[Samba] Missing Policies folder after failure; how to recreate
"Gergely, Kaszás"
cheese at caesar.elte.hu
Fri Jan 16 09:41:05 MST 2015
On 2015.01.14. 15:48, Marc Muehlfeld wrote:
> Am 14.01.2015 um 11:18 schrieb "Gergely, Kaszás":
>>> If you just lost your sysvol folder content, restore the files from
>>> your backup or copy them from an additional DC in the domain + run
>>> 'samba-tool ntacl sysvolreset'.
>> Yes if the site would have backups or a second DC this wouldn't be a
>> problem.
>> But unfortunately this isn't the case. The admin of this site didn't
>> make backups and there is no other DC in the domain.
> As I already said: If you don't give more information about the
> situation and details, we can't help.
Forgive me for being vague;
There is only a single active DC in this domain that was recovered after
a hardware failure caused by an unplanned outage.
This DC is mostly used for RADIUS authentication and for a simple
library lab with 5 computers.
The domain has around ~400 users.
The real name of the domain is not "domain.of", I just masked it.
*Listing of the sysvol folder gives*
sysvol # find .
.
./domain.of/
./domain.of/scripts
The DC is a *4.1.6 ubuntu* packaged samba
Trying to *delete one of the GPOs* gives:
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN={MASKED},CN=Policies,CN=System,DC=domain,DC=of> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1083, in run
    self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))
*samba-tool ntacl sysvolcheck*
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_gpos_acl
    direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
    xattr.XATTR_NTACL_NAME)
*samba-tool ntacl sysvolreset*
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 218, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1581, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1499, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
the *smb.conf*
[global]
workgroup = DOMAINOF
realm = domain.of
netbios name = DC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
nt acl support = yes
inherit acls = yes
wins support = yes
#security = ads
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = true
kerberos method = secrets and keytab
socket options = TCP_NODELAY
idmap config *:backend = tdb
idmap config *:range = 30001-40000
idmap config DOMAINOF:backend = ad
idmap config DOMAINOF:schema_mode = rfc2307
idmap config DOMAINOF:range = 1000-20000
idmap_ldb:use rfc2307 = yes
load printers = no
printcap name = /dev/null
template shell = /bin/bash
# ca.pem - /etc/ssl/certs/sambaca.pem, cert.pem - /etc/ssl/certs/samba.pem
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/dc.domain.of.key.pem
tls certfile = /var/lib/samba/private/tls/dc.domain.of.cert.pem
tls cafile = /var/lib/samba/private/tls/dc.domain.of.chain.pem
[netlogon]
path = /var/lib/samba/sysvol/domain.of/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
>>> If the security stuff inside the AD is messed up, too, I have no
>>> idea, if you don't give more information and if we aren't allowed to
>>> ask to find out what happened and what exactly is broken. ;-)
>
>
> Regards,
> Marc
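The failures above all have the same cause: the GPO objects still exist under CN=Policies,CN=System in the directory, but their sysvol counterparts under Policies/{GUID} are gone, so `sysvolcheck` dies on the first missing folder (error 2, "No such file or directory") instead of listing what is absent. The script below is an added example, not Samba's own tooling and not part of this thread; it cross-checks saved `ldbsearch` output (the `gPCFileSysPath` attribute of every groupPolicyContainer) against a local sysvol root and reports, per GPO, which folder or template file is missing, so the operator knows exactly which Policies/{GUID} trees to recreate before running `samba-tool ntacl sysvolreset`. The LDIF sample and the sysvol tree it inspects are constructed here (the domain name is made up; the two GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy identifiers); the UNC-to-local mapping assumes the sysvol share is rooted at the path given on the command line.

```python
"""Cross-check GPO objects in AD against the sysvol Policies tree.

Added example (not Samba's own code): it parses saved ldbsearch output
and walks a local sysvol root, so it runs offline against constructed data.
"""
import os
import re
import tempfile

# Constructed sample of what
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(objectClass=groupPolicyContainer)' gPCFileSysPath
# prints. The two GUIDs are the well-known Default Domain Policy and
# Default Domain Controllers Policy identifiers; the domain name is made up.
SAMPLE_LDIF = r"""
# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=of
gPCFileSysPath: \\domain.of\sysvol\domain.of\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

# record 2
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=of
gPCFileSysPath: \\domain.of\sysvol\domain.of\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}

# returned 2 records
"""

# Files and folders a Group Policy Template must carry in sysvol.
EXPECTED_CONTENT = ("GPT.INI", "Machine", "User")

# \\<server>\sysvol\<rest>  ->  <rest>
UNC_RE = re.compile(r"^\\\\[^\\]+\\sysvol\\(.+)$", re.IGNORECASE)


def parse_gpo_entries(ldif_text):
    """Return [{'dn': ..., 'gPCFileSysPath': ...}, ...] from LDIF-style text."""
    entries, current = [], {}
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e and "gPCFileSysPath" in e]


def local_policy_dir(gpc_path, sysvol_root):
    """Map the UNC gPCFileSysPath onto the DC's local sysvol directory."""
    m = UNC_RE.match(gpc_path)
    if not m:
        raise ValueError("not a sysvol UNC path: %r" % gpc_path)
    return os.path.join(sysvol_root, *m.group(1).split("\\"))


def check_gpo_sysvol(entries, sysvol_root):
    """Return {dn: [missing items]} for every GPO whose sysvol part is incomplete."""
    problems = {}
    for entry in entries:
        folder = local_policy_dir(entry["gPCFileSysPath"], sysvol_root)
        if not os.path.isdir(folder):
            problems[entry["dn"]] = ["<policy folder missing>"]
            continue
        missing = [name for name in EXPECTED_CONTENT
                   if not os.path.exists(os.path.join(folder, name))]
        if missing:
            problems[entry["dn"]] = missing
    return problems


def build_demo_sysvol():
    """Constructed sysvol tree: GPO 1 lacks its User folder, GPO 2 is absent."""
    root = tempfile.mkdtemp(prefix="sysvol-demo-")
    os.makedirs(os.path.join(root, "domain.of", "scripts"))
    gpo1 = os.path.join(root, "domain.of", "Policies",
                        "{31B2F340-016D-11D2-945F-00C04FB984F9}")
    os.makedirs(os.path.join(gpo1, "Machine"))
    with open(os.path.join(gpo1, "GPT.INI"), "w") as f:
        f.write("[General]\nVersion=0\n")
    return root


def run_demo():
    """Run the check against the constructed LDIF and sysvol tree."""
    entries = parse_gpo_entries(SAMPLE_LDIF)
    return check_gpo_sysvol(entries, build_demo_sysvol())


if __name__ == "__main__":
    for dn, missing in run_demo().items():
        print("%s: missing %s" % (dn, ", ".join(missing)))
```

On a real DC you would feed `parse_gpo_entries` the output of the `ldbsearch` call shown in the comment and pass `/var/lib/samba/sysvol` as the root. The script only reads; it sets no ACLs and changes nothing in the directory, which is deliberate: recreating the missing Policies/{GUID}/{GPT.INI,Machine,User} trees and then running `samba-tool ntacl sysvolreset` remains a separate, deliberate step.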