[Samba] Sysvol acl check failed (solved)
Stefan Kania
stefan at kania-online.de
Tue Oct 13 10:43:59 UTC 2015
On 13.10.2015 at 11:20, Stefan Kania wrote:
> On 12.10.2015 at 18:47, James wrote:
>> On 10/12/2015 12:20 PM, Stefan Kania wrote:
>>> Hello,
>>>
>>> when I check ACLs on my sysvol I got the following errors:
>>>
>>> root@DKHHDC1:~# samba-tool gpo aclcheck
>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>>>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>>>
>>>
>>> root@DKHHDC1:~# samba-tool ntacl sysvolcheck
>>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>>>     lp)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>>>     direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>>>     domainsid, direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>>>     fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
>>>     xattr.XATTR_NTACL_NAME)
>>>
>>> Then I tried to fix the errors. Doing this, I got the next errors:
>>>
>>> root@DKHHDC1:~# samba-tool ntacl sysvolreset
>>> open: error=2 (No such file or directory)
>>> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 218, in run
>>>     lp, use_ntvfs=use_ntvfs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1619, in setsysvolacl
>>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1524, in set_gpos_acl
>>>     passdb=passdb)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1487, in set_dir_acl
>>>     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
>>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in setntacl
>>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>>>
>>> When I check the database everything is ok.
>>>
>>> root@DKHHDC1:~# samba-tool dbcheck
>>> Checking 1185 objects
>>> Checked 1185 objects (0 errors)
>>>
>>> Here are the permissions in sysvol:
>>>
>>> root@DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/Policies/
>>> insgesamt 80
>>> drwxrws---+ 6 root    3000000 4096 Jun 25 2014 {08BE834B-49D1-4F47-950E-C0D0CB4D2486}
>>> drwxrws---+ 6 root    3000015 4096 Nov 5 2013 {31B2F340-016D-11D2-945F-00C04FB984F9}
>>> drwxrws---+ 4 3000015 3000015 4096 Mai 15 2014 {4D8D96AA-C7E4-47F9-A8AF-D1D72CA6CBA1}
>>> drwxrws---+ 4 3000015 3000015 4096 Nov 11 2014 {5C3768B4-E734-4168-A370-E0BB95C00B29}
>>> drwxrws---+ 4 3000015 3000015 4096 Mär 1 2013 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>> drwxrws---+ 5 3000015 3000015 4096 Jun 11 2014 {6FBD7831-E891-41A4-A5FA-B3BCCEAEA519}
>>> drwxrws---+ 4 3000015 3000015 4096 Mai 26 2014 {8DD38317-E675-4042-84DD-0CF499F8C5F1}
>>> drwxrws---+ 5 3000015 3000015 4096 Mär 23 2015 {9C353A54-854E-4CA5-A038-98B5F935627A}
>>> drwxrws---+ 4 3000015 3000015 4096 Dez 3 2014 {A42F9750-57C8-4E48-8928-EF22B6E27CAE}
>>> drwxrws---+ 5 3000015 3000015 4096 Jun 16 2014 {EE730522-233D-47BB-A05C-058B5D9E10DB}
>>>
>>> root@DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/
>>> insgesamt 24
>>> drwxrws---+ 12 root 3000000 4096 Jan 29 2015 Policies
>>> drwxrws---+ 5 root 3000000 4096 Jun 30 2014 scripts
>>> drwxrws---+ 10 root 3000000 4096 Mär 26 2013 StarterGPOs
>>>
>>> YES I know .local is not a good choice, but it is as it is
>>> NOT my choice
>>>
>>> All GPOs are working
>>>
>>> One more thing. The old DC was a self-compiled Samba 4 with
>>> /usr/local/samba/sysvol. The new one is running the
>>> SerNet packages with /var/lib/samba/sysvol as path.
>>>
>>> Where should I look next?
>>>
>>>
>>> Thank you
>>>
>>> Stefan
>>>
>> Hello,
>
>> Can you post your smb.conf?
>
> Here is the smb.conf
> --------------
> # Global parameters
> [global]
>     workgroup = DKHH
>     realm = dkhh.local
>     netbios name = DKHHDC2
>     server role = active directory domain controller
>     dns forwarder = 172.16.0.52
>     allow dns updates = nonsecure
>
> [netlogon]
>     path = /var/lib/samba/sysvol/dkhh.local/scripts
>     read only = No
>     write ok = Yes
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>     write ok = Yes
>
>
>
>
During the migration from the old self-compiled Samba 4 to the new
Samba 4 SerNet packages, one of the GPO entries in
/var/lib/samba/sysvol/Policies/ was not copied. After reinstalling the
missing GPO everything works fine.
Stefan
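
The root cause reported above, a GPO that exists in the directory but has no folder under sysvol, can be checked for directly. The following is an added example, not part of the original post or of Samba: it assumes the listing file holds `samba-tool gpo listall` output with one `GPO : {GUID}` line per policy, and the function names and the `0000...` GUIDs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find GPOs whose AD object and
# sysvol folder are out of step.

# Read `samba-tool gpo listall`-style text on stdin and print the GUIDs.
# Assumed format: one "GPO : {GUID}" line per policy.
gpo_guids_from_listing() {
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*\({[0-9A-Fa-f-]*}\).*/\1/p' |
        tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# Print the GUID-named directories directly under a Policies directory.
gpo_guids_on_disk() {
    for d in "$1"/\{*\}; do
        if [ -d "$d" ]; then basename "$d"; fi
    done | tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# Compare both views. MISSING_ON_DISK is the situation from this thread.
compare_gpos() {
    ad=$(mktemp); disk=$(mktemp)
    gpo_guids_from_listing < "$1" > "$ad"
    gpo_guids_on_disk "$2" > "$disk"
    LC_ALL=C comm -23 "$ad" "$disk" | sed 's/^/MISSING_ON_DISK /'
    LC_ALL=C comm -13 "$ad" "$disk" | sed 's/^/ORPHAN_ON_DISK /'
    rm -f "$ad" "$disk"
}

# Constructed sample: two GPOs in the listing, one of them without a
# folder, plus one folder with no AD object. The 0000... GUIDs are made up.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}" \
             "$tmp/Policies/{00000000-0000-0000-0000-0000000000AA}"
    cat > "$tmp/listing.txt" <<'EOF'
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
GPO          : {00000000-0000-0000-0000-0000000000BB}
display name : Constructed missing policy
EOF
    compare_gpos "$tmp/listing.txt" "$tmp/Policies"
    rm -rf "$tmp"
}

demo
```

On a DC, save the output of `samba-tool gpo listall` to a file and call `compare_gpos` with that file and the Policies directory (here `/var/lib/samba/sysvol/dkhh.local/Policies`) before running `samba-tool ntacl sysvolcheck` after a migration.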