[Samba] GPO incomplete / missing -> samba-tool crash

Kees van Vloten keesvanvloten at gmail.com
Mon Jan 10 16:53:37 UTC 2022


Hi team,

I am running 4.15.3 (from Louis') on Bullseye.
I have no clue how I got here, but the question is: how to get it fixed?

It looks like there is a policy defined in LDAP that does not exist on 
the filesystem; in any case, it makes samba-tool crash:

samba-tool ntacl sysvolcheck
ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
     provision.checksysvolacl(samdb, netlogon, sysvol,
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
     fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
     attribute = samba.xattr_native.wrap_getxattr(file

samba-tool ntacl sysvolreset
Could not find opname rename, logging all
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
Could not find opname rename, logging all
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
     provision.setsysvolacl(samdb, netlogon, sysvol,
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1641, in set_gpos_acl
     set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1604, in set_dir_acl
     setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in setntacl
     smbd.set_nt_acl(


samba-tool gpo listall
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\samdom.net\sysvol\samdom.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net
version      : 0
flags        : NONE

GPO          : {75991237-941B-47B9-AF67-853781EA44B3}
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 477, in run
     self.outf.write("display name : %s\n" % m['displayName'][0])

The policy '{75991237-941B-47B9-AF67-853781EA44B3}' is not available on 
the filesystem (/var/lib/sysvol/samdom.net/Policies).
When I try to remove it, it tells me:

samba-tool gpo del '{75991237-941B-47B9-AF67-853781EA44B3}'
ERROR: GPO '{75991237-941B-47B9-AF67-853781EA44B3}' does not exist


Strace shows that 'samba-tool ntacl sysvolcheck' also fails on the same 
non-existing file:

strace samba-tool ntacl sysvolcheck
<removed lots of output>

getxattr("/var/lib/samba/sysvol/samdom.net/Policies/{75991237-941B-47B9-AF67-853781EA44B3}", "security.NTACL", NULL, 0) = -1 ENOENT (No such file or directory)
write(2, "ERROR(<class 'TypeError'>): unca"..., 82ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
) = 82

<removed rest of output>

How to fix this issue?

- Kees
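
Added example (not part of the original post and not Samba's own code): a read-only check that compares the GPO containers stored in LDAP with the GUID directories under the sysvol Policies directory, and flags containers without a displayName, the attribute on which the `gpo listall` traceback above raises KeyError. The ldbsearch invocation in the comment, the sam.ldb path and the function names are assumptions; the LDIF and the directory layout are constructed sample data.

```python
import os
import re
import tempfile

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Constructed sample shaped like ldbsearch output; assumed invocation:
#   ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=Policies,CN=System,DC=samdom,DC=net' \
#     '(objectClass=groupPolicyContainer)' cn displayName
SAMPLE_LDIF = """\
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
displayName: Default Domain Controllers Policy

dn: CN={75991237-941B-47B9-AF67-853781EA44B3},CN=Policies,CN=System,DC=samdom,DC=net
cn: {75991237-941B-47B9-AF67-853781EA44B3}
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    text = re.sub(r"\n ", "", text)  # unfold wrapped LDIF lines
    records = []
    for block in re.split(r"\n\s*\n", text):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                attr, value = line.split(": ", 1)
                rec.setdefault(attr.lower(), []).append(value)
        if "dn" in rec:
            records.append(rec)
    return records

def audit_gpos(ldif_text, policies_dir):
    """Read-only comparison of LDAP GPO containers with sysvol GUID directories."""
    ldap = {r["cn"][0].upper(): r for r in parse_ldif(ldif_text)
            if GUID_RE.match(r.get("cn", [""])[0])}
    disk = {d.upper() for d in os.listdir(policies_dir)
            if GUID_RE.match(d) and os.path.isdir(os.path.join(policies_dir, d))}
    return {"missing_on_disk": sorted(set(ldap) - disk),
            "missing_in_ldap": sorted(disk - set(ldap)),
            "no_display_name": sorted(g for g, r in ldap.items() if "displayname" not in r)}

def demo():
    with tempfile.TemporaryDirectory() as root:  # stands in for the Policies directory
        os.mkdir(os.path.join(root, "{6AC1786C-016F-11D2-945F-00C04FB984F9}"))
        os.mkdir(os.path.join(root, "{00000000-0000-0000-0000-000000000001}"))  # constructed
        return audit_gpos(SAMPLE_LDIF, root)

if __name__ == "__main__":
    print(demo())
```

On a real domain controller, audit_gpos() would take the captured ldbsearch output and the Policies path seen in the strace output (/var/lib/samba/sysvol/samdom.net/Policies); it only reads and changes nothing.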



