[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'

Ing. Claudio Nicora claudio.nicora at gmail.com
Mon Jul 23 15:05:52 UTC 2018


I'm not a Python guru but I've tried adding a "print" just before the 
smbd.set_nt_acl() call in file 
/usr/lib/python2.7/dist-packages/samba/ntacls.py.
This way I've found the GUID of the orphaned GPO and removed it with 
RSAT: error disappeared ;)
It was only a test GPO so I won't go further investigating why its 
files were lost...

Still having a lot of "idmap range not specified for domain '*'" lines, 
maybe causing sysvolreset to take forever to run.
Here is my smb.conf file; hope you can find something wrong:
---
# cat /etc/samba/smb.conf
[global]
   bind interfaces only = Yes
   interfaces = lo eth_lan
   netbios name = SRVSAMBA2
   realm = SAMDOM.LOCAL
   server role = active directory domain controller
   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
   workgroup = SAMDOM
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
   log level = 2 vfs:1
   log file = /var/log/samba/log.samba
   max log size = 10000

[netlogon]
   path = /var/lib/samba/sysvol/samdom.local/scripts
   read only = No

[sysvol]
   path = /var/lib/samba/sysvol
   read only = No
---

Thanks
Claudio


On 23/07/2018 16:45, L.P.H. van Belle via samba wrote:
> Hai,
>
> Check these.
> https://www.google.nl/search?biw=1680&bih=888&ei=0-hVW7zQMqzkkgWIjqawDA&q=site%3Asamba.org+sysvol+permission&oq=site%3Asamba.org+sysvol+permission&gs_l=psy-ab.3...5368.10525.0.11916.17.14.3.0.0.0.72.580.14.14.0....0...1c.1.64.psy-ab..0.0.0....0.Ot64q9CRMN8
>
> https://www.google.nl/search?biw=1680&bih=888&ei=4OhVW4_xH5L5kwXizI7YCQ&q=site%3Asamba.org+sysvol+reset&oq=site%3Asamba.org+sysvol+reset&gs_l=psy-ab.3...14561.18658.0.19243.13.8.5.0.0.0.47.336.8.8.0....0...1c.1.64.psy-ab..0.0.0....0.fIvwA6AUPAo
>
> The answer and workarounds are there.
> This is discussed so much. (sorry).
>
> Short version.
> Don't run sysvolreset, it has a bug.
> Get the correct settings from my script.
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
>
> And if you want to apply them, change in the script:
> APPLY_CHANGES_DIRECT="no" to yes.
>
>
>> ***** huge lot of these lines...
>> *****
>> idmap range not specified for domain '*'
> And I suggest you post your smb.conf.
>
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ing.
>> Claudio Nicora via samba
>> Sent: Monday 23 July 2018 16:30
>> To: samba at lists.samba.org
>> Subject: [Samba] sysvolreset error '{Operation Failed} The
>> requested operation was unsuccessful.'
>>
>> When I run samba-tool ntacl sysvolreset on my "secondary"
>> Samba AD DC I
>> get the error:
>>
>> ---
>> ERROR(runtime): uncaught exception - (-1073741823,
>> '{Operation Failed}
>> The requested operation was unsuccessful.')
>>     File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>>       return self.run(*args, **kwargs)
>>     File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
>> 239, in run
>>       lp, use_ntvfs=use_ntvfs)
>>     File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1609, in setsysvolacl
>>       set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>> use_ntvfs, passdb=s4_passdb)
>>     File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1502, in set_gpos_acl
>>       use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
>> service=SYSVOL_SERVICE)
>>     File "/usr/lib/python2.7/dist-packages/samba/ntacls.py",
>> line 162, in
>> setntacl
>>       smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL |
>> security.SECINFO_SACL,
>> sd, service=service)
>> ---
>>
>> AFAIK this error is thrown when the script tries to set an NT
>> permission
>> on a missing file;
>> it usually happens when a new GPO is created on the primary
>> DC and it's
>> not yet replicated to other DCs, since sysvolreset uses AD to find
>> defined GPO items.
>> That said, I've cleaned up the whole sysvol folder on secondary DC,
>> rsync'ed all its content from primary DC then rerun
>> sysvolreset: same error.
>> I've also run sysvolreset on the primary DC as well, and
>> again I've got
>> the same error.
>>
>> So now I suppose there's something wrong in AD, like an
>> "orphaned" GPO.
>> How do I know which GPO file is causing the error? (running
>> samba-tool
>> with "-d 10" parameter gives no clue.)
>>
>> Full output (same on both DCs):
>> -------------------------------
>>
>> # samba-tool ntacl sysvolreset -d 10
>> INFO: Current debug levels:
>>     all: 10
>>     tdb: 10
>>     printdrivers: 10
>>     lanman: 10
>>     smb: 10
>>     rpc_parse: 10
>>     rpc_srv: 10
>>     rpc_cli: 10
>>     passdb: 10
>>     sam: 10
>>     auth: 10
>>     winbind: 10
>>     vfs: 10
>>     idmap: 10
>>     quota: 10
>>     acls: 10
>>     locking: 10
>>     msdfs: 10
>>     dmapi: 10
>>     registry: 10
>>     scavenger: 10
>>     dns: 10
>>     ldb: 10
>>     tevent: 10
>>     auth_audit: 10
>>     auth_json_audit: 10
>>     kerberos: 10
>>     drs_repl: 10
>> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> pm_process() returned Yes
>> Security token SIDs (1):
>>     SID[  0]: S-1-5-18
>>    Privileges (0xFFFFFFFFFFFFFFFF):
>>     Privilege[  0]: SeMachineAccountPrivilege
>>     Privilege[  1]: SeTakeOwnershipPrivilege
>>     Privilege[  2]: SeBackupPrivilege
>>     Privilege[  3]: SeRestorePrivilege
>>     Privilege[  4]: SeRemoteShutdownPrivilege
>>     Privilege[  5]: SePrintOperatorPrivilege
>>     Privilege[  6]: SeAddUsersPrivilege
>>     Privilege[  7]: SeDiskOperatorPrivilege
>>     Privilege[  8]: SeSecurityPrivilege
>>     Privilege[  9]: SeSystemtimePrivilege
>>     Privilege[ 10]: SeShutdownPrivilege
>>     Privilege[ 11]: SeDebugPrivilege
>>     Privilege[ 12]: SeSystemEnvironmentPrivilege
>>     Privilege[ 13]: SeSystemProfilePrivilege
>>     Privilege[ 14]: SeProfileSingleProcessPrivilege
>>     Privilege[ 15]: SeIncreaseBasePriorityPrivilege
>>     Privilege[ 16]: SeLoadDriverPrivilege
>>     Privilege[ 17]: SeCreatePagefilePrivilege
>>     Privilege[ 18]: SeIncreaseQuotaPrivilege
>>     Privilege[ 19]: SeChangeNotifyPrivilege
>>     Privilege[ 20]: SeUndockPrivilege
>>     Privilege[ 21]: SeManageVolumePrivilege
>>     Privilege[ 22]: SeImpersonatePrivilege
>>     Privilege[ 23]: SeCreateGlobalPrivilege
>>     Privilege[ 24]: SeEnableDelegationPrivilege
>>    Rights (0x               0):
>> lpcfg_servicenumber: couldn't find ldb
>> Initial schema load needed, as we have no existing schema, seq_num: 1
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> Initial schema load needed, as we have no existing schema, seq_num: 1
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows
>> limit (16384)
>> Processing section "[global]"
>> doing parameter bind interfaces only = Yes
>> doing parameter interfaces = lo eth_lan
>> doing parameter netbios name = SRVSAMBA2
>> doing parameter realm = SAMDOM.LOCAL
>> doing parameter server role = active directory domain controller
>> doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> doing parameter workgroup = SAMDOM
>> doing parameter ldap server require strong auth = no
>> doing parameter client ldap sasl wrapping = plain
>> doing parameter log level = 2 vfs:1
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> *****
>> ***** huge lot of these lines...
>> *****
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> open: error=2 (No such file or directory)
>> ERROR(runtime): uncaught exception - (-1073741823,
>> '{Operation Failed}
>> The requested operation was unsuccessful.')
>>     File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>>       return self.run(*args, **kwargs)
>>     File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
>> 239, in run
>>       lp, use_ntvfs=use_ntvfs)
>>     File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1609, in setsysvolacl
>>       set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>> use_ntvfs, passdb=s4_passdb)
>>     File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1502, in set_gpos_acl
>>       use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
>> service=SYSVOL_SERVICE)
>>     File "/usr/lib/python2.7/dist-packages/samba/ntacls.py",
>> line 162, in
>> setntacl
>>       smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL |
>> security.SECINFO_SACL,
>> sd, service=service)
>>
>>
>>
>

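An added example, not part of the original thread and not Samba's own code: a way to find an orphaned GPO like the one described above without patching ntacls.py, by comparing the GPO GUIDs that AD lists with the folders present under the sysvol Policies directory. It assumes `samba-tool gpo listall` prints one `GPO : {GUID}` line per record; the sample text, the test GUIDs and the temporary directory are constructed for the demonstration.

```python
import os
import re
import tempfile

# Matches the "GPO : {GUID}" line of each record (format assumed, see lead-in).
GPO_LINE = re.compile(r"^GPO\s*:\s*(\{[0-9A-Fa-f-]{36}\})\s*$", re.MULTILINE)

def guids_in_ad(listall_text):
    """GPO GUIDs that AD knows about, parsed from `samba-tool gpo listall` text."""
    return {g.upper() for g in GPO_LINE.findall(listall_text)}

def guids_on_disk(policies_dir):
    """GPO folders actually present under <sysvol>/<domain>/Policies."""
    return {name.upper() for name in os.listdir(policies_dir)
            if name.startswith("{") and os.path.isdir(os.path.join(policies_dir, name))}

def compare(listall_text, policies_dir):
    """Return (in AD but no folder, folder but not in AD), both sorted."""
    ad, disk = guids_in_ad(listall_text), guids_on_disk(policies_dir)
    return sorted(ad - disk), sorted(disk - ad)

# Constructed sample: two default GPOs plus one made-up test GPO.
SAMPLE_LISTALL = """\
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy

GPO          : {11111111-2222-3333-4444-555555555555}
display name : Test GPO
"""

def demo():
    """Build a throwaway Policies tree missing the test GPO and compare."""
    with tempfile.TemporaryDirectory() as policies:
        for guid in ("{31B2F340-016D-11D2-945F-00C04FB984F9}",
                     "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
                     "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"):
            os.mkdir(os.path.join(policies, guid))
        return compare(SAMPLE_LISTALL, policies)

if __name__ == "__main__":
    orphaned, unreferenced = demo()
    print("In AD, missing from sysvol:", orphaned)
    print("In sysvol, unknown to AD:  ", unreferenced)
```

On a real DC, pass the captured output of `samba-tool gpo listall` and the Policies directory under the sysvol path from smb.conf to `compare()`; a GUID in the first list is a candidate for the missing-file error.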


