Moving from beta/test environment to production

Andrew Bartlett abartlet at samba.org
Wed Jan 2 05:18:27 MST 2013


On Wed, 2013-01-02 at 13:05 +0100, Dieter Modig wrote:
> ----- Original message -----
> 
> > From: "Andrew Bartlett" <abartlet at samba.org>
> > To: "Dieter Modig" <dieter.m at inputinterior.se>
> > Cc: samba-technical at lists.samba.org
> > Sent: Wednesday, 2 Jan 2013 11:31:43
> > Subject: Re: Moving from beta/test environment to production
> 
> > On Wed, 2013-01-02 at 10:46 +0100, Dieter Modig wrote:
> > > Hi!
> > >
> > > I hope you all got a well deserved rest during the holidays! :)
> > >
> > > We decided this would be a good time to upgrade to the official
> > > Samba4 release. Everything but GPOs seems to be working after the
> > > upgrade. We don't see any difference in the behaviour :( Can't
> > > create new GPO but can edit the existing ones. Attempt to create a
> > > GPO with samba-tool gave the following error "ERROR(runtime):
> > > uncaught exception - (-1073741565, 'NT_STATUS_NOT_A_DIRECTORY')".
> > >
> > > We gathered from previous responses to this thread that attempting
> > > to get another DC as master was not likely to succeed. Is there any
> > > way to revert to default with policies and get a fresh start? We can
> > > export the GPOs we have today and then scrap them all and reset all
> > > permissions on files and database. Would that be a viable solution?
> 
> > What happens if you do exactly that with the windows group policy
> > tool?
> 
> Umm... haven't tried that... yet. 
> 
> > Have you already run 'samba-tool ntacl sysvolreset'?
> 
> Hmm... we did do that at an earlier point and just to make sure I
> tried it again and actually ran into something interesting. The
> "samba-tool ntacl sysvolcheck" claims to find problems 
> "ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on GPO
> directory /usr/local/samba/var/locks/sysvol/input.se/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object" 

That's odd, I thought I had the sysvolcheck tool set to ignore the SACL.
Either way, this looks OK, but I guess we don't know if all the later
ACLs are correct.

> but I can't run sysvolreset due to permissions 
> "/usr/local/samba/bin/samba-tool ntacl sysvolreset" returns 
> "set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_ACCESS_DENIED. 
> ERROR(runtime): uncaught exception - (-1073741790, 'Access denied') " 
> 
> I can't find any way to give domain admin access (-U and
> --username) for the command either. Should there be? 

No, but this tool should run as root.  

> > Is there any more detail in the logs?
> Can't find any more info in any of the logs (associated to this at
> least). 

Set 'log level = 10' (or 5, if 10 is just too much) in the smb.conf and
retry is the only suggestion I have.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
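
The two SDDL strings in the sysvolcheck error quoted above are identical except for the trailing S: (SACL) part on the directory ACL. The following is an added example, not Samba's code and not part of the original message: it splits both strings into owner, group, DACL and SACL and compares them with the SACL optionally ignored. The function names parse_sddl and sddl_mismatches are hypothetical.

```python
import re

# SDDL sections are introduced by O: (owner), G: (group), D: (DACL), S: (SACL).
SECTION = re.compile(r"([OGDS]):")
ACE = re.compile(r"\(([^()]*)\)")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL."""
    marks = list(SECTION.finditer(sddl))
    raw = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        raw[m.group(1)] = sddl[m.end():end]
    parsed = {"owner": raw.get("O"), "group": raw.get("G")}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        body = raw.get(key)
        # An ACL is (flags, ordered ACE list); ACE order is significant.
        parsed[name] = None if body is None else (
            body.split("(", 1)[0], ACE.findall(body))
    return parsed

def sddl_mismatches(actual, expected, ignore_sacl=True):
    """Return the names of the parts that differ between two SDDL strings."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    fields = ["owner", "group", "dacl"] + ([] if ignore_sacl else ["sacl"])
    return [f for f in fields if a[f] != e[f]]

# Both values are copied from the sysvolcheck error quoted in the message:
# the expected value from the GPO object, and the ACL on the GPO directory.
GPO_OBJECT_ACL = (
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
    "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001200a9;;;ED)"
)
DIRECTORY_ACL = GPO_OBJECT_ACL + (
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

if __name__ == "__main__":
    print("ignoring SACL :", sddl_mismatches(DIRECTORY_ACL, GPO_OBJECT_ACL))
    print("including SACL:",
          sddl_mismatches(DIRECTORY_ACL, GPO_OBJECT_ACL, ignore_sacl=False))
```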



