[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
Ing. Claudio Nicora
claudio.nicora at gmail.com
Mon Jul 23 15:17:07 UTC 2018
I've added a "print" in file
"/usr/lib/python2.7/dist-packages/samba/ntacls.py" just before the line
raising the error to log the (missing) file causing the error.
I've found I had an orphaned GPO: it was shown in RSAT but didn't have
any file in sysvol folder on both DCs.
Just removed it from AD (it was only a test GPO) and the error disappeared.
I've posted my smb.conf in a reply to Louis Van Belle; I hope you can see
what's causing the many "idmap range not specified for domain '*'" lines.
Thanks
Claudio
On 23/07/2018 16:59, Rowland Penny via samba wrote:
> On Mon, 23 Jul 2018 16:30:11 +0200
> "Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote:
>
>> When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC
>> I get the error:
>>
>> ---
>> ERROR(runtime): uncaught exception - (-1073741823, '{Operation
>> Failed} The requested operation was unsuccessful.')
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
>> line 239, in run
>> lp, use_ntvfs=use_ntvfs)
>> File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
>> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>> File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True,
>> passdb=passdb, service=SYSVOL_SERVICE)
>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
>> in setntacl
>> smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL |
>> security.SECINFO_SACL, sd, service=service)
>> ---
>>
>> AFAIK this error is thrown when the script tries to set an NT
>> permission on a missing file;
>> it usually happens when a new GPO is created on the primary DC and
>> it's not yet replicated to other DCs, since sysvolreset uses AD to
>> find defined GPO items.
> When you join another DC, you get virtually nothing in sysvol, you need
> to sync it manually, but when a GPO is added it is not only stored in
> sysvol, it is also stored in AD. When you use sysvolreset, it is the
> GPOs stored in AD that are found first and then these are used to
> 'walk' sysvol, so if they exist in AD and not in sysvol, you get an
> error.
>
> There are several lines in the output I do not understand, so can you
> post your smb.conf.
> I would also double check just what is in sysvol on both machines.
>
> Rowland
>
>> That said, I've cleaned up the whole sysvol folder on secondary DC,
>> rsync'ed all its content from primary DC then rerun sysvolreset: same
>> error. I've also run sysvolreset on the primary DC as well, and again
>> I've got the same error.
>>
>> So now I suppose there's something wrong in AD, like an "orphaned"
>> GPO. How do I know which GPO file is causing the error? (running
>> samba-tool with "-d 10" parameter gives no clue).
>>
>> Full output (same on both DCs):
>> -------------------------------
>>
>> # samba-tool ntacl sysvolreset -d 10
>> INFO: Current debug levels:
>> all: 10
>> tdb: 10
>> printdrivers: 10
>> lanman: 10
>> smb: 10
>> rpc_parse: 10
>> rpc_srv: 10
>> rpc_cli: 10
>> passdb: 10
>> sam: 10
>> auth: 10
>> winbind: 10
>> vfs: 10
>> idmap: 10
>> quota: 10
>> acls: 10
>> locking: 10
>> msdfs: 10
>> dmapi: 10
>> registry: 10
>> scavenger: 10
>> dns: 10
>> ldb: 10
>> tevent: 10
>> auth_audit: 10
>> auth_json_audit: 10
>> kerberos: 10
>> drs_repl: 10
>> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> pm_process() returned Yes
>> Security token SIDs (1):
>> SID[ 0]: S-1-5-18
>> Privileges (0xFFFFFFFFFFFFFFFF):
>> Privilege[ 0]: SeMachineAccountPrivilege
>> Privilege[ 1]: SeTakeOwnershipPrivilege
>> Privilege[ 2]: SeBackupPrivilege
>> Privilege[ 3]: SeRestorePrivilege
>> Privilege[ 4]: SeRemoteShutdownPrivilege
>> Privilege[ 5]: SePrintOperatorPrivilege
>> Privilege[ 6]: SeAddUsersPrivilege
>> Privilege[ 7]: SeDiskOperatorPrivilege
>> Privilege[ 8]: SeSecurityPrivilege
>> Privilege[ 9]: SeSystemtimePrivilege
>> Privilege[ 10]: SeShutdownPrivilege
>> Privilege[ 11]: SeDebugPrivilege
>> Privilege[ 12]: SeSystemEnvironmentPrivilege
>> Privilege[ 13]: SeSystemProfilePrivilege
>> Privilege[ 14]: SeProfileSingleProcessPrivilege
>> Privilege[ 15]: SeIncreaseBasePriorityPrivilege
>> Privilege[ 16]: SeLoadDriverPrivilege
>> Privilege[ 17]: SeCreatePagefilePrivilege
>> Privilege[ 18]: SeIncreaseQuotaPrivilege
>> Privilege[ 19]: SeChangeNotifyPrivilege
>> Privilege[ 20]: SeUndockPrivilege
>> Privilege[ 21]: SeManageVolumePrivilege
>> Privilege[ 22]: SeImpersonatePrivilege
>> Privilege[ 23]: SeCreateGlobalPrivilege
>> Privilege[ 24]: SeEnableDelegationPrivilege
>> Rights (0x 0):
>> lpcfg_servicenumber: couldn't find ldb
>> Initial schema load needed, as we have no existing schema, seq_num: 1
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> Initial schema load needed, as we have no existing schema, seq_num: 1
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>> (16384) Processing section "[global]"
>> doing parameter bind interfaces only = Yes
>> doing parameter interfaces = lo eth_lan
>> doing parameter netbios name = SRVSAMBA2
>> doing parameter realm = SAMDOM.LOCAL
>> doing parameter server role = active directory domain controller
>> doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> doing parameter workgroup = SAMDOM
>> doing parameter ldap server require strong auth = no
>> doing parameter client ldap sasl wrapping = plain
>> doing parameter log level = 2 vfs:1
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> *****
>> ***** huge lot of these lines...
>> *****
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> open: error=2 (No such file or directory)
>> ERROR(runtime): uncaught exception - (-1073741823, '{Operation
>> Failed} The requested operation was unsuccessful.')
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
>> line 239, in run
>> lp, use_ntvfs=use_ntvfs)
>> File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
>> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>> File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True,
>> passdb=passdb, service=SYSVOL_SERVICE)
>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
>> in setntacl
>> smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL |
>> security.SECINFO_SACL, sd, service=service)
>>
>>
>
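
The comparison this thread arrives at (GPOs listed in AD checked against the folders actually present in sysvol), as an added example that is not part of the original posts or of Samba's own code. It assumes the "key : value" record layout printed by `samba-tool gpo listall` and a Policies directory supplied by the caller; the sample listing, the second and third GUIDs and all function names are constructed for illustration.

```python
import os, re, tempfile

# Assumption: input looks like `samba-tool gpo listall` output ("key : value" records).
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample: only the first GUID (Default Domain Policy) is a well-known value.
SAMPLE = r"""
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.local\sysvol\samdom.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=local

GPO          : {AAAAAAAA-1111-2222-3333-444444444444}
display name : Test GPO
path         : \\samdom.local\sysvol\samdom.local\Policies\{AAAAAAAA-1111-2222-3333-444444444444}
dn           : CN={AAAAAAAA-1111-2222-3333-444444444444},CN=Policies,CN=System,DC=samdom,DC=local
"""

def parse_gpo_listall(text):
    """Map GPO GUID (upper-cased) -> display name."""
    gpos, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "gpo" and GUID_RE.match(value):
            current = value.upper()
            gpos[current] = ""
        elif key == "display name" and current:
            gpos[current] = value
    return gpos

def find_orphans(ad_gpos, policies_dir):
    """Return (GPOs in AD with no sysvol folder, sysvol folders with no AD object)."""
    on_disk = {d.upper() for d in os.listdir(policies_dir)
               if GUID_RE.match(d) and os.path.isdir(os.path.join(policies_dir, d))}
    return sorted(g for g in ad_gpos if g not in on_disk), sorted(on_disk - set(ad_gpos))

def demo():
    """Throwaway Policies tree: the Test GPO folder is missing, one folder is extra."""
    with tempfile.TemporaryDirectory() as policies:
        os.mkdir(os.path.join(policies, "{31B2F340-016D-11D2-945F-00C04FB984F9}"))
        os.mkdir(os.path.join(policies, "{BBBBBBBB-1111-2222-3333-444444444444}"))
        return find_orphans(parse_gpo_listall(SAMPLE), policies)

if __name__ == "__main__":
    print(demo())
```

The first list holds the case described in this thread: a GPO that exists in AD but has no folder in sysvol. The second list is the reverse case, a leftover folder with no AD object.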