[Samba] Fwd: GPO incomplete / missing -> samba-tool crash

dmulder at samba.org dmulder at samba.org
Mon Jan 10 17:06:25 UTC 2022


Also, you could try my admin-tools adsi:
https://appimage.github.io/admin-tools/

Though I'm not sure what state it's in... I haven't tested it out recently.

On 1/10/22 10:04 AM, Kees van Vloten via samba <samba at lists.samba.org> wrote:
> On 10-01-2022 17:59, David Mulder via samba wrote:
> > Check in adsi under CN=Policies,CN=System. You probably have the 
> > policy listed there in ldap still, which I assume needs to be removed. 
> > It'll be called CN={75991237-941B-47B9-AF67-853781EA44B3}
> Thanks David!
> 
> I have no Windows machine at hand, will 'ldb*' do the same?
> 
> 
> >
> > On 1/10/22 9:53 AM, Kees van Vloten via samba <samba at lists.samba.org> 
> > wrote:
> >> Hi team,
> >>
> >> I am running 4.15.3 (from Louis') on Bullseye.
> >> I have no clue how I got here, but the question is: how to get it fixed?
> >>
> >> It looks like there is a policy defined in LDAP that does not exist 
> >> on the filesystem, in any case it makes samba-tool crashing:
> >>
> >> samba-tool ntacl sysvolcheck
> >> ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or 
> >> directory')
> >>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
> >> line 186, in _run
> >>     return self.run(*args, **kwargs)
> >>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 
> >> 443, in run
> >>     provision.checksysvolacl(samdb, netlogon, sysvol,
> >>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> >> line 1876, in checksysvolacl
> >>     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> >>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> >> line 1826, in check_gpos_acl
> >>     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
> >>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> >> line 1766, in check_dir_acl
> >>     fsacl = getntacl(lp, path, session_info, 
> >> direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
> >>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, 
> >> in getntacl
> >>     attribute = samba.xattr_native.wrap_getxattr(file
> >>
> >> samba-tool ntacl sysvolreset
> >> Could not find opname rename, logging all
> >> idmap range not specified for domain '*'
> >> idmap range not specified for domain '*'
> >> idmap range not specified for domain '*'
> >> idmap range not specified for domain '*'
> >> set_nt_acl_conn: init_files_struct failed: 
> >> NT_STATUS_OBJECT_NAME_NOT_FOUND
> >> ERROR(runtime): uncaught exception - (3221225524, 'The object name is 
> >> not found.')
> >>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
> >> line 186, in _run
> >>     return self.run(*args, **kwargs)
> >>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 
> >> 412, in run
> >>     provision.setsysvolacl(samdb, netlogon, sysvol,
> >>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> >> line 1754, in setsysvolacl
> >>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
> >> use_ntvfs, passdb=s4_passdb)
> >>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> >> line 1641, in set_gpos_acl
> >>     set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
> >>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> >> line 1604, in set_dir_acl
> >>     setntacl(lp, path, acl, domsid, session_info, 
> >> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, 
> >> service=service)
> >>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, 
> >> in setntacl
> >>     smbd.set_nt_acl(
> >>
> >>
> >> samba-tool gpo listall
> >> GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
> >> display name : Default Domain Controllers Policy
> >> path         : 
> >> \\samdom.net\sysvol\samdom.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9} 
> >>
> >> dn           : 
> >> CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net 
> >>
> >> version      : 0
> >> flags        : NONE
> >>
> >> GPO          : {75991237-941B-47B9-AF67-853781EA44B3}
> >> ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
> >>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
> >> line 186, in _run
> >>     return self.run(*args, **kwargs)
> >>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 
> >> 477, in run
> >>     self.outf.write("display name : %s\n" % m['displayName'][0])
> >>
> >> The policy '{75991237-941B-47B9-AF67-853781EA44B3}' is not available 
> >> on the filesystem (/var/lib/sysvol/samdom.net/Policies).
> >> When I try to remove it, it tells me:
> >>
> >> samba-tool gpo del '{75991237-941B-47B9-AF67-853781EA44B3}'
> >> ERROR: GPO '{75991237-941B-47B9-AF67-853781EA44B3}' does not exist
> >>
> >>
> >> Strace shows that 'samba-tool ntacl sysvolcheck' also fails on the 
> >> same non-existing file:
> >>
> >> strace samba-tool ntacl sysvolcheck
> >> <removed lots of output>
> >>
> >> getxattr("/var/lib/samba/sysvol/samdom.net/Policies/{75991237-941B-47B9-AF67-853781EA44B3}", 
> >> "security.NTACL", NULL, 0) = -1 ENOENT (No such file or directory)
> >> write(2, "ERROR(<class 'TypeError'>): unca"..., 82ERROR(<class 
> >> 'TypeError'>): uncaught exception - (2, 'No such file or directory')
> >> ) = 82
> >>
> >> <removed rest of output>
> >>
> >> How to fix this issue?
> >>
> >> - Kees
> >>
> >>
> >>
> >
> >
> 
> 
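
An added example, not part of the thread and not Samba's own code: a read-only audit that compares the GPO containers under CN=Policies,CN=System with the GUID directories under the sysvol Policies path, reporting the mismatch described above. It assumes the LDIF text was captured from an `ldbsearch` over that container; the function names and the sample LDIF are constructed for illustration, using the GUIDs and DNs quoted in the thread.

```python
import os
import re
import tempfile

# Constructed sample shaped like ldbsearch output for CN=Policies,CN=System;
# GUIDs and DNs are the ones quoted in the thread.
SAMPLE_LDIF = """\
# record 1
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,
 DC=net
displayName: Default Domain Controllers Policy

# record 2
dn: CN={75991237-941B-47B9-AF67-853781EA44B3},CN=Policies,CN=System,DC=samdom,
 DC=net

# returned 2 records
"""

def parse_gpo_ldif(ldif_text):
    """Map GPO GUID -> attributes for every record in the LDIF text."""
    gpos = {}
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        record = record.replace("\n ", "")  # unfold wrapped LDIF lines
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if not line.startswith("#") and ": " in line)
        m = re.match(r"CN=(\{[0-9A-Fa-f-]{36}\})", attrs.get("dn", ""))
        if m:
            gpos[m.group(1).upper()] = attrs
    return gpos

def audit_gpos(ldif_text, policies_dir):
    """Compare GPO containers in LDAP with GUID directories under sysvol."""
    ldap = parse_gpo_ldif(ldif_text)
    disk = {d.upper() for d in os.listdir(policies_dir)
            if d.startswith("{") and os.path.isdir(os.path.join(policies_dir, d))}
    return {
        "ldap_only": sorted(set(ldap) - disk),   # LDAP object, no directory
        "disk_only": sorted(disk - set(ldap)),   # directory, no LDAP object
        "no_display_name": sorted(g for g, a in ldap.items()
                                  if "displayName" not in a),
    }

def demo():
    """Run the audit against a temporary sysvol holding only the default GPO."""
    with tempfile.TemporaryDirectory() as policies:
        os.mkdir(os.path.join(policies, "{6AC1786C-016F-11D2-945F-00C04FB984F9}"))
        return audit_gpos(SAMPLE_LDIF, policies)

if __name__ == "__main__":
    print(demo())
```

An entry in `ldap_only` corresponds to the missing directory that `getxattr` reports as ENOENT in the strace output, and an entry in `no_display_name` to the `KeyError` raised by `samba-tool gpo listall`.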