[Samba] Fwd: GPO incomplete / missing -> samba-tool crash

Kees van Vloten keesvanvloten at gmail.com
Mon Jan 10 17:53:21 UTC 2022


On 10-01-2022 18:32, Rowland Penny via samba wrote:
> On Mon, 2022-01-10 at 18:23 +0100, Kees van Vloten via samba wrote:
>> On 10-01-2022 18:10, Rowland Penny via samba wrote:
>>> On Mon, 2022-01-10 at 18:04 +0100, Kees van Vloten via samba wrote:
>>>> On 10-01-2022 17:59, David Mulder via samba wrote:
>>>>> Check in adsi under CN=Policies,CN=System. You probably have
>>>>> the
>>>>> policy listed there in ldap still, which I assume needs to be
>>>>> removed.
>>>>> It'll be called CN={75991237-941B-47B9-AF67-853781EA44B3}
>>>> Thanks David!
>>>>
>>>> I have no Windows machine at hand, will 'ldb*' do the same?
>>> Yes it would, but if you have another DC and if it is still there,
>>> you
>>> could sync it back.
>>>
>>> Rowland
>>>
>>>
>>>
>> I have 2 DCs and it is gone on both. I guess the automatic sync did
>> what
>> it is supposed to do :-) .
>> I am using the osync solution from wiki:
>> https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround.
>>
>> Since I have the default policies only at the moment, I am a bit
>> puzzled
>> what happened, since there are still 2 policies on the filesystem
>> but
>> indeed 3 in LDAP in 'CN=Policies,CN=System,DC=samdom,DC=net'.
>>
>> Would there be any way to find a clue what the 3rd was?
> Possibly, if it is using a standard GUID, but this is unlikely.
>
> You are going to have to remove it from AD, not entirely sure how.
> Do you have a backup you could obtain it from ?
>
> Rowland
>
Nope, there is no backup yet, as I am still busy setting up these systems.
That implies that there is no serious harm done, it just should not have 
happened. I will try to remove the entries with ldbdel and then run the 
sysvolcheck and sysvolreset again.

I do have a feature request: samba-tool does not react nicely to this 
situation. Either it crashes hard without a decent error message or (on 
delete) it tells me the policy does not exist (which is only partially 
true). Would be nice to have better error handling and in the case of 
the delete to just remove the remaining parts of the policy. What 
would be the best way to address this? Create a bug?

- Kees
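
The mismatch discussed in this thread (3 policy objects in LDAP, 2 policy directories on the filesystem) can be checked with a short script. This is an added example, not code from the thread or from Samba: it assumes the contents of `CN=Policies,CN=System` have been dumped as LDIF text (for instance with one of the `ldb*` tools) and that the path of the SysVol `Policies` directory is known. The function names and the sample data are constructed for illustration; the third policy's `displayName` is a placeholder.

```python
import re
from pathlib import Path

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Match only the policy container itself, not its CN=User / CN=Machine children.
GPC_DN = re.compile(rf"^dn: CN=({GUID}),CN=Policies,CN=System,", re.I | re.M)
NAME = re.compile(r"^displayName: (.*)$", re.M)

# Constructed sample LDIF; the second DN is folded, as LDIF allows for long lines.
SAMPLE_LDIF = """\
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net
displayName: Default Domain Policy

dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=Sys
 tem,DC=samdom,DC=net
displayName: Default Domain Controllers Policy

dn: CN=User,CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net

dn: CN={75991237-941B-47B9-AF67-853781EA44B3},CN=Policies,CN=System,DC=samdom,DC=net
displayName: constructed-policy-name
"""

def ldap_gpos(ldif):
    """Map GUID -> displayName for every policy container in an LDIF dump."""
    text = re.sub(r"\r?\n ", "", ldif)  # unfold LDIF continuation lines
    gpos = {}
    for record in re.split(r"\n\s*\n", text):
        dn = GPC_DN.search(record)
        if dn:
            name = NAME.search(record)
            gpos[dn.group(1).upper()] = name.group(1) if name else ""
    return gpos

def sysvol_gpos(policies_dir):
    """GUID-named directories under the SysVol Policies directory."""
    return {p.name.upper() for p in Path(policies_dir).iterdir()
            if p.is_dir() and re.fullmatch(GUID, p.name)}

def compare(ldap, sysvol):
    """Report policies that exist on only one side."""
    return {"ldap_only": {g: n for g, n in sorted(ldap.items()) if g not in sysvol},
            "sysvol_only": sorted(sysvol - ldap.keys())}
```

An entry under `ldap_only` is a policy object with no files behind it, and its `displayName` gives a hint about what the policy was; an entry under `sysvol_only` is a directory with no LDAP object.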



