[Samba] GPO incomplete / missing -> samba-tool crash

Rowland Penny rpenny at samba.org
Mon Jan 10 17:06:58 UTC 2022


On Mon, 2022-01-10 at 17:53 +0100, Kees van Vloten via samba wrote:
> Hi team,
> 
> I am running 4.15.3 (from Louis') on Bullseye.
> I have no clue how I got here, but the question is: how to get it
> fixed?
> 
> It looks like there is a policy defined in LDAP that does not exist on
> the filesystem, in any case it makes samba-tool crash:
> 
> samba-tool ntacl sysvolcheck
> ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
>      provision.checksysvolacl(samdb, netlogon, sysvol,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
>      check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
>      check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
>      fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>    File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
>      attribute = samba.xattr_native.wrap_getxattr(file
> 
> samba-tool ntacl sysvolreset
> Could not find opname rename, logging all
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
>      provision.setsysvolacl(samdb, netlogon, sysvol,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1641, in set_gpos_acl
>      set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1604, in set_dir_acl
>      setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
>    File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in setntacl
>      smbd.set_nt_acl(
> 
> 
> samba-tool gpo listall
> GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
> display name : Default Domain Controllers Policy
> path         : \\samdom.net\sysvol\samdom.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
> dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net
> version      : 0
> flags        : NONE
> 
> GPO          : {75991237-941B-47B9-AF67-853781EA44B3}
> ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 477, in run
>      self.outf.write("display name : %s\n" % m['displayName'][0])
> 
> The policy '{75991237-941B-47B9-AF67-853781EA44B3}' is not available on
> the filesystem (/var/lib/sysvol/samdom.net/Policies).
> When I try to remove it, it tells me:
> 
> samba-tool gpo del '{75991237-941B-47B9-AF67-853781EA44B3}'
> ERROR: GPO '{75991237-941B-47B9-AF67-853781EA44B3}' does not exist
> 
> 
> Strace shows that 'samba-tool ntacl sysvolcheck' also fails on the same
> non-existing file:
> 
> strace samba-tool ntacl sysvolcheck
> <removed lots of output>
> 
> getxattr("/var/lib/samba/sysvol/samdom.net/Policies/{75991237-941B-47B9-AF67-853781EA44B3}", "security.NTACL", NULL, 0) = -1 ENOENT (No such file or directory)
> write(2, "ERROR(<class 'TypeError'>): unca"..., 82ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
> ) = 82
> 
> <removed rest of output>
> 
> How to fix this issue?

GPOs are stored in two places: in AD at
'CN=Policies,CN=System,DC=samdom,DC=net' and in Sysvol at
'/var/lib/samba/sysvol/samdom.net/Policies'.
It looks like it is still in AD, but has been deleted on disk.

Rowland
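
The AD/Sysvol mismatch described in the reply above can be confirmed by comparing the two stores. The following is an added example, not part of the original thread and not Samba's own code: it parses LDIF text of the kind an LDAP search of the Policies container returns (including folded lines) and compares the GPO GUIDs with the directories under the Sysvol Policies path. The sample LDIF is constructed from the two GUIDs in the post, and all function names are hypothetical.

```python
import os
import re
import tempfile

# A GPO container DN starts with CN={GUID}; child objects (CN=User,...) do not.
GUID_RE = re.compile(
    r"CN=(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}),", re.IGNORECASE)

# Constructed sample: LDIF for the Policies container, with long DNs folded.
SAMPLE_LDIF = """\
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,
 DC=net

dn: CN={75991237-941B-47B9-AF67-853781EA44B3},CN=Policies,CN=System,DC=samdom,
 DC=net

dn: CN=User,CN={75991237-941B-47B9-AF67-853781EA44B3},CN=Policies,CN=System,DC
 =samdom,DC=net
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def gpo_guids_from_ldif(text):
    """Return the upper-cased GUIDs of GPO container objects found in the LDIF."""
    guids = set()
    for line in unfold_ldif(text):
        if line.lower().startswith("dn: "):
            m = GUID_RE.match(line[4:].strip())
            if m:
                guids.add(m.group(1).upper())
    return guids

def gpo_guids_on_disk(policies_dir):
    """Return the upper-cased names of {GUID} directories under Policies."""
    return {n.upper() for n in os.listdir(policies_dir)
            if n.startswith("{") and os.path.isdir(os.path.join(policies_dir, n))}

def compare(ldif_text, policies_dir):
    """Return (in AD but missing on disk, on disk but missing in AD)."""
    ad, disk = gpo_guids_from_ldif(ldif_text), gpo_guids_on_disk(policies_dir)
    return sorted(ad - disk), sorted(disk - ad)

def demo():
    # Constructed layout: only the Default Domain Controllers Policy exists on disk.
    with tempfile.TemporaryDirectory() as policies:
        os.mkdir(os.path.join(policies, "{6AC1786C-016F-11D2-945F-00C04FB984F9}"))
        return compare(SAMPLE_LDIF, policies)
```

On a real DC the first argument would be the saved LDIF of the Policies container and the second the Sysvol Policies directory named in the reply.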




