[Samba] Missing Policies folder after failure; how to recreate

"Gergely, Kaszás" cheese at caesar.elte.hu
Fri Jan 16 09:41:05 MST 2015

2015.01.14. 15:48 keltezéssel, Marc Muehlfeld írta:
> Am 14.01.2015 um 11:18 schrieb "Gergely, Kaszás":
>>> If you just lost your sysvol folder content, restore the files from
>>> your backup or copy them from an additional DC in the domain + run
>>> 'samba-tool ntacl sysvolreset'.
>> Yes if the site would have backups or a second DC this wouldn't be a
>> problem.
>> But unfortunately this isn't the case. The admin of this site didn't
>> make backups and there is no other DC in the domain.
> As I already said: If you don't give more information about the
> situation and details, we can't help.

Forgive me for being vauge;
There is only a single active DC in this domain that was recovered after 
a hardware failure caused by an unplaned outage.
This DC is mostly used for radius authentication and for a simple 
library lab with 5 computers.
The domain has around ~400 users.
The real name of the domain is not "domain.of", I just masked it.

*Listing of the sysvol folder gives*
sysvol # find .

The DC is a *4.1.6 ubuntu* packaged samba

Trying to *delete one of the gpo*-s gives:
ERROR(ldb): uncaught exception - LDAP error 50 
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on 
CN={MASKED},CN=Policies,CN=System,DC=domain,DC=of> <>
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 
1083, in run
     self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))

*samba-tool ntacl sysvolcheck*
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such 
file or directory')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
249, in run
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1695, in checksysvolacl
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1631, in check_gpos_acl
     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in 

*samba-tool ntacl sysvolreset*
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
218, in run
     lp, use_ntvfs=use_ntvfs)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1581, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
use_ntvfs, passdb=s4_passdb)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1499, in set_gpos_acl
     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, 
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in 
     smbd.set_nt_acl(file, security.SECINFO_OWNER | 
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, 
sd, service=service)

the *smb.conf*
         workgroup = DOMAINOF
         realm = domain.of
         netbios name = DC
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbind, ntp_signd, kcc, dnsupdate
         nt acl support = yes
         inherit acls = yes
         wins support = yes
         #security = ads
         winbind nss info = rfc2307
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind refresh tickets = true
         kerberos method = secrets and keytab
         socket options = TCP_NODELAY

         idmap config *:backend = tdb
         idmap config *:range = 30001-40000
         idmap config DOMAINOF:backend = ad
         idmap config DOMAINOF:schema_mode = rfc2307
         idmap config DOMAINOF:range = 1000-20000
         idmap_ldb:use rfc2307 = yes

         load printers = no
         printcap name = /dev/null
         template shell = /bin/bash

         # ca.pem - /etc/ssl/certs/sambaca.pem, cert.pem 
         tls enabled  = yes
         tls keyfile  = /var/lib/samba/private/tls/dc.domain.of.key.pem
         tls certfile = /var/lib/samba/private/tls/dc.domain.of.cert.pem
         tls cafile   = /var/lib/samba/private/tls/dc.domain.of.chain.pem

         path = /var/lib/samba/sysvol/domain.of/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No

>>> If the security stuff inside the AD is messed up, too, I have no
>>> idea, if you don't give more information and if we aren't allowed to
>>> ask to find out what happened and what exactly is broken. ;-)
> Regards,
> Marc

More information about the samba mailing list