RC2 error on samba-tool ntacl sysvolreset

Matthieu Patou mat at samba.org
Tue Oct 2 15:30:14 MDT 2012


On 10/02/2012 11:36 AM, Gémes Géza wrote:
> Hi,
>> Hi,
>>
>> Today I've upgraded our schools (production) Samba4 DC from 
>> BETA6_GIT_4631723 (already s3fs) to RC2
>> As stated in the whatsnew I run samba-tool ntacl sysvolreset 
>> (Previously I had some windows error messages about incorrect 
>> ownership of GPOs)
>> First I tried while samba was still stopped which gave:
>>
>> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
>> ERROR(runtime): uncaught exception - (-1073741734, 
>> 'NT_STATUS_INVALID_OWNER')
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>> line 168, in _run
>>     return self.run(*args, **kwargs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
>> line 214, in run
>>     lp, use_ntvfs=use_ntvfs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>> line 1462, in setsysvolacl
>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
>> use_ntvfs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>> line 1401, in set_gpos_acl
>>     str(domainsid), use_ntvfs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>> line 1368, in set_dir_acl
>>     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 
>> 108, in setntacl
>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | 
>> security.SECINFO_GROUP | security.SECINFO_DACL | 
>> security.SECINFO_SACL, sd)
>>
>> Thinking that without a running samba it is unable to look up 
>> names/SIDs to uids/gids (I have a working nsswitch.conf with winbind; 
>> I've copied libnss_winbind.so and libnss_wins.so to /lib/...), 
>> I've started samba.
>> Then samba-tool ntacl sysvolreset yielded:
>>
>> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
>> ERROR(runtime): uncaught exception - (-1073741734, 
>> 'NT_STATUS_INVALID_OWNER')
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>> line 168, in _run
>>     return self.run(*args, **kwargs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
>> line 214, in run
>>     lp, use_ntvfs=use_ntvfs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>> line 1462, in setsysvolacl
>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
>> use_ntvfs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>> line 1401, in set_gpos_acl
>>     str(domainsid), use_ntvfs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>> line 1368, in set_dir_acl
>>     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
>>   File 
>> "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 
>> 108, in setntacl
>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | 
>> security.SECINFO_GROUP | security.SECINFO_DACL | 
>> security.SECINFO_SACL, sd)
>>
>> which seems to be the same.
I think it goes to the same database for id mapping, running or not.
>>
>> Sorry for being such a noob, but the ntacl.py is unknown territory 
>> for me.
>>
>> Cheers
>>
>> Geza
> After some more trial and error I've decided to delete my idmap.ldb 
> (already having idmap_ldb:use rfc2307 = yes set by classicupgrade) 
> (and so I did after stopping samba). As a result the error message 
> changed into:
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get id 
> for sid
Can you alter the script so that we have an idea of which SID is 
causing the problem?
> File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 168, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
> line 201, in run
>     (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
> Which suggests an incomplete SID to xid translation. Looking at the 
> sysvol folder with getfacl:
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: adm
> # flags: -s-
> user::rwx
> user:root:rwx
> group::rwx
> group:adm:rwx
> group:3000005:r-x
> group:3000007:r-x
> group:3000008:rwx
> mask::rwx
> other::---
>
> My (local) adm group has the same gidnumber as the Domain Admins 
> group, but I don't know which groups the missing group entries 
> correspond to.
> samba-tool ntacl get /usr/local/samba/var/locks/sysvol shows:
>     security_descriptor: struct security_descriptor
>         revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
>         type                     : 0x8004 (32772)
>                0: SEC_DESC_OWNER_DEFAULTED
>                0: SEC_DESC_GROUP_DEFAULTED
>                1: SEC_DESC_DACL_PRESENT
>                0: SEC_DESC_DACL_DEFAULTED
>                0: SEC_DESC_SACL_PRESENT
>                0: SEC_DESC_SACL_DEFAULTED
>                0: SEC_DESC_DACL_TRUSTED
>                0: SEC_DESC_SERVER_SECURITY
>                0: SEC_DESC_DACL_AUTO_INHERIT_REQ
>                0: SEC_DESC_SACL_AUTO_INHERIT_REQ
>                0: SEC_DESC_DACL_AUTO_INHERITED
>                0: SEC_DESC_SACL_AUTO_INHERITED
>                0: SEC_DESC_DACL_PROTECTED
>                0: SEC_DESC_SACL_PROTECTED
>                0: SEC_DESC_RM_CONTROL_VALID
>                1: SEC_DESC_SELF_RELATIVE
>         owner_sid                : *
>             owner_sid                : S-1-22-1-0
>         group_sid                : *
>             group_sid                : 
> S-1-5-21-2107120446-224765601-1821260193-512
>         sacl                     : NULL
>         dacl                     : *
>             dacl: struct security_acl
>                 revision                 : SECURITY_ACL_REVISION_NT4 (2)
>                 size                     : 0x0118 (280)
>                 num_aces                 : 0x0000000b (11)
>                 aces: ARRAY(11)
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x00 (0)
>                                0: SEC_ACE_FLAG_OBJECT_INHERIT
>                                0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                0: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0018 (24)
>                         access_mask              : 0x001f01ff (2032127)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : S-1-22-1-0
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x00 (0)
>                                0: SEC_ACE_FLAG_OBJECT_INHERIT
>                                0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                0: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0018 (24)
>                         access_mask              : 0x001f01ff (2032127)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : S-1-22-2-3000008
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x00 (0)
>                                0: SEC_ACE_FLAG_OBJECT_INHERIT
>                                0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                0: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0018 (24)
>                         access_mask              : 0x001200a9 (1179817)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : S-1-22-2-3000007
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x00 (0)
>                                0: SEC_ACE_FLAG_OBJECT_INHERIT
>                                0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                0: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0018 (24)
>                         access_mask              : 0x001200a9 (1179817)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : S-1-22-2-3000005
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x00 (0)
>                                0: SEC_ACE_FLAG_OBJECT_INHERIT
>                                0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                0: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0024 (36)
>                         access_mask              : 0x001f01ff (2032127)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : 
> S-1-5-21-2107120446-224765601-1821260193-512
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x00 (0)
>                                0: SEC_ACE_FLAG_OBJECT_INHERIT
>                                0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                0: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0024 (36)
>                         access_mask              : 0x001f01ff (2032127)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : 
> S-1-5-21-2107120446-224765601-1821260193-512
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x00 (0)
>                                0: SEC_ACE_FLAG_OBJECT_INHERIT
>                                0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                0: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0018 (24)
>                         access_mask              : 0x001f01ff (2032127)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : S-1-22-1-0
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x00 (0)
>                                0: SEC_ACE_FLAG_OBJECT_INHERIT
>                                0: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                0: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0014 (20)
>                         access_mask              : 0x00080000 (524288)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : S-1-1-0
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x0b (11)
>                                1: SEC_ACE_FLAG_OBJECT_INHERIT
>                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                1: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0014 (20)
>                         access_mask              : 0x001e01ff (1966591)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : S-1-3-0
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x0b (11)
>                                1: SEC_ACE_FLAG_OBJECT_INHERIT
>                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                1: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0014 (20)
>                         access_mask              : 0x001200a9 (1179817)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : S-1-3-1
>                     aces: struct security_ace
>                         type                     : 
> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>                         flags                    : 0x0b (11)
>                                1: SEC_ACE_FLAG_OBJECT_INHERIT
>                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
>                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>                                1: SEC_ACE_FLAG_INHERIT_ONLY
>                                0: SEC_ACE_FLAG_INHERITED_ACE
>                             0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>                                0: SEC_ACE_FLAG_FAILED_ACCESS
>                         size                     : 0x0014 (20)
>                         access_mask              : 0x001200a9 (1179817)
>                         object                   : union 
> security_ace_object_ctr(case 0)
>                         trustee                  : S-1-1-0
>
> Thank you for any idea!
That's pretty weird. Can you do the same command but with the --as-sddl 
option?

Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org
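Added example, not part of this thread and not Samba's own code: a small read-only Python script that parses the text form of `samba-tool ntacl get` as pasted above and classifies every SID in it, which is the kind of check a defender wants before running a sysvol reset. It distinguishes domain SIDs (S-1-5-21-...-RID; RID 512 is Domain Admins) from Samba's Unix-mapping namespace (S-1-22-1-N is uid N, S-1-22-2-N is gid N) and from well-known SIDs, decodes access-mask and ACE-flag bits with the standard Windows definitions, and rejoins values that a mail client wrapped onto the next line. The sample dump is a constructed, trimmed copy of the one in the mail (two of its eleven ACEs). On it the audit flags the owner S-1-22-1-0 (uid 0) as a non-domain owner, and the ACE for gid 3000008, which matches the `group:3000008:rwx` entry in the getfacl output; the script does not touch the idmap database or the filesystem, so which of those is the root cause is still what the --as-sddl output would show.

```python
import re

# Constructed sample: a trimmed copy of the `samba-tool ntacl get` dump from the
# thread (2 of its 11 ACEs), with two values wrapped onto the next line as mailed.
SAMPLE_DUMP = """\
security_descriptor: struct security_descriptor
    owner_sid                : *
        owner_sid                : S-1-22-1-0
    group_sid                : *
        group_sid                :
S-1-5-21-2107120446-224765601-1821260193-512
    dacl                     : *
        dacl: struct security_acl
            aces: struct security_ace
                type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                flags                    : 0x00 (0)
                access_mask              : 0x001f01ff (2032127)
                trustee                  : S-1-22-2-3000008
            aces: struct security_ace
                type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                flags                    : 0x0b (11)
                access_mask              : 0x001f01ff (2032127)
                trustee                  :
S-1-5-21-2107120446-224765601-1821260193-512
"""

# Standard Windows file access-mask bits, ACE flag bits and well-known SIDs.
FILE_RIGHTS = [(0x1, "READ_DATA"), (0x2, "WRITE_DATA"), (0x4, "APPEND_DATA"), (0x8, "READ_EA"),
               (0x10, "WRITE_EA"), (0x20, "EXECUTE"), (0x40, "DELETE_CHILD"), (0x80, "READ_ATTRIBUTES"),
               (0x100, "WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
               (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]
ACE_FLAGS = [(0x01, "OBJECT_INHERIT"), (0x02, "CONTAINER_INHERIT"), (0x04, "NO_PROPAGATE_INHERIT"),
             (0x08, "INHERIT_ONLY"), (0x10, "INHERITED_ACE")]
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group"}
KV_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def _pairs(text):
    """Yield (key, value) pairs; a value wrapped onto the following line is rejoined."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = KV_RE.match(lines[i])
        i += 1
        if m:
            key, value = m.group(1), m.group(2)
            if value == "" and i < len(lines) and not KV_RE.match(lines[i]):
                value, i = lines[i].strip(), i + 1
            yield key, value


def parse_descriptor(text):
    """Extract owner, group and the DACL's ACEs from the dumped text."""
    sd = {"owner_sid": None, "group_sid": None, "aces": []}
    ace = None
    for key, value in _pairs(text):
        if key in ("owner_sid", "group_sid") and value.startswith("S-"):
            sd[key] = value
        elif key == "aces" and value.startswith("struct"):
            ace = {"type": None, "flags": 0, "access_mask": 0, "trustee": None}
            sd["aces"].append(ace)
        elif ace is not None and key in ace:
            first = value.split()[0]
            ace[key] = first if key in ("type", "trustee") else int(first, 16)
    return sd


def classify_sid(sid):
    """(kind, description): domain, unix (Samba's S-1-22 uid/gid namespace), well-known or other."""
    if sid is None:
        return "missing", "no SID parsed"
    if sid in WELL_KNOWN:
        return "well-known", WELL_KNOWN[sid]
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if m:
        return "unix", ("uid " if m.group(1) == "1" else "gid ") + m.group(2)
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m:
        rid = int(m.group(1))
        return "domain", "RID %d%s" % (rid, " (Domain Admins)" if rid == 512 else "")
    return "other", sid


def decode_mask(mask):
    return [name for bit, name in FILE_RIGHTS if mask & bit]


def decode_flags(flags):
    return [name for bit, name in ACE_FLAGS if flags & bit]


def audit(text):
    """Findings to review before a reset: non-domain owner/group, and ACEs held by Unix SIDs."""
    sd = parse_descriptor(text)
    out = []
    for field in ("owner_sid", "group_sid"):
        kind, desc = classify_sid(sd[field])
        if kind != "domain":
            out.append("%s %s is a %s SID (%s), not a domain SID" % (field, sd[field], kind, desc))
    for ace in sd["aces"]:
        kind, desc = classify_sid(ace["trustee"])
        if kind == "unix":
            out.append("ACE %s (%s) grants 0x%08x [%s], flags %s" % (
                ace["trustee"], desc, ace["access_mask"], "+".join(decode_mask(ace["access_mask"])),
                decode_flags(ace["flags"]) or "none"))
    return out
```

Feed it the full dump (`audit(open("dump.txt").read())`): the extra `size`, `object` and per-bit flag lines in the real output are ignored by the parser, and a full-control mask decodes to all 14 rights while 0x001200a9 decodes to the read/execute subset.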


