultNamingContext
 control: <NONE>

ldb: ldb_trace_request: (rdn_name)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0x81c1c8e0

ldb: Added timed event "ltdb_timeout": 0x81c1c9a0

ldb: Running timer event 0x81c1c8e0 "ltdb_callback"

ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
ldb: Destroying timer event 0x81c1c9a0 "ltdb_timeout"

ldb: Ending timer event 0x81c1c8e0 "ltdb_callback"

ldb_wrap open of secrets.ldb
ldb: ldb_trace_request: SEARCH
 dn: cn=Primary Domains
 scope: sub
 expr: (&(flatname=DONNET)(objectclass=primaryDomain))
 attr: <ALL>
 control: <NONE>

ldb: ldb_trace_request: (rdn_name)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0x81c1cd60

ldb: Added timed event "ltdb_timeout": 0x81c1ce20

ldb: Running timer event 0x81c1cd60 "ltdb_callback"

ldb: ldb_trace_response: ENTRY
dn: flatname=DONNET,cn=Primary Domains
msDS-KeyVersionNumber: 1
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-2560341170-2029613188-788714530
privateKeytab: secrets.keytab
realm: donnet.lan
saltPrincipal: host/bsd.donnet.lan@DONNET.LAN
samAccountName: BSD$
secret: =zie4p?hma-teLVIcSDZIX!KrQG<nnL<?qd-
secureChannelType: 6
servicePrincipalName: HOST/bsd
servicePrincipalName: HOST/bsd.donnet.lan
objectGUID: a2af7782-c2eb-4c80-9556-75b9ac8f1265
whenCreated: 20130913125340.0Z
whenChanged: 20130913125340.0Z
uSNCreated: 7
uSNChanged: 7
name: DONNET
flatname: DONNET
distinguishedName: flatname=DONNET,cn=Primary Domains



ldb: Destroying timer event 0x81c1ce20 "ltdb_timeout"

ldb: Ending timer event 0x81c1cd60 "ltdb_callback"

GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface re0 ip=10.0.10.10 bcast=10.0.255.255 netmask=255.255.0.0
added interface re0 ip=10.0.10.10 bcast=10.0.255.255 netmask=255.255.0.0
added interface re0 ip=10.0.10.10 bcast=10.0.255.255 netmask=255.255.0.0
added interface re0 ip=10.0.10.10 bcast=10.0.255.255 netmask=255.255.0.0
finddcs: searching for a DC by DNS domain DONNET.LAN
finddcs: looking for SRV records for _ldap._tcp.DONNET.LAN
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed bsd.donnet.lan [0, 100, 389]
finddcs: DNS SRV response 0 at '10.0.10.10'
finddcs: DNS SRV response 1 at '190.57.234.178'
finddcs: performing CLDAP query on 10.0.10.10
     &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
        command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
        sbz                      : 0x0000 (0)
        server_type              : 0x0000137d (4989)
               1: NBT_SERVER_PDC
               1: NBT_SERVER_GC
               1: NBT_SERVER_LDAP
               1: NBT_SERVER_DS
               1: NBT_SERVER_KDC
               1: NBT_SERVER_TIMESERV
               0: NBT_SERVER_CLOSEST
               1: NBT_SERVER_WRITABLE
               1: NBT_SERVER_GOOD_TIMESERV
               0: NBT_SERVER_NDNC
               0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
               1: NBT_SERVER_FULL_SECRET_DOMAIN_6
               0: NBT_SERVER_ADS_WEB_SERVICE
               0: NBT_SERVER_HAS_DNS_NAME
               0: NBT_SERVER_IS_DEFAULT_NC
               0: NBT_SERVER_FOREST_ROOT
        domain_uuid              : b69d24d0-a284-42ee-8e4b-0f71d92e4d69
        forest                   : 'donnet.lan'
        dns_domain               : 'donnet.lan'
        pdc_dns_name             : 'bsd.donnet.lan'
        domain_name              : 'DONNET'
        pdc_name                 : 'BSD'
        user_name                : ''
        server_site              : 'Default-First-Site-Name'
        client_site              : ''
        sockaddr_size            : 0x00 (0)
        sockaddr: struct nbt_sockaddr
            sockaddr_family          : 0x00000000 (0)
            pdc_ip                   : (null)
            remaining                : DATA_BLOB length=0
        next_closest_site        : NULL
        nt_version               : 0x00000005 (5)
               1: NETLOGON_NT_VERSION_1
               0: NETLOGON_NT_VERSION_5
               1: NETLOGON_NT_VERSION_5EX
               0: NETLOGON_NT_VERSION_5EX_WITH_IP
               0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
               0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
               0: NETLOGON_NT_VERSION_PDC
               0: NETLOGON_NT_VERSION_IP
               0: NETLOGON_NT_VERSION_LOCAL
               0: NETLOGON_NT_VERSION_GC
        lmnt_token               : 0xffff (65535)
        lm20_token               : 0xffff (65535)
finddcs: Found matching DC 10.0.10.10 with server_type=0x0000137d
Security token SIDs (1):
  SID[  0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[  0]: SeMachineAccountPrivilege
  Privilege[  1]: SeTakeOwnershipPrivilege
  Privilege[  2]: SeBackupPrivilege
  Privilege[  3]: SeRestorePrivilege
  Privilege[  4]: SeRemoteShutdownPrivilege
  Privilege[  5]: SePrintOperatorPrivilege
  Privilege[  6]: SeAddUsersPrivilege
  Privilege[  7]: SeDiskOperatorPrivilege
  Privilege[  8]: SeSecurityPrivilege
  Privilege[  9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x               0):
lpcfg_servicenumber: couldn't find ldb
added interface re0 ip=10.0.10.10 bcast=10.0.255.255 netmask=255.255.0.0
added interface re0 ip=10.0.10.10 bcast=10.0.255.255 netmask=255.255.0.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 251
Received smb_krb5 packet of length 1201
Received smb_krb5 packet of length 1238
Received smb_krb5 packet of length 1234
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection
added interface re0 ip=10.0.10.10 bcast=10.0.255.255 netmask=255.255.0.0
added interface re0 ip=10.0.10.10 bcast=10.0.255.255 netmask=255.255.0.0
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
 TCP_NODELAY = 4
Could not test socket option TCP_KEEPCNT.
Could not test socket option TCP_KEEPIDLE.
 Could not test socket option TCP_KEEPINTVL.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
 SO_REUSEPORT = 0
SO_SNDBUF = 48996
SO_RCVBUF = 81660
 SO_SNDLOWAT = 2048
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
 SO_RCVTIMEO = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for BSD$@DONNET.LAN will expire in 36000 secs
Received smb_krb5 packet of length 1238
Received smb_krb5 packet of length 1234
smb_signing_sign_pdu: sent SMB signature of
[0000] 42 53 52 53 50 59 4C 20                            BSRSPYL
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection
smb_signing_activate: user_session_key
[0000] 82 2D 65 A1 33 4D FA B2   9F DF D5 41 74 C5 2D A6   .-e.3M.. ...At.-.
[0010] 12 3E AF 24 05 34 AE DA   DD 87 75 05 82 EB 71 69   .>.$.4.. ..u...qi
smb_signing_activate: NULL response_data
smb_signing_md5: sequence number 1
smb_signing_check_pdu: seq 1: got good SMB signature of
[0000] 77 62 2A 0A DF ED 27 01                            wb*...'.
smb_signing_md5: sequence number 2
smb_signing_sign_pdu: sent SMB signature of
[0000] 2D 30 41 F1 F0 3B 6B CA                            -0A..;k.
smb_signing_md5: sequence number 3
smb_signing_check_pdu: seq 3: got good SMB signature of
[0000] 6B 1C E0 C1 36 07 41 0D                            k...6.A.
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on CN=Policies,CN=System,DC=donnet,DC=lan> <>
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 965, in run
    self.samdb.add(m)


Seems an ACL-related problem but I cannot figure it out; any help will be
appreciated!

-- 
*César DiMartino*

