[Samba] Online backup results using 4.10.2

Tim Beale timbeale at catalyst.net.nz
Fri Apr 12 05:51:11 UTC 2019 

Hi James,

I'm glad you managed to work past this problem.

In general, I've been thinking that the backup tool should really be
updated to:
- clearly log what sysvol file is causing it problems, and
- have an option for skipping any files it doesn't have permissions for.

That would make this sort of problem much easier to deal with. But it's
just a matter of finding the time to implement this.

Thanks,
Tim

On 12/04/19 5:52 AM, James Atwell via samba wrote:
> Hello,
>
>     I would like to share some info on how I was able to successfully
> run an online backup after several failed attempts. I would constantly
> get the following error when attempting to run an online backup.
>
> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A
> process has requested access to an object but has not been granted
> those access rights.')
>
> Looking through the list, I seen  a post by Tim that led me to resolve
> the issue.
>
> https://lists.samba.org/archive/samba/2019-January/220361.html
>
>  He indicated the issue was due to ACL rights on a sysvol object. 
> Running samba-tool sysvolreset did not resolve the issue.  I decided
> to increase the log level per Tim to 3.
>
> I opened two SSH connections to my DC and tailed the samba log(tail -f
> /usr/local/samba/var/log.samba) on one. The other I ran the online
> backup command with log level 5( -d5)
>
> I could see on the SSH I was tailing, the GPO of the unique ID
> throwing the error as soon as the online backup command failed.
> Logging into Group Policy Management(RSAT) I was able to identify the
> GPO  in the details pane by verifying the unique ID.  The GPO was
> created years ago. I wanted to try and set(samba-tool ntacl set) the
> ACL on this object, but didn't know what the default should be. I
> decided to delete the GPO seeing as it was no longer in use and not
> needed.
>
> Deleting the GPO allowed for the online backup to succeed without
> error. It would be nice if someone could post what the default ACL
> should be, in hopes of  resolving this issue in the future where I may
> actually need to keep the GPO.
>
> I did decide to get the ACL on the offending GPO in hopes someone with
> more knowledge then I could possibly spot the issue. See below.
>
>
> root at pfdc1:~# samba-tool ntacl get
> /usr/local/samba/var/locks/sysvol/domain.local/Policies/{AB0F05DC-D6EB-44B3-BED1-3E2F19F9A9AC}
>
> lp_load_ex: refreshing parameters
>
> Initialising global parameters
>
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>
> Processing section "[global]"
>
> Processing section "[netlogon]"
>
> Processing section "[sysvol]"
>
> Processing section "[backup$]"
>
> Initialising default vfs hooks
>
> Initialising custom vfs hooks from [/[Default VFS]/]
>
> Initialising custom vfs hooks from [acl_xattr]
>
> load_module_absolute_path: Module
> '/usr/local/samba/lib/vfs/acl_xattr.so' loaded
>
> Initialising custom vfs hooks from [dfs_samba4]
>
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service Unknown Service (snum
> == -1)
>
> security_descriptor: struct security_descriptor
>
> revision: SECURITY_DESCRIPTOR_REVISION_1 (1)
>
> type: 0x9114 (37140)
>
> 0: SEC_DESC_OWNER_DEFAULTED
>
> 0: SEC_DESC_GROUP_DEFAULTED
>
> 1: SEC_DESC_DACL_PRESENT
>
> 0: SEC_DESC_DACL_DEFAULTED
>
> 1: SEC_DESC_SACL_PRESENT
>
> 0: SEC_DESC_SACL_DEFAULTED
>
> 0: SEC_DESC_DACL_TRUSTED
>
> 0: SEC_DESC_SERVER_SECURITY
>
> 1: SEC_DESC_DACL_AUTO_INHERIT_REQ
>
> 0: SEC_DESC_SACL_AUTO_INHERIT_REQ
>
> 0: SEC_DESC_DACL_AUTO_INHERITED
>
> 0: SEC_DESC_SACL_AUTO_INHERITED
>
> 1: SEC_DESC_DACL_PROTECTED
>
> 0: SEC_DESC_SACL_PROTECTED
>
> 0: SEC_DESC_RM_CONTROL_VALID
>
> 1: SEC_DESC_SELF_RELATIVE
>
> owner_sid: *
>
> owner_sid: S-1-5-21-940051827-2291820289-3341758437-512
>
> group_sid: *
>
> group_sid: S-1-5-21-940051827-2291820289-3341758437-512
>
> sacl: NULL
>
> dacl: *
>
> dacl: struct security_acl
>
> revision: SECURITY_ACL_REVISION_ADS (4)
>
> size: 0x00c4 (196)
>
> num_aces: 0x00000007 (7)
>
> aces: ARRAY(7)
>
> aces: struct security_ace
>
> type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>
> flags: 0x03 (3)
>
> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>
> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>
> 0: SEC_ACE_FLAG_INHERIT_ONLY
>
> 0: SEC_ACE_FLAG_INHERITED_ACE
>
> 0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
>
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>
> 0: SEC_ACE_FLAG_FAILED_ACCESS
>
> size: 0x0024 (36)
>
> access_mask: 0x001f01ff (2032127)
>
> object: union security_ace_object_ctr(case 0)
>
> trustee: S-1-5-21-940051827-2291820289-3341758437-512
>
> aces: struct security_ace
>
> type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>
> flags: 0x03 (3)
>
> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>
> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>
> 0: SEC_ACE_FLAG_INHERIT_ONLY
>
> 0: SEC_ACE_FLAG_INHERITED_ACE
>
> 0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
>
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>
> 0: SEC_ACE_FLAG_FAILED_ACCESS
>
> size: 0x0024 (36)
>
> access_mask: 0x001f01ff (2032127)
>
> object: union security_ace_object_ctr(case 0)
>
> trustee: S-1-5-21-940051827-2291820289-3341758437-519
>
> aces: struct security_ace
>
> type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>
> flags: 0x0b (11)
>
> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>
> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>
> 1: SEC_ACE_FLAG_INHERIT_ONLY
>
> 0: SEC_ACE_FLAG_INHERITED_ACE
>
> 0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>
> 0: SEC_ACE_FLAG_FAILED_ACCESS
>
> size: 0x0014 (20)
>
> access_mask: 0x001f01ff (2032127)
>
> object: union security_ace_object_ctr(case 0)
>
> trustee: S-1-3-0
>
> aces: struct security_ace
>
> type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>
> flags: 0x03 (3)
>
> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>
> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>
> 0: SEC_ACE_FLAG_INHERIT_ONLY
>
> 0: SEC_ACE_FLAG_INHERITED_ACE
>
> 0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
>
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>
> 0: SEC_ACE_FLAG_FAILED_ACCESS
>
> size: 0x0024 (36)
>
> access_mask: 0x001f01ff (2032127)
>
> object: union security_ace_object_ctr(case 0)
>
> trustee: S-1-5-21-940051827-2291820289-3341758437-512
>
> aces: struct security_ace
>
> type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>
> flags: 0x03 (3)
>
> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>
> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>
> 0: SEC_ACE_FLAG_INHERIT_ONLY
>
> 0: SEC_ACE_FLAG_INHERITED_ACE
>
> 0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
>
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>
> 0: SEC_ACE_FLAG_FAILED_ACCESS
>
> size: 0x0014 (20)
>
> access_mask: 0x001f01ff (2032127)
>
> object: union security_ace_object_ctr(case 0)
>
> trustee: S-1-5-18
>
> aces: struct security_ace
>
> type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>
> flags: 0x03 (3)
>
> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>
> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>
> 0: SEC_ACE_FLAG_INHERIT_ONLY
>
> 0: SEC_ACE_FLAG_INHERITED_ACE
>
> 0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
>
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>
> 0: SEC_ACE_FLAG_FAILED_ACCESS
>
> size: 0x0014 (20)
>
> access_mask: 0x001200a9 (1179817)
>
> object: union security_ace_object_ctr(case 0)
>
> trustee: S-1-5-9
>
> aces: struct security_ace
>
> type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>
> flags: 0x03 (3)
>
> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>
> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>
> 0: SEC_ACE_FLAG_INHERIT_ONLY
>
> 0: SEC_ACE_FLAG_INHERITED_ACE
>
> 0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
>
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>
> 0: SEC_ACE_FLAG_FAILED_ACCESS
>
> size: 0x0014 (20)
>
> access_mask: 0x001200a9 (1179817)
>
> object: union security_ace_object_ctr(case 0)
>
> trustee: S-1-5-11
>
>
>
> --James
>

More information about the samba mailing list