RC2 error on samba-tool ntacl sysvolreset
Gémes Géza
geza at kzsdabas.hu
Tue Oct 2 15:53:58 MDT 2012
On 2012-10-02 23:30, Matthieu Patou wrote:
> On 10/02/2012 11:36 AM, Gémes Géza wrote:
>> Hi,
>>> Hi,
>>>
>>> Today I've upgraded our school's (production) Samba4 DC from
>>> BETA6_GIT_4631723 (already s3fs) to RC2.
>>> As stated in the whatsnew I ran samba-tool ntacl sysvolreset
>>> (previously I had some Windows error messages about incorrect
>>> ownership of GPOs).
>>> First I tried while samba was still stopped which gave:
>>>
>>> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
>>> ERROR(runtime): uncaught exception - (-1073741734,
>>> 'NT_STATUS_INVALID_OWNER')
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>> line 168, in _run
>>> return self.run(*args, **kwargs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
>>> 214, in run
>>> lp, use_ntvfs=use_ntvfs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>> line 1462, in setsysvolacl
>>> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>>> use_ntvfs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>> line 1401, in set_gpos_acl
>>> str(domainsid), use_ntvfs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>> line 1368, in set_dir_acl
>>> setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
>>> 108, in setntacl
>>> smbd.set_nt_acl(file, security.SECINFO_OWNER |
>>> security.SECINFO_GROUP | security.SECINFO_DACL |
>>> security.SECINFO_SACL, sd)
>>>
>>> Thinking that without a running samba it is unable to look up
>>> names/SIDs to uids/gids (I have a working nsswitch.conf with winbind;
>>> I've copied the libnss_winbind.so and libnss_wins.so to /lib/...),
>>> I've started samba.
>>> Then samba-tool ntacl sysvolreset yielded:
>>>
>>> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
>>> ERROR(runtime): uncaught exception - (-1073741734,
>>> 'NT_STATUS_INVALID_OWNER')
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>> line 168, in _run
>>> return self.run(*args, **kwargs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
>>> 214, in run
>>> lp, use_ntvfs=use_ntvfs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>> line 1462, in setsysvolacl
>>> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>>> use_ntvfs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>> line 1401, in set_gpos_acl
>>> str(domainsid), use_ntvfs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>> line 1368, in set_dir_acl
>>> setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line
>>> 108, in setntacl
>>> smbd.set_nt_acl(file, security.SECINFO_OWNER |
>>> security.SECINFO_GROUP | security.SECINFO_DACL |
>>> security.SECINFO_SACL, sd)
>>>
>>> which seems to be the same.
> I think it goes to the same database for id mapping running or not
> running.
>>>
>>> Sorry for being such a noob, but the ntacl.py is unknown territory
>>> for me.
>>>
>>> Cheers
>>>
>>> Geza
>> After some more trial and error I've decided to delete my idmap.ldb
>> (already having idmap_ldb:use rfc2307 = yes set by classicupgrade)
>> (and so I did after stopping samba). As a result the error message
>> changed into:
>> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get id
>> for sid
> Can you alter the script so that we have an idea of which SID is
> causing the problem?
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 168, in _run
>> return self.run(*args, **kwargs)
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 201, in run
>> (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
>> Which suggests an incomplete SID to xid translation. Looking at the
>> sysvol folder with getfacl:
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: adm
>> # flags: -s-
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:adm:rwx
>> group:3000005:r-x
>> group:3000007:r-x
>> group:3000008:rwx
>> mask::rwx
>> other::---
>>
>> My (local) adm group has the same gidnumber as the Domain Admins
>> group, but I don't know which groups the missing group entries
>> correspond to.
>> samba-tool ntacl get /usr/local/samba/var/locks/sysvol shows:
>> security_descriptor: struct security_descriptor
>> revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
>> type : 0x8004 (32772)
>> 0: SEC_DESC_OWNER_DEFAULTED
>> 0: SEC_DESC_GROUP_DEFAULTED
>> 1: SEC_DESC_DACL_PRESENT
>> 0: SEC_DESC_DACL_DEFAULTED
>> 0: SEC_DESC_SACL_PRESENT
>> 0: SEC_DESC_SACL_DEFAULTED
>> 0: SEC_DESC_DACL_TRUSTED
>> 0: SEC_DESC_SERVER_SECURITY
>> 0: SEC_DESC_DACL_AUTO_INHERIT_REQ
>> 0: SEC_DESC_SACL_AUTO_INHERIT_REQ
>> 0: SEC_DESC_DACL_AUTO_INHERITED
>> 0: SEC_DESC_SACL_AUTO_INHERITED
>> 0: SEC_DESC_DACL_PROTECTED
>> 0: SEC_DESC_SACL_PROTECTED
>> 0: SEC_DESC_RM_CONTROL_VALID
>> 1: SEC_DESC_SELF_RELATIVE
>> owner_sid : *
>> owner_sid : S-1-22-1-0
>> group_sid : *
>> group_sid :
>> S-1-5-21-2107120446-224765601-1821260193-512
>> sacl : NULL
>> dacl : *
>> dacl: struct security_acl
>> revision : SECURITY_ACL_REVISION_NT4 (2)
>> size : 0x0118 (280)
>> num_aces : 0x0000000b (11)
>> aces: ARRAY(11)
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x00 (0)
>> 0: SEC_ACE_FLAG_OBJECT_INHERIT
>> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 0: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0018 (24)
>> access_mask : 0x001f01ff (2032127)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee : S-1-22-1-0
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x00 (0)
>> 0: SEC_ACE_FLAG_OBJECT_INHERIT
>> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 0: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0018 (24)
>> access_mask : 0x001f01ff (2032127)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee : S-1-22-2-3000008
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x00 (0)
>> 0: SEC_ACE_FLAG_OBJECT_INHERIT
>> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 0: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0018 (24)
>> access_mask : 0x001200a9 (1179817)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee : S-1-22-2-3000007
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x00 (0)
>> 0: SEC_ACE_FLAG_OBJECT_INHERIT
>> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 0: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0018 (24)
>> access_mask : 0x001200a9 (1179817)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee : S-1-22-2-3000005
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x00 (0)
>> 0: SEC_ACE_FLAG_OBJECT_INHERIT
>> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 0: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0024 (36)
>> access_mask : 0x001f01ff (2032127)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee :
>> S-1-5-21-2107120446-224765601-1821260193-512
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x00 (0)
>> 0: SEC_ACE_FLAG_OBJECT_INHERIT
>> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 0: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0024 (36)
>> access_mask : 0x001f01ff (2032127)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee :
>> S-1-5-21-2107120446-224765601-1821260193-512
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x00 (0)
>> 0: SEC_ACE_FLAG_OBJECT_INHERIT
>> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 0: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0018 (24)
>> access_mask : 0x001f01ff (2032127)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee : S-1-22-1-0
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x00 (0)
>> 0: SEC_ACE_FLAG_OBJECT_INHERIT
>> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 0: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0014 (20)
>> access_mask : 0x00080000 (524288)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee : S-1-1-0
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x0b (11)
>> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 1: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0014 (20)
>> access_mask : 0x001e01ff (1966591)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee : S-1-3-0
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x0b (11)
>> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 1: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0014 (20)
>> access_mask : 0x001200a9 (1179817)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee : S-1-3-1
>> aces: struct security_ace
>> type :
>> SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>> flags : 0x0b (11)
>> 1: SEC_ACE_FLAG_OBJECT_INHERIT
>> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
>> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>> 1: SEC_ACE_FLAG_INHERIT_ONLY
>> 0: SEC_ACE_FLAG_INHERITED_ACE
>> 0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>> 0: SEC_ACE_FLAG_FAILED_ACCESS
>> size : 0x0014 (20)
>> access_mask : 0x001200a9 (1179817)
>> object : union
>> security_ace_object_ctr(case 0)
>> trustee : S-1-1-0
>>
>> Thank you for any idea!
> That's pretty weird; can you run the same command but with the
> --as-sddl option?
>
> Matthieu.
>
Here is the output:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
ldb_wrap open of idmap.ldb
unix_mode(/usr/local/samba/var/locks/sysvol) returning 0755
unix_mode(/usr/local/samba/var/locks/sysvol) returning 0744
O:S-1-22-1-0G:DAD:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-22-2-3000008)(A;;0x001200a9;;;S-1-22-2-3000007)(A;;0x001200a9;;;S-1-22-2-3000005)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001200a9;;;WD)(A;OICIIO;0x001e01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
Cheers
Geza Gemes
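To make the SDDL line above easier to read alongside the earlier struct dump and the getfacl output, here is an added Python decoder. It is example code written for this page, not code from the thread or from Samba itself. It parses the O:/G:/D: form that samba-tool ntacl get --as-sddl prints, expands the SDDL aliases that occur here (DA, WD, CO, CG; the alias table is a subset of the SDDL well-known aliases, with domain-relative ones resolved against the domain SID taken from the posted output), decodes the access masks, and lists which trustees are Samba's Unix-mapped SIDs (S-1-22-1-<uid> for users, S-1-22-2-<gid> for groups). Those are the entries that can only be resolved through the local idmap, which is why they are worth isolating when a sysvolreset fails on SID-to-id translation; the decoder reports them, it does not diagnose the failure. SAMPLE_SDDL is the string from the thread, used here as constructed input.

```python
"""Decode an SDDL security descriptor as printed by samba-tool ntacl get
--as-sddl and classify its trustees.  Added example; not Samba code."""
import re
from dataclasses import dataclass, field

# Domain SID and SDDL string as they appear in the thread (constructed input).
DOMAIN_SID = "S-1-5-21-2107120446-224765601-1821260193"
SAMPLE_SDDL = (
    "O:S-1-22-1-0G:DAD:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-22-2-3000008)"
    "(A;;0x001200a9;;;S-1-22-2-3000007)(A;;0x001200a9;;;S-1-22-2-3000005)"
    "(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;S-1-22-1-0)"
    "(A;;0x001200a9;;;WD)(A;OICIIO;0x001e01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
    "(A;OICIIO;0x001200a9;;;WD)")

# Subset of the SDDL well-known aliases.  Domain-relative aliases are stored
# as RIDs and resolved against DOMAIN_SID (this example assumes one domain).
ABSOLUTE_ALIASES = {"WD": "S-1-1-0", "CO": "S-1-3-0", "CG": "S-1-3-1",
                    "AN": "S-1-5-7", "AU": "S-1-5-11", "SY": "S-1-5-18",
                    "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}
DOMAIN_RID_ALIASES = {"DA": 512, "DU": 513, "DG": 514, "DC": 515, "DD": 516}

# Access-mask bits: file/directory specific rights plus standard rights.
MASK_BITS = {
    0x00000001: "READ_DATA/LIST_DIR", 0x00000002: "WRITE_DATA/ADD_FILE",
    0x00000004: "APPEND_DATA/ADD_SUBDIR", 0x00000008: "READ_EA",
    0x00000010: "WRITE_EA", 0x00000020: "EXECUTE/TRAVERSE",
    0x00000040: "DELETE_CHILD", 0x00000080: "READ_ATTRIBUTES",
    0x00000100: "WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
ACE_FLAG_CODES = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
                  "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY",
                  "ID": "INHERITED_ACE"}


@dataclass
class Ace:
    ace_type: str      # "A" = access allowed, "D" = access denied
    flags: list        # decoded inheritance flag names
    mask: int
    trustee: str       # always a full SID (aliases are expanded)


@dataclass
class Descriptor:
    owner: str
    group: str
    aces: list = field(default_factory=list)


def expand_sid(token, domain_sid):
    """Expand an SDDL alias to a SID; full SIDs pass through unchanged."""
    if token in ABSOLUTE_ALIASES:
        return ABSOLUTE_ALIASES[token]
    if token in DOMAIN_RID_ALIASES:
        return f"{domain_sid}-{DOMAIN_RID_ALIASES[token]}"
    if token.startswith("S-1-"):
        return token
    raise ValueError(f"unsupported SDDL trustee {token!r}")


def classify_sid(sid, domain_sid):
    """Samba represents Unix ids as S-1-22-1-<uid> and S-1-22-2-<gid>; such
    trustees resolve only through the local idmap, unlike domain SIDs."""
    if sid.startswith("S-1-22-1-"):
        return "unix-uid"
    if sid.startswith("S-1-22-2-"):
        return "unix-gid"
    if sid.startswith(domain_sid + "-"):
        return "domain"
    return "well-known"


def describe_mask(mask):
    """Name the common composite masks, otherwise list the set bits."""
    if mask == 0x001F01FF:
        return "FULL_CONTROL"
    if mask == 0x001200A9:
        return "READ_AND_EXECUTE"
    return "|".join(name for bit, name in MASK_BITS.items() if mask & bit)


def parse_sddl(sddl, domain_sid=DOMAIN_SID):
    """Split the O:/G:/D:/S: sections and decode each DACL ACE (hex rights only)."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    desc = Descriptor(owner=expand_sid(parts["O"], domain_sid),
                      group=expand_sid(parts["G"], domain_sid))
    for body in re.findall(r"\(([^)]*)\)", parts.get("D", "")):
        ace_type, flag_str, rights, _obj, _inh_obj, trustee = body.split(";")
        if not rights.lower().startswith("0x"):
            raise ValueError(f"only hex rights are handled, got {rights!r}")
        flags = [ACE_FLAG_CODES.get(flag_str[i:i + 2], flag_str[i:i + 2])
                 for i in range(0, len(flag_str), 2)]
        desc.aces.append(Ace(ace_type, flags, int(rights, 16),
                             expand_sid(trustee, domain_sid)))
    return desc


def idmap_dependent_trustees(desc, domain_sid=DOMAIN_SID):
    """Owner, group and ACE trustees that can only be resolved via the idmap."""
    sids = [desc.owner, desc.group] + [a.trustee for a in desc.aces]
    return sorted({s for s in sids
                   if classify_sid(s, domain_sid).startswith("unix-")})


def everyone_write_grants(desc):
    """Allow ACEs that hand any write or ownership right to Everyone (S-1-1-0)."""
    return [a for a in desc.aces if a.ace_type == "A"
            and a.trustee == "S-1-1-0" and a.mask & WRITE_BITS]


def report(sddl, domain_sid=DOMAIN_SID):
    """One readable line for owner, group and each ACE."""
    d = parse_sddl(sddl, domain_sid)
    lines = [f"owner {d.owner} ({classify_sid(d.owner, domain_sid)})",
             f"group {d.group} ({classify_sid(d.group, domain_sid)})"]
    for a in d.aces:
        lines.append(f"{a.ace_type} {','.join(a.flags) or '-'} "
                     f"{describe_mask(a.mask)} -> {a.trustee} "
                     f"({classify_sid(a.trustee, domain_sid)})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SDDL)))
    print("idmap-dependent:", idmap_dependent_trustees(parse_sddl(SAMPLE_SDDL)))
```

Run against the posted descriptor, the idmap-dependent list is the owner S-1-22-1-0 (uid 0) and the three S-1-22-2 groups, whose gids 3000005, 3000007 and 3000008 are exactly the numeric group entries the getfacl output shows; the domain itself only appears through the DA (RID 512) entries. That lets an administrator compare the SIDs the descriptor needs against the contents of idmap.ldb before re-running sysvolreset.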