[Samba] NT_STATUS_OBJECT_NAME_NOT_FOUND

Carlos carlos.hollow at gmail.com
Tue May 25 12:55:39 UTC 2021


HI

"I am unsure, have you given all the AD groups a gidNumber ?" I dont 
understand.....


Afters minutes(1 or 2), i recevived erro:

samba-tool ntacl sysvolreset

...

...

idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is 
not found.')
   File 
"/usr/local/samba/lib/python3.8/site-packages/samba/netcmd/__init__.py", 
line 186, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python3.8/site-packages/samba/netcmd/ntacl.py", 
line 412, in run
     provision.setsysvolacl(samdb, netlogon, sysvol,
   File 
"/usr/local/samba/lib/python3.8/site-packages/samba/provision/__init__.py", 
line 1754, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
use_ntvfs, passdb=s4_passdb)
   File 
"/usr/local/samba/lib/python3.8/site-packages/samba/provision/__init__.py", 
line 1641, in set_gpos_acl
     set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
   File 
"/usr/local/samba/lib/python3.8/site-packages/samba/provision/__init__.py", 
line 1604, in set_dir_acl
     setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, 
skip_invalid_chown=True, passdb=passdb, service=service)
   File "/usr/local/samba/lib/python3.8/site-packages/samba/ntacls.py", 
line 230, in setntacl
     smbd.set_nt_acl(


----


More INFO(now):


DC 1

getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:mask::rwx
default:other::---


DC 2

getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:mask::rwx
default:other::---


------


GPO with erro Now:


DC1

getfacl 
/usr/local/samba/var/locks/sysvol/xxxx.xxxx.com.br/Policies/\{149AD731-C29D-41E7-B1D4-1DECA7DBED58\}/GPT.INI 

getfacl: Removing leading '/' from absolute path names
# file: 
usr/local/samba/var/locks/sysvol/xxxx.xxxx.com.br/Policies/{149AD731-C29D-41E7-B1D4-1DECA7DBED58}/GPT.INI
# owner: BUILTIN\\administrators
# group: users
user::rwx
user:NT\040AUTHORITY\\system:rwx
user:XXXX\\enterprise\040admins:rwx
user:XXXX\\domain\040admins:rwx
user:NT\040AUTHORITY\\enterprise\040domain\040controllers:r-x
user:XXXX\\domain\040computers:r-x
user:XXXX\\mercado_xxxx:r-x
group::---
group:users:---
group:BUILTIN\\administrators:rwx
group:NT\040AUTHORITY\\system:rwx
group:XXXX\\enterprise\040admins:rwx
group:XXXX\\domain\040admins:rwx
group:NT\040AUTHORITY\\enterprise\040domain\040controllers:r-x
group:XXXX\\domain\040computers:r-x
group:XXXX\\mercado_xxxx:r-x
mask::rwx
other::---


DC 2

getfacl 
/usr/local/samba/var/locks/sysvol/xxxx.xxxx.com.br/Policies/\{149AD731-C29D-41E7-B1D4-1DECA7DBED58\}/GPT.INI 

getfacl: Removing leading '/' from absolute path names
# file: 
usr/local/samba/var/locks/sysvol/xxxx.xxxx.com.br/Policies/{149AD731-C29D-41E7-B1D4-1DECA7DBED58}/GPT.INI
# owner: BUILTIN\\administrators
# group: users
user::rwx
user:NT\040AUTHORITY\\system:rwx
user:XXXX\\enterprise\040admins:rwx
user:XXXX\\domain\040admins:rwx
user:NT\040AUTHORITY\\enterprise\040domain\040controllers:r-x
user:XXXX\\domain\040computers:r-x
user:XXXX\\mercado_xxxx:r-x
group::---
group:users:---
group:BUILTIN\\administrators:rwx
group:NT\040AUTHORITY\\system:rwx
group:XXXX\\enterprise\040admins:rwx
group:XXXX\\domain\040admins:rwx
group:NT\040AUTHORITY\\enterprise\040domain\040controllers:r-x
group:XXXX\\domain\040computers:r-x
group:XXXX\\mercado_xxxx:r-x
mask::rwx
other::---


----


DC1

getent passwd Administrator
XXXX\administrator:*:0:100::/home/XXXX/administrator:/bin/false


DC2

getent passwd Administrator
XXXX\administrator:*:0:100::/home/XXXX/administrator:/bin/false


Regards;


Em 25/05/2021 09:44, Rowland penny via samba escreveu:
> On 25/05/2021 13:16, Carlos via samba wrote:
>> HI!
>>
>> Good morning Louis :-D
>>
>> In Samba ADDC I did not configure (I understood that I didn’t need) 
>> the nsswitch part, but I did it now in DC 1 and DC2, it seems to me 
>> that it solved, even before the ids being the same in DC1 and DC2, 
>> now it remains the same with names, but gpupdate no longer gave an 
>> error and successfully loaded the police \ o /
>>
>> But the samba-tool ntacl sysvolreset gave a different error, it was 
>> in a loop with this message "idmap range not specified for domain 
>> '*'", but im smb.conf of an ADDC if the idmap is not configured as I 
>> remember, at least I I never did it and I didn't even see it in the 
>> documentation.
>>
>> Is something else wrong now?
>
>
> Yes and no 😁
>
> You are getting that message because of a bug, you cannot use 'idmap 
> config' lines in a DC smb.conf, but there is a default line and that 
> is being picked up. You could normally ignore the error, but why 
> sysvolreset is looping around the error, I am unsure, have you given 
> all the AD groups a gidNumber ?
>
> Rowland
>
>
>



More information about the samba mailing list