[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'

Rowland Penny rpenny at samba.org
Mon Jul 23 14:59:46 UTC 2018


On Mon, 23 Jul 2018 16:30:11 +0200
"Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote:

> When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC
> I get the error:
> 
> ---
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation
> Failed} The requested operation was unsuccessful.')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
> line 239, in run
>      lp, use_ntvfs=use_ntvfs)
>    File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>    File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True,
> passdb=passdb, service=SYSVOL_SERVICE)
>    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
> in setntacl
>      smbd.set_nt_acl(file, security.SECINFO_OWNER | 
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
> ---
> 
> AFAIK this error is thrown when the script tries to set an NT
> permission on a missing file;
> it usually happens when a new GPO is created on the primary DC and
> it's not yet replicated to other DCs, since sysvolreset uses AD to
> find defined GPO items.

When you join another DC, you get virtually nothing in sysvol; you need
to sync it manually. But when a GPO is added, it is not only stored in
sysvol, it is also stored in AD. When you use sysvolreset, it is the
GPOs stored in AD that are found first and then these are used to
'walk' sysvol, so if they exist in AD and not in sysvol, you get an
error.

There are several lines in the output I do not understand, so can you
post your smb.conf?
I would also double-check just what is in sysvol on both machines.

Rowland
 
> That said, I've cleaned up the whole sysvol folder on secondary DC, 
> rsync'ed all its content from primary DC then rerun sysvolreset: same
> error. I've also run sysvolreset on the primary DC as well, and again
> I've got the same error.
> 
> So now I suppose there's something wrong in AD, like an "orphaned"
> GPO. How do I know which GPO file is causing the error? (Running
> samba-tool with the "-d 10" parameter gives no clue.)
> 
> Full output (same on both DCs):
> -------------------------------
> 
> # samba-tool ntacl sysvolreset -d 10
> INFO: Current debug levels:
>    all: 10
>    tdb: 10
>    printdrivers: 10
>    lanman: 10
>    smb: 10
>    rpc_parse: 10
>    rpc_srv: 10
>    rpc_cli: 10
>    passdb: 10
>    sam: 10
>    auth: 10
>    winbind: 10
>    vfs: 10
>    idmap: 10
>    quota: 10
>    acls: 10
>    locking: 10
>    msdfs: 10
>    dmapi: 10
>    registry: 10
>    scavenger: 10
>    dns: 10
>    ldb: 10
>    tevent: 10
>    auth_audit: 10
>    auth_json_audit: 10
>    kerberos: 10
>    drs_repl: 10
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> Security token SIDs (1):
>    SID[  0]: S-1-5-18
>   Privileges (0xFFFFFFFFFFFFFFFF):
>    Privilege[  0]: SeMachineAccountPrivilege
>    Privilege[  1]: SeTakeOwnershipPrivilege
>    Privilege[  2]: SeBackupPrivilege
>    Privilege[  3]: SeRestorePrivilege
>    Privilege[  4]: SeRemoteShutdownPrivilege
>    Privilege[  5]: SePrintOperatorPrivilege
>    Privilege[  6]: SeAddUsersPrivilege
>    Privilege[  7]: SeDiskOperatorPrivilege
>    Privilege[  8]: SeSecurityPrivilege
>    Privilege[  9]: SeSystemtimePrivilege
>    Privilege[ 10]: SeShutdownPrivilege
>    Privilege[ 11]: SeDebugPrivilege
>    Privilege[ 12]: SeSystemEnvironmentPrivilege
>    Privilege[ 13]: SeSystemProfilePrivilege
>    Privilege[ 14]: SeProfileSingleProcessPrivilege
>    Privilege[ 15]: SeIncreaseBasePriorityPrivilege
>    Privilege[ 16]: SeLoadDriverPrivilege
>    Privilege[ 17]: SeCreatePagefilePrivilege
>    Privilege[ 18]: SeIncreaseQuotaPrivilege
>    Privilege[ 19]: SeChangeNotifyPrivilege
>    Privilege[ 20]: SeUndockPrivilege
>    Privilege[ 21]: SeManageVolumePrivilege
>    Privilege[ 22]: SeImpersonatePrivilege
>    Privilege[ 23]: SeCreateGlobalPrivilege
>    Privilege[ 24]: SeEnableDelegationPrivilege
>   Rights (0x               0):
> lpcfg_servicenumber: couldn't find ldb
> Initial schema load needed, as we have no existing schema, seq_num: 1
> schema_fsmo_init: we are master[no] updates allowed[no]
> Initial schema load needed, as we have no existing schema, seq_num: 1
> schema_fsmo_init: we are master[no] updates allowed[no]
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[global]"
> doing parameter bind interfaces only = Yes
> doing parameter interfaces = lo eth_lan
> doing parameter netbios name = SRVSAMBA2
> doing parameter realm = SAMDOM.LOCAL
> doing parameter server role = active directory domain controller
> doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, 
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> doing parameter workgroup = SAMDOM
> doing parameter ldap server require strong auth = no
> doing parameter client ldap sasl wrapping = plain
> doing parameter log level = 2 vfs:1
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> *****
> ***** huge lot of these lines...
> *****
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation
> Failed} The requested operation was unsuccessful.')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
> line 239, in run
>      lp, use_ntvfs=use_ntvfs)
>    File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>    File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True,
> passdb=passdb, service=SYSVOL_SERVICE)
>    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
> in setntacl
>      smbd.set_nt_acl(file, security.SECINFO_OWNER | 
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
> 
> 
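
The comparison described in the reply above (GPOs known to AD versus GPO directories actually present in sysvol) can be scripted. This is an added example, not part of the original thread: it parses the `GPO : {GUID}` lines of `samba-tool gpo listall` output, and the function names and the demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report GPOs that exist in AD but have
# no directory under sysvol/<dnsdomain>/Policies, and the reverse.
# GUIDs are compared case-insensitively (upper-cased on both sides).

# GUIDs from `samba-tool gpo listall` output on stdin, one per line.
ad_gpo_guids() {
    awk -F': *' '/^GPO[ \t]*:/ { sub(/[ \t\r]+$/, "", $2); print toupper($2) }' | sort -u
}

# GUID-named directories found under the Policies directory given as $1.
disk_gpo_guids() {
    for d in "$1"/\{*\}; do
        if [ -d "$d" ]; then basename "$d"; fi
    done | tr 'abcdef' 'ABCDEF' | sort -u
}

# $1 = file holding the listall output, $2 = Policies directory.
# Prints "AD_ONLY <guid>" or "DISK_ONLY <guid>" for every mismatch.
gpo_mismatches() (
    ad=$(ad_gpo_guids < "$1")
    disk=$(disk_gpo_guids "$2")
    for g in $ad; do
        printf '%s\n' "$disk" | grep -Fxq -- "$g" || echo "AD_ONLY $g"
    done
    for g in $disk; do
        printf '%s\n' "$ad" | grep -Fxq -- "$g" || echo "DISK_ONLY $g"
    done
)

# Constructed demo data: two GPOs in AD, only one has a sysvol directory.
demo() (
    t=$(mktemp -d) && mkdir -p "$t/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}"
    printf 'GPO          : %s\ndisplay name : %s\n\n' \
        '{31B2F340-016D-11D2-945F-00C04FB984F9}' 'Default Domain Policy' \
        '{11111111-2222-3333-4444-555555555555}' 'Constructed orphan' > "$t/listall.txt"
    gpo_mismatches "$t/listall.txt" "$t/Policies"
    rm -rf "$t"
)
demo
```

On a DC, save the output of `samba-tool gpo listall` to a file and pass it together with the `Policies` directory below the `path` of the `[sysvol]` share in smb.conf. An `AD_ONLY` line names a GPO that sysvolreset will look for in sysvol and not find.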