[Samba] Migrate GPO policies does not work properly.

Csorba Róbert csorbarobert at darabanth.com
Wed Jul 22 08:54:00 UTC 2020 

Hi!

Sorry my late answer. I did run the sysvolcheck/reset commands and 
everything seems fine.

On my server I use the following rpm packages, installed from the 
tranquil.it repository.

ldb-tools.x86_64 2.0.10-1.el7                   @samba_custom
libldb.x86_64                       2.0.10-1.el7 @samba_custom
libldb-devel.x86_64                 2.0.10-1.el7 @samba_custom
libsmbclient.x86_64                 4.11.9-3.el7 @samba_custom
libtalloc.x86_64                    2.2.0-1.el7 @samba_custom
libtalloc-devel.x86_64              2.2.0-1.el7 @samba_custom
libtdb.x86_64                       1.4.2-2.el7 @samba_custom
libtdb-devel.x86_64                 1.4.2-2.el7 @samba_custom
libtevent.x86_64                    0.10.0-1.el7 @samba_custom
libtevent-devel.x86_64              0.10.0-1.el7 @samba_custom
libwbclient.x86_64                  4.11.9-3.el7 @samba_custom
python3-ldb.x86_64                  2.0.10-1.el7 @samba_custom
python3-samba.x86_64                4.11.9-3.el7 @samba_custom
python3-samba-dc.x86_64             4.11.9-3.el7 @samba_custom
python3-talloc.x86_64               2.2.0-1.el7 @samba_custom
python3-tdb.x86_64                  1.4.2-2.el7 @samba_custom
python3-tevent.x86_64               0.10.0-1.el7 @samba_custom
samba.x86_64                        4.11.9-3.el7 @samba_custom
samba-client.x86_64                 4.11.9-3.el7 @samba_custom
samba-client-libs.x86_64            4.11.9-3.el7 @samba_custom
samba-common.noarch                 4.11.9-3.el7 @samba_custom
samba-common-libs.x86_64            4.11.9-3.el7 @samba_custom
samba-common-tools.x86_64           4.11.9-3.el7 @samba_custom
samba-dc.x86_64                     4.11.9-3.el7 @samba_custom
samba-dc-libs.x86_64                4.11.9-3.el7 @samba_custom
samba-libs.x86_64                   4.11.9-3.el7 @samba_custom
samba-winbind.x86_64                4.11.9-3.el7 @samba_custom
samba-winbind-clients.x86_64        4.11.9-3.el7 @samba_custom
samba-winbind-modules.x86_64        4.11.9-3.el7 @samba_custom
tdb-tools.x86_64                    1.4.2-2.el7 @samba_custom

I use the following comand to migrate my GPO policies.

samba-tool gpo restore /BACKUP_PATH  -U Administrator --password 
PASSWORD --tmpdir=/TMP_DIR -d 4

A got some warnings in a  few policies.

Traceback (most recent call last):
   File "/usr/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 
1362, in restore_from_backup_to_local_dir
     parser.load_xml(ET.fromstring(dtd_header + data))
   File "/usr/lib64/python3.6/site-packages/samba/gp_parse/gp_pol.py", 
line 80, in load_xml
     entry.data = (u'\x00'.join(values) + u'\x00\x00').encode('utf-16le')
TypeError: sequence item 0: expected str instance, NoneType found
WARNING: Error during parsing for 
/var/tmp/samba_gpo_backup/policy/Windows8-10_Global_Policy/Machine/Registry.pol.xml
WARNING: Falling back to simple copy-restore.
WARNING: No such parser for comment.cmtx
WARNING: Falling back to simple copy-restore.
WARNING: No such parser for Services.xml
WARNING: Falling back to simple copy-restore.
WARNING: No such parser for Registry.xml
WARNING: Falling back to simple copy-restore.

Traceback (most recent call last):
   File "/usr/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 
1362, in restore_from_backup_to_local_dir
     parser.load_xml(ET.fromstring(dtd_header + data))
   File "/usr/lib64/python3.6/xml/etree/ElementTree.py", line 1314, in XML
     parser.feed(text)
   File "<string>", line None
xml.etree.ElementTree.ParseError: undefined entity: line 16, column 21
WARNING: Error during parsing for 
/var/tmp/samba_gpo_backup/policy/msgReceiverDefault_Policy/Machine/Microsoft/Windows 
NT/SecEdit/GptTmpl.inf.xml
WARNING: Falling back to simple copy-restore.

But most of them, are successfully imported.

How can I add gplink?

Best,

Robert

2020. 07. 20. 15:16 keltezéssel, Denis Cardon írta:
> Hi Robert,
>
> Le 20/07/2020 à 13:28, Csorba Róbert via samba a écrit :
>> Hi,
>>
>> I migrated from my the main domain controller.I use Centos 7 server 
>> with tranquilrepository.
>>
>> The destination server is a test enviorement with different domain 
>> name but the same system specifications.
>>
>> I can browse the sysvol network share without any problem.
>>
>> If i want to check the sam.ldb file on the test server I got these 
>> errors.
>>
>> WARNING:Module [samba_dsdb] not found - do you need to set 
>> LDB_MODULES_PATH?
>> Unable to load modules for /var/lib/samba/private/sam.ldb:(null)
>> Failed to connect to /var/lib/samba/private/sam.ldb - (null)
>
> you can add this export to your .bashrc file:
>
> export LDB_MODULES_PATH=/usr/lib64/samba/ldb
>
> What are you trying to check?
>
> Did you add the gplink after migration? Did you run a ntacl 
> sysvolcheck/reset?
>
> Denis
>
>
>>
>> Best,
>>
>> Robert
>>
>> 2020. 07. 17. 15:11 keltezéssel, Rowland penny via samba írta:
>>> On 17/07/2020 14:00, Csorba Róbert via samba wrote:
>>>> Hi,
>>>>
>>>> I successfully migrated my GPO policies in a new installation of 
>>>> domain controller.
>>> Where did you migrate them from and to where ?
>>>>
>>>> After I joined a Windows 10 machine to the domain the gpupdate 
>>>> /force command printed this errors all of my policies.
>>>>
>>>> filtering not applied (empty)
>>> Sounds like a permission problem
>>>>
>>>> On the server side everything looks fine. I checked the tdb files 
>>>> under the /var/lib/samba/private/sam.ldb.d/ folder.
>>>
>>> Please do not do that, if you want to check the database, only check 
>>> /var/lib/samba/private/sam.ldb
>>>
>>> Rowland
>>>
>>>
>>>
>>>
>>>

More information about the samba mailing list