[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'

Ing. Claudio Nicora claudio.nicora at gmail.com
Mon Jul 23 14:30:11 UTC 2018


When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC I 
get the error:

---
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
     lp, use_ntvfs=use_ntvfs)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
---

AFAIK this error is thrown when the script tries to set an NT permission 
on a missing file;
it usually happens when a new GPO is created on the primary DC and it's 
not yet replicated to other DCs, since sysvolreset uses AD to find 
defined GPO items.
That said, I've cleaned up the whole sysvol folder on the secondary DC, 
rsync'ed all its content from the primary DC, then reran sysvolreset: same error.
I've also run sysvolreset on the primary DC as well, and again I've got 
the same error.

So now I suppose there's something wrong in AD, like an "orphaned" GPO.
How do I know which GPO file is causing the error? (Running samba-tool 
with the "-d 10" parameter gives no clue.)

Full output (same on both DCs):
-------------------------------

# samba-tool ntacl sysvolreset -d 10
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
   tevent: 10
   auth_audit: 10
   auth_json_audit: 10
   kerberos: 10
   drs_repl: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Security token SIDs (1):
   SID[  0]: S-1-5-18
  Privileges (0xFFFFFFFFFFFFFFFF):
   Privilege[  0]: SeMachineAccountPrivilege
   Privilege[  1]: SeTakeOwnershipPrivilege
   Privilege[  2]: SeBackupPrivilege
   Privilege[  3]: SeRestorePrivilege
   Privilege[  4]: SeRemoteShutdownPrivilege
   Privilege[  5]: SePrintOperatorPrivilege
   Privilege[  6]: SeAddUsersPrivilege
   Privilege[  7]: SeDiskOperatorPrivilege
   Privilege[  8]: SeSecurityPrivilege
   Privilege[  9]: SeSystemtimePrivilege
   Privilege[ 10]: SeShutdownPrivilege
   Privilege[ 11]: SeDebugPrivilege
   Privilege[ 12]: SeSystemEnvironmentPrivilege
   Privilege[ 13]: SeSystemProfilePrivilege
   Privilege[ 14]: SeProfileSingleProcessPrivilege
   Privilege[ 15]: SeIncreaseBasePriorityPrivilege
   Privilege[ 16]: SeLoadDriverPrivilege
   Privilege[ 17]: SeCreatePagefilePrivilege
   Privilege[ 18]: SeIncreaseQuotaPrivilege
   Privilege[ 19]: SeChangeNotifyPrivilege
   Privilege[ 20]: SeUndockPrivilege
   Privilege[ 21]: SeManageVolumePrivilege
   Privilege[ 22]: SeImpersonatePrivilege
   Privilege[ 23]: SeCreateGlobalPrivilege
   Privilege[ 24]: SeEnableDelegationPrivilege
  Rights (0x               0):
lpcfg_servicenumber: couldn't find ldb
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter bind interfaces only = Yes
doing parameter interfaces = lo eth_lan
doing parameter netbios name = SRVSAMBA2
doing parameter realm = SAMDOM.LOCAL
doing parameter server role = active directory domain controller
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
doing parameter workgroup = SAMDOM
doing parameter ldap server require strong auth = no
doing parameter client ldap sasl wrapping = plain
doing parameter log level = 2 vfs:1
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
idmap range not specified for domain '*'
idmap range not specified for domain '*'
*****
***** huge lot of these lines...
*****
idmap range not specified for domain '*'
idmap range not specified for domain '*'
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
     lp, use_ntvfs=use_ntvfs)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
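
An added example, not part of the original post and not Samba's own code: one way to test the "orphaned GPO" hypothesis above is to compare the GPO GUIDs that AD lists with the GUID directories present under the sysvol Policies folder. It assumes the `GPO : {GUID}` line format printed by `samba-tool gpo listall`; the sample output, the third GUID and the sysvol path in the comment are constructed for illustration.

```python
import os
import re
import tempfile

# Matches the "GPO : {GUID}" line of `samba-tool gpo listall` output (assumed format).
GPO_LINE = re.compile(r"^GPO\s*:\s*(\{[0-9A-Fa-f-]{36}\})$")

# Constructed sample output; realm taken from the post, third GUID is made up.
SAMPLE_LISTALL = r"""
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.local\sysvol\samdom.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\samdom.local\sysvol\samdom.local\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}

GPO          : {11111111-2222-3333-4444-555555555555}
display name : Constructed test policy
path         : \\samdom.local\sysvol\samdom.local\Policies\{11111111-2222-3333-4444-555555555555}
"""

def gpo_guids_from_listall(text):
    """Return the GPO GUIDs (upper-cased) that AD reports."""
    matches = (GPO_LINE.match(line.strip()) for line in text.splitlines())
    return [m.group(1).upper() for m in matches if m]

def compare_gpos(listall_text, policies_dir):
    """Return (in AD but missing on disk, on disk but unknown to AD)."""
    in_ad = set(gpo_guids_from_listall(listall_text))
    on_disk = {name.upper() for name in os.listdir(policies_dir)
               if name.startswith("{")
               and os.path.isdir(os.path.join(policies_dir, name))}
    return sorted(in_ad - on_disk), sorted(on_disk - in_ad)

def demo():
    """Build a throwaway Policies folder that lacks one GPO AD knows about."""
    with tempfile.TemporaryDirectory() as policies:
        for guid in ("{31B2F340-016D-11D2-945F-00C04FB984F9}",
                     "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
                     "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"):
            os.mkdir(os.path.join(policies, guid))
        return compare_gpos(SAMPLE_LISTALL, policies)

if __name__ == "__main__":
    # On a DC, feed in the real listall output and the real Policies path,
    # e.g. /var/lib/samba/sysvol/samdom.local/Policies (assumed location).
    missing, extra = demo()
    print("In AD, missing on disk:", missing)
    print("On disk, unknown to AD:", extra)
```

A GUID in the first list is a GPO object in AD with no directory in sysvol, which is the case the post suspects.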



