[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'

L.P.H. van Belle belle at bazuin.nl
Mon Jul 23 14:45:03 UTC 2018


Hai, 

Check these. 
https://www.google.nl/search?biw=1680&bih=888&ei=0-hVW7zQMqzkkgWIjqawDA&q=site%3Asamba.org+sysvol+permission&oq=site%3Asamba.org+sysvol+permission&gs_l=psy-ab.3...5368.10525.0.11916.17.14.3.0.0.0.72.580.14.14.0....0...1c.1.64.psy-ab..0.0.0....0.Ot64q9CRMN8 

https://www.google.nl/search?biw=1680&bih=888&ei=4OhVW4_xH5L5kwXizI7YCQ&q=site%3Asamba.org+sysvol+reset&oq=site%3Asamba.org+sysvol+reset&gs_l=psy-ab.3...14561.18658.0.19243.13.8.5.0.0.0.47.336.8.8.0....0...1c.1.64.psy-ab..0.0.0....0.fIvwA6AUPAo 

The answer and workarounds are there. 
This is discussed so much. (sorry). 

Short version. 
Dont run sysvolreset and has an bug. 
Get the correct settings from my script. 
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh 

And if you want to apply them, change in the script: 
APPLY_CHANGES_DIRECT="no" to yes. 


> ***** huge lot of these lines...
> *****
> idmap range not specified for domain '*'

And i suggest, you post your smb.conf. 



Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ing. 
> Claudio Nicora via samba
> Verzonden: maandag 23 juli 2018 16:30
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] sysvolreset error '{Operation Failed} The 
> requested operation was unsuccessful.'
> 
> When I run samba-tool ntacl sysvolreset on my "secondary" 
> Samba AD DC I 
> get the error:
> 
> ---
> ERROR(runtime): uncaught exception - (-1073741823, 
> '{Operation Failed} 
> The requested operation was unsuccessful.')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 176, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
> 239, in run
>      lp, use_ntvfs=use_ntvfs)
>    File 
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
> line 1609, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
> use_ntvfs, passdb=s4_passdb)
>    File 
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
> line 1502, in set_gpos_acl
>      use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, 
> service=SYSVOL_SERVICE)
>    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", 
> line 162, in 
> setntacl
>      smbd.set_nt_acl(file, security.SECINFO_OWNER | 
> security.SECINFO_GROUP | security.SECINFO_DACL | 
> security.SECINFO_SACL, 
> sd, service=service)
> ---
> 
> AFAIK this error is thrown when the script tries to set an NT 
> permission 
> on a missing file;
> it usually happens when a new GPO is created on the primary 
> DC and it's 
> not yet replicated to other DCs, since sysvolreset uses AD to find 
> defined GPO items.
> That said, I've cleaned up the whole sysvol folder on secondary DC, 
> rsync'ed all its content from primary DC then rerun 
> sysvolreset: same error.
> I've also run sysvolreset on the primary DC as well, and 
> again I've got 
> the same error.
> 
> So now I suppose there's something wrong in AD, like an 
> "orphaned" GPO.
> How do I know which GPO file is causing the error? (running 
> samba-tool 
> with "-d 10" parameter gives no clue.
> 
> Full output (same on both DCs):
> -------------------------------
> 
> # samba-tool ntacl sysvolreset -d 10
> INFO: Current debug levels:
>    all: 10
>    tdb: 10
>    printdrivers: 10
>    lanman: 10
>    smb: 10
>    rpc_parse: 10
>    rpc_srv: 10
>    rpc_cli: 10
>    passdb: 10
>    sam: 10
>    auth: 10
>    winbind: 10
>    vfs: 10
>    idmap: 10
>    quota: 10
>    acls: 10
>    locking: 10
>    msdfs: 10
>    dmapi: 10
>    registry: 10
>    scavenger: 10
>    dns: 10
>    ldb: 10
>    tevent: 10
>    auth_audit: 10
>    auth_json_audit: 10
>    kerberos: 10
>    drs_repl: 10
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> Security token SIDs (1):
>    SID[  0]: S-1-5-18
>   Privileges (0xFFFFFFFFFFFFFFFF):
>    Privilege[  0]: SeMachineAccountPrivilege
>    Privilege[  1]: SeTakeOwnershipPrivilege
>    Privilege[  2]: SeBackupPrivilege
>    Privilege[  3]: SeRestorePrivilege
>    Privilege[  4]: SeRemoteShutdownPrivilege
>    Privilege[  5]: SePrintOperatorPrivilege
>    Privilege[  6]: SeAddUsersPrivilege
>    Privilege[  7]: SeDiskOperatorPrivilege
>    Privilege[  8]: SeSecurityPrivilege
>    Privilege[  9]: SeSystemtimePrivilege
>    Privilege[ 10]: SeShutdownPrivilege
>    Privilege[ 11]: SeDebugPrivilege
>    Privilege[ 12]: SeSystemEnvironmentPrivilege
>    Privilege[ 13]: SeSystemProfilePrivilege
>    Privilege[ 14]: SeProfileSingleProcessPrivilege
>    Privilege[ 15]: SeIncreaseBasePriorityPrivilege
>    Privilege[ 16]: SeLoadDriverPrivilege
>    Privilege[ 17]: SeCreatePagefilePrivilege
>    Privilege[ 18]: SeIncreaseQuotaPrivilege
>    Privilege[ 19]: SeChangeNotifyPrivilege
>    Privilege[ 20]: SeUndockPrivilege
>    Privilege[ 21]: SeManageVolumePrivilege
>    Privilege[ 22]: SeImpersonatePrivilege
>    Privilege[ 23]: SeCreateGlobalPrivilege
>    Privilege[ 24]: SeEnableDelegationPrivilege
>   Rights (0x               0):
> lpcfg_servicenumber: couldn't find ldb
> Initial schema load needed, as we have no existing schema, seq_num: 1
> schema_fsmo_init: we are master[no] updates allowed[no]
> Initial schema load needed, as we have no existing schema, seq_num: 1
> schema_fsmo_init: we are master[no] updates allowed[no]
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows 
> limit (16384)
> Processing section "[global]"
> doing parameter bind interfaces only = Yes
> doing parameter interfaces = lo eth_lan
> doing parameter netbios name = SRVSAMBA2
> doing parameter realm = SAMDOM.LOCAL
> doing parameter server role = active directory domain controller
> doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, 
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> doing parameter workgroup = SAMDOM
> doing parameter ldap server require strong auth = no
> doing parameter client ldap sasl wrapping = plain
> doing parameter log level = 2 vfs:1
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> *****
> ***** huge lot of these lines...
> *****
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 
> '{Operation Failed} 
> The requested operation was unsuccessful.')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 176, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
> 239, in run
>      lp, use_ntvfs=use_ntvfs)
>    File 
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
> line 1609, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
> use_ntvfs, passdb=s4_passdb)
>    File 
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
> line 1502, in set_gpos_acl
>      use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, 
> service=SYSVOL_SERVICE)
>    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", 
> line 162, in 
> setntacl
>      smbd.set_nt_acl(file, security.SECINFO_OWNER | 
> security.SECINFO_GROUP | security.SECINFO_DACL | 
> security.SECINFO_SACL, 
> sd, service=service)
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 




More information about the samba mailing list