[Samba] Fwd: GPO incomplete / missing -> samba-tool crash
Kees van Vloten
keesvanvloten at gmail.com
Mon Jan 10 17:04:42 UTC 2022
On 10-01-2022 17:59, David Mulder via samba wrote:
> Check in adsi under CN=Policies,CN=System. You probably have the
> policy listed there in ldap still, which I assume needs to be removed.
> It'll be called CN={75991237-941B-47B9-AF67-853781EA44B3}
Thanks David!
I have no Windows machine at hand, will 'ldb*' do the same?
>
> On 1/10/22 9:53 AM, Kees van Vloten via samba <samba at lists.samba.org>
> wrote:
>> Hi team,
>>
>> I am running 4.15.3 (from Louis') on Bullseye.
>> I have no clue how I got here, but the question is: how to get it fixed?
>>
>> It looks like there is a policy defined in LDAP that does not exist
>> on the filesystem; in any case it makes samba-tool crash:
>>
>> samba-tool ntacl sysvolcheck
>> ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or
>> directory')
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
>> 443, in run
>>     provision.checksysvolacl(samdb, netlogon, sysvol,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
>> line 1876, in checksysvolacl
>>     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
>> line 1826, in check_gpos_acl
>>     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
>> line 1766, in check_dir_acl
>>     fsacl = getntacl(lp, path, session_info,
>> direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112,
>> in getntacl
>>     attribute = samba.xattr_native.wrap_getxattr(file
>>
>> samba-tool ntacl sysvolreset
>> Could not find opname rename, logging all
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> set_nt_acl_conn: init_files_struct failed:
>> NT_STATUS_OBJECT_NAME_NOT_FOUND
>> ERROR(runtime): uncaught exception - (3221225524, 'The object name is
>> not found.')
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
>> 412, in run
>>     provision.setsysvolacl(samdb, netlogon, sysvol,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
>> line 1754, in setsysvolacl
>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>> use_ntvfs, passdb=s4_passdb)
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
>> line 1641, in set_gpos_acl
>>     set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
>> line 1604, in set_dir_acl
>>     setntacl(lp, path, acl, domsid, session_info,
>> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
>> service=service)
>>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228,
>> in setntacl
>>     smbd.set_nt_acl(
>>
>>
>> samba-tool gpo listall
>> GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>> display name : Default Domain Controllers Policy
>> path         :
>> \\samdom.net\sysvol\samdom.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>
>> dn           :
>> CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net
>>
>> version      : 0
>> flags        : NONE
>>
>> GPO          : {75991237-941B-47B9-AF67-853781EA44B3}
>> ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
>> 477, in run
>>     self.outf.write("display name : %s\n" % m['displayName'][0])
>>
>> The policy '{75991237-941B-47B9-AF67-853781EA44B3}' is not available
>> on the filesystem (/var/lib/sysvol/samdom.net/Policies).
>> When I try to remove it, it tells me:
>>
>> samba-tool gpo del '{75991237-941B-47B9-AF67-853781EA44B3}'
>> ERROR: GPO '{75991237-941B-47B9-AF67-853781EA44B3}' does not exist
>>
>>
>> Strace shows that 'samba-tool ntacl sysvolcheck' also fails on the
>> same non-existing file:
>>
>> strace samba-tool ntacl sysvolcheck
>> <removed lots of output>
>>
>> getxattr("/var/lib/samba/sysvol/samdom.net/Policies/{75991237-941B-47B9-AF67-853781EA44B3}",
>> "security.NTACL", NULL, 0) = -1 ENOENT (No such file or directory)
>> write(2, "ERROR(<class 'TypeError'>): unca"..., 82ERROR(<class
>> 'TypeError'>): uncaught exception - (2, 'No such file or directory')
>> ) = 82
>>
>> <removed rest of output>
>>
>> How to fix this issue?
>>
>> - Kees
>>
>>
>>
>
>