[Samba] Sysvol acl check failed (solved)

Stefan Kania stefan at kania-online.de
Tue Oct 13 10:43:59 UTC 2015


On 13.10.2015 at 11:20, Stefan Kania wrote:
> On 12.10.2015 at 18:47, James wrote:
>> On 10/12/2015 12:20 PM, Stefan Kania wrote:
>>> Hello,
>>> 
>>> when I check ACLs on my sysvol I got the following errors:
>>> 
>>> root@DKHHDC1:~# samba-tool gpo aclcheck
>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>>>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>>> 
>>> 
>>> root@DKHHDC1:~# samba-tool ntacl sysvolcheck
>>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>>>     lp)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>>>     direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>>>     domainsid, direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>>>     fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
>>>     xattr.XATTR_NTACL_NAME)
>>> 
>>> Then I tried to fix the errors. Doing this, I got the next errors:
>>> 
>>> root@DKHHDC1:~# samba-tool ntacl sysvolreset
>>> open: error=2 (No such file or directory)
>>> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 218, in run
>>>     lp, use_ntvfs=use_ntvfs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1619, in setsysvolacl
>>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1524, in set_gpos_acl
>>>     passdb=passdb)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1487, in set_dir_acl
>>>     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
>>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in setntacl
>>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>>> 
>>> When I check the database everything is ok.
>>> 
>>> root@DKHHDC1:~# samba-tool dbcheck
>>> Checking 1185 objects
>>> Checked 1185 objects (0 errors)
>>> 
>>> Here are the permissions in sysvol:
>>> 
>>> root@DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/Policies/
>>> insgesamt 80
>>> drwxrws---+ 6 root    3000000 4096 Jun 25  2014 {08BE834B-49D1-4F47-950E-C0D0CB4D2486}
>>> drwxrws---+ 6 root    3000015 4096 Nov  5  2013 {31B2F340-016D-11D2-945F-00C04FB984F9}
>>> drwxrws---+ 4 3000015 3000015 4096 Mai 15  2014 {4D8D96AA-C7E4-47F9-A8AF-D1D72CA6CBA1}
>>> drwxrws---+ 4 3000015 3000015 4096 Nov 11  2014 {5C3768B4-E734-4168-A370-E0BB95C00B29}
>>> drwxrws---+ 4 3000015 3000015 4096 Mär  1  2013 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>> drwxrws---+ 5 3000015 3000015 4096 Jun 11  2014 {6FBD7831-E891-41A4-A5FA-B3BCCEAEA519}
>>> drwxrws---+ 4 3000015 3000015 4096 Mai 26  2014 {8DD38317-E675-4042-84DD-0CF499F8C5F1}
>>> drwxrws---+ 5 3000015 3000015 4096 Mär 23  2015 {9C353A54-854E-4CA5-A038-98B5F935627A}
>>> drwxrws---+ 4 3000015 3000015 4096 Dez  3  2014 {A42F9750-57C8-4E48-8928-EF22B6E27CAE}
>>> drwxrws---+ 5 3000015 3000015 4096 Jun 16  2014 {EE730522-233D-47BB-A05C-058B5D9E10DB}
>>> 
>>> root@DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/
>>> insgesamt 24
>>> drwxrws---+ 12 root 3000000 4096 Jan 29  2015 Policies
>>> drwxrws---+  5 root 3000000 4096 Jun 30  2014 scripts
>>> drwxrws---+ 10 root 3000000 4096 Mär 26  2013 StarterGPOs
>>> 
>>> YES I know .local is not a good choice, but it is as it is
>>> NOT my choice
>>> 
>>> All GPOs are working
>>> 
>>> One more thing. The old DC was a self-compiled Samba 4 with
>>> /usr/local/samba/sysvol. The new one is running the
>>> sernet packages with /var/lib/samba/sysvol as path.
>>> 
>>> Where should I look next?
>>> 
>>> 
>>> Thank you
>>> 
>>> Stefan
>>> 
>> Hello,
> 
>> Can you post your smb.conf?
> 
> Here is the smb.conf:
> --------------
> # Global parameters
> [global]
>         workgroup = DKHH
>         realm = dkhh.local
>         netbios name = DKHHDC2
>         server role = active directory domain controller
>         dns forwarder = 172.16.0.52
>         allow dns updates = nonsecure
>
> [netlogon]
>         path = /var/lib/samba/sysvol/dkhh.local/scripts
>         read only = No
>         write ok = Yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>         write ok = Yes
>

During the migration from the old self-compiled samba4 to the new samba4
Sernet packages, one of the GPO entries in
/var/lib/samba/sysvol/Policies/ was not copied. After reinstalling the
missing GPO, everything works fine.

Stefan
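The cause reported in this thread, a GPO object in the directory whose folder never reached sysvol, can be checked for directly before running `sysvolcheck` or `sysvolreset`. The script below is an added example, not part of the original post; it assumes `samba-tool gpo listall` prints a `GPO : {GUID}` line per policy, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): compare the GPOs AD knows about with
# the {GUID} folders under sysvol/<realm>/Policies.

# Read `samba-tool gpo listall` output on stdin; print one upper-cased {GUID}
# per GPO. Assumption: each GPO is introduced by a "GPO : {GUID}" line.
ad_gpo_guids() {
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*\([{][0-9A-Fa-f-]*[}]\).*$/\1/p' |
        tr '[:lower:]' '[:upper:]' | LC_ALL=C sort -u
}

# Print the upper-cased {GUID} directory names found in Policies dir $1.
sysvol_gpo_guids() {
    for d in "$1"/\{*\}; do
        if [ -d "$d" ]; then basename "$d"; fi
    done | tr '[:lower:]' '[:upper:]' | LC_ALL=C sort -u
}

# Usage: samba-tool gpo listall | compare_gpos /var/lib/samba/sysvol/dkhh.local/Policies
# MISSING_DIR = GPO in AD without a folder (the failure in this thread);
# ORPHAN_DIR  = folder on disk with no GPO object in AD.
compare_gpos() {
    ad=$(mktemp); fs=$(mktemp)
    ad_gpo_guids > "$ad"
    sysvol_gpo_guids "$1" > "$fs"
    LC_ALL=C comm -23 "$ad" "$fs" | sed 's/^/MISSING_DIR /'
    LC_ALL=C comm -13 "$ad" "$fs" | sed 's/^/ORPHAN_DIR /'
    rm -f "$ad" "$fs"
}

# Constructed demo: two GPOs in the (fake) listing, only one folder on disk.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}"
    printf 'GPO          : %s\ndisplay name : demo\n' \
        '{31B2F340-016D-11D2-945F-00C04FB984F9}' \
        '{6AC1786C-016F-11D2-945F-00C04FB984F9}' |
        compare_gpos "$tmp/Policies"
    rm -rf "$tmp"
}
demo
```

GUIDs are upper-cased on both sides because the sysvol filesystem is case-sensitive while the directory is not.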