Kees van Vloten
2022-Jan-10 17:04 UTC
[Samba] Fwd: GPO incomplete / missing -> samba-tool crash
On 10-01-2022 17:59, David Mulder via samba wrote:
> Check in adsi under CN=Policies,CN=System. You probably have the
> policy listed there in ldap still, which I assume needs to be removed.
> It'll be called CN={75991237-941B-47B9-AF67-853781EA44B3}

Thanks David!

I have no Windows machine at hand, will 'ldb*' do the same?

>
> On 1/10/22 9:53 AM, Kees van Vloten via samba <samba at lists.samba.org>
> wrote:
>> Hi team,
>>
>> I am running 4.15.3 (from Louis') on Bullseye.
>> I have no clue how I got here, but the question is: how to get it fixed?
>>
>> It looks like there is a policy defined in LDAP that does not exist
>> on the filesystem, in any case it makes samba-tool crash:
>>
>> samba-tool ntacl sysvolcheck
>> ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
>>     provision.checksysvolacl(samdb, netlogon, sysvol,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
>>     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
>>     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
>>     fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
>>     attribute = samba.xattr_native.wrap_getxattr(file
>>
>> samba-tool ntacl sysvolreset
>> Could not find opname rename, logging all
>> idmap range not specified for domain '*'
>> [...]
>> set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
>> ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
>>     provision.setsysvolacl(samdb, netlogon, sysvol,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1641, in set_gpos_acl
>>     set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1604, in set_dir_acl
>>     setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
>>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in setntacl
>>     smbd.set_nt_acl(
>>
>>
>> samba-tool gpo listall
>> GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>> display name : Default Domain Controllers Policy
>> path         : \\samdom.net\sysvol\samdom.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>> dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net
>> version      : 0
>> flags        : NONE
>>
>> GPO          : {75991237-941B-47B9-AF67-853781EA44B3}
>> ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 477, in run
>>     self.outf.write("display name : %s\n" % m['displayName'][0])
>>
>> The policy '{75991237-941B-47B9-AF67-853781EA44B3}' is not available
>> on the filesystem (/var/lib/sysvol/samdom.net/Policies).
>> When I try to remove it, it tells me:
>>
>> samba-tool gpo del '{75991237-941B-47B9-AF67-853781EA44B3}'
>> ERROR: GPO '{75991237-941B-47B9-AF67-853781EA44B3}' does not exist
>>
>>
>> Strace shows that 'samba-tool ntacl sysvolcheck' also fails on the
>> same non-existing file:
>>
>> strace samba-tool ntacl sysvolcheck
>> <removed lots of output>
>>
>> getxattr("/var/lib/samba/sysvol/samdom.net/Policies/{75991237-941B-47B9-AF67-853781EA44B3}", "security.NTACL", NULL, 0) = -1 ENOENT (No such file or directory)
>> write(2, "ERROR(<class 'TypeError'>): unca"..., 82ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
>> ) = 82
>>
>> <removed rest of output>
>>
>> How to fix this issue?
>>
>> - Kees
dmulder at samba.org
2022-Jan-10 17:06 UTC
[Samba] Fwd: GPO incomplete / missing -> samba-tool crash
Also, you could try my admin-tools adsi:
https://appimage.github.io/admin-tools/

Though I'm not sure what state it's in... I haven't tested it out
recently.

On 1/10/22 10:04 AM, Kees van Vloten via samba <samba at lists.samba.org>
wrote:
> On 10-01-2022 17:59, David Mulder via samba wrote:
> > Check in adsi under CN=Policies,CN=System. You probably have the
> > policy listed there in ldap still, which I assume needs to be removed.
> > It'll be called CN={75991237-941B-47B9-AF67-853781EA44B3}
> Thanks David!
>
> I have no Windows machine at hand, will 'ldb*' do the same?
Rowland Penny
2022-Jan-10 17:10 UTC
[Samba] Fwd: GPO incomplete / missing -> samba-tool crash
On Mon, 2022-01-10 at 18:04 +0100, Kees van Vloten via samba wrote:
> On 10-01-2022 17:59, David Mulder via samba wrote:
> > Check in adsi under CN=Policies,CN=System. You probably have the
> > policy listed there in ldap still, which I assume needs to be
> > removed.
> > It'll be called CN={75991237-941B-47B9-AF67-853781EA44B3}
> Thanks David!
>
> I have no Windows machine at hand, will 'ldb*' do the same?

Yes it would, but if you have another DC and if it is still there, you
could sync it back.

Rowland
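
Added example (not part of the thread and not Samba's own code): a read-only consistency check for the situation discussed above, where a GPO object exists under CN=Policies,CN=System but has no displayName and no directory on sysvol. It parses ldbsearch-style LDIF; the sample LDIF, the sam.ldb path in the comment and the function names are assumptions constructed for illustration.

```python
import base64
import os
import re
import tempfile

# Constructed sample shaped like the output of (paths are assumptions):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     -b 'CN=Policies,CN=System,DC=samdom,DC=net' \
#     '(objectClass=groupPolicyContainer)' dn displayName
# Record 2 mimics the broken GPO in the thread: no displayName, folded dn.
SAMPLE_LDIF = """\
# record 1
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net
displayName: Default Domain Controllers Policy

# record 2
dn: CN={75991237-941B-47B9-AF67-853781EA44B3},CN=Policies,CN=System,DC=samdom,
 DC=net

# returned 2 records
"""

GUID_RDN = re.compile(r"^CN=(\{[0-9A-F-]{36}\}),CN=Policies,CN=System,", re.I)


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def audit_gpos(entries, policies_dir):
    """Return [(guid, [problems])] for GPO objects that are incomplete."""
    on_disk = {name.upper() for name in os.listdir(policies_dir)
               if os.path.isdir(os.path.join(policies_dir, name))}
    findings = []
    for entry in entries:
        match = GUID_RDN.match(entry.get("dn", [""])[0])
        if not match:
            continue                      # child such as CN=Machine or CN=User
        guid, problems = match.group(1), []
        if not entry.get("displayname"):
            problems.append("no displayName")
        if guid.upper() not in on_disk:   # directory names compared case-insensitively
            problems.append("no sysvol directory")
        if problems:
            findings.append((guid, problems))
    return findings


def demo():
    """Run the audit against a temporary, constructed sysvol tree."""
    with tempfile.TemporaryDirectory() as root:
        policies = os.path.join(root, "samdom.net", "Policies")
        os.makedirs(os.path.join(policies, "{6AC1786C-016F-11D2-945F-00C04FB984F9}"))
        return audit_gpos(parse_ldif(SAMPLE_LDIF), policies)
```

The check only reports; it does not modify LDAP or sysvol, so the decision between removing the stale object and syncing the policy back from another DC stays with the administrator.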