[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
Ing. Claudio Nicora
claudio.nicora at gmail.com
Mon Jul 23 14:30:11 UTC 2018
When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC I
get the error:
---
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
The requested operation was unsuccessful.')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
239, in run
lp, use_ntvfs=use_ntvfs)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in
setntacl
smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL,
sd, service=service)
---
AFAIK this error is thrown when the script tries to set an NT permission
on a missing file;
it usually happens when a new GPO is created on the primary DC and it's
not yet replicated to other DCs, since sysvolreset uses AD to find
defined GPO items.
That said, I've cleaned up the whole sysvol folder on secondary DC,
rsync'ed all its content from primary DC then rerun sysvolreset: same error.
I've also run sysvolreset on the primary DC as well, and again I've got
the same error.
So now I suppose there's something wrong in AD, like an "orphaned" GPO.
How do I know which GPO file is causing the error? (running samba-tool
with "-d 10" parameter gives no clue.
Full output (same on both DCs):
-------------------------------
# samba-tool ntacl sysvolreset -d 10
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Security token SIDs (1):
SID[ 0]: S-1-5-18
Privileges (0xFFFFFFFFFFFFFFFF):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProfileSingleProcessPrivilege
Privilege[ 15]: SeIncreaseBasePriorityPrivilege
Privilege[ 16]: SeLoadDriverPrivilege
Privilege[ 17]: SeCreatePagefilePrivilege
Privilege[ 18]: SeIncreaseQuotaPrivilege
Privilege[ 19]: SeChangeNotifyPrivilege
Privilege[ 20]: SeUndockPrivilege
Privilege[ 21]: SeManageVolumePrivilege
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 0):
lpcfg_servicenumber: couldn't find ldb
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter bind interfaces only = Yes
doing parameter interfaces = lo eth_lan
doing parameter netbios name = SRVSAMBA2
doing parameter realm = SAMDOM.LOCAL
doing parameter server role = active directory domain controller
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
doing parameter workgroup = SAMDOM
doing parameter ldap server require strong auth = no
doing parameter client ldap sasl wrapping = plain
doing parameter log level = 2 vfs:1
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
idmap range not specified for domain '*'
idmap range not specified for domain '*'
*****
***** huge lot of these lines...
*****
idmap range not specified for domain '*'
idmap range not specified for domain '*'
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
The requested operation was unsuccessful.')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
239, in run
lp, use_ntvfs=use_ntvfs)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in
setntacl
smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL,
sd, service=service)
More information about the samba
mailing list