samba - Jan 2015 - Missing Policies folder after failure; how to recreate

Dear Samba List!

Long story short and please just don't ask; if it were up to me this 
would have not happened:

I need to recreate the default GPO-s (as in the 
\SysVol\domain.of\Policies\ folder and subfolders) of my domain.
Trying to delete the old GPO-s I run into errors, both in the windows 
mmc and on the dc with runing samba-tools as root.
ERROR(ldb): uncaught exception - LDAP error 50 
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on 
CN={97A64DB0-B51D-4A70-80A3-7F47483B0EB2},CN=Policies,CN=System,DC=domain,DC=of 
 > <>
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 175, in _run

Reprovisioning is not an option; since this is an active, "in use" 
system with lots of accounts.
The moment this is solved I swear to make a second DC with sysvol 
replication.

Thank you!

Have you tried to reset the permissions?

samba-tool ntacl sysvolreset


On 1/13/2015 3:09 PM, "Gergely, Kasz?s" wrote:
> Dear Samba List!
>
> Long story short and please just don't ask; if it were up to me this 
> would have not happened:
>
> I need to recreate the default GPO-s (as in the 
> \SysVol\domain.of\Policies\ folder and subfolders) of my domain.
> Trying to delete the old GPO-s I run into errors, both in the windows 
> mmc and on the dc with runing samba-tools as root.
> ERROR(ldb): uncaught exception - LDAP error 50 
> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed 
> on 
>
CN={97A64DB0-B51D-4A70-80A3-7F47483B0EB2},CN=Policies,CN=System,DC=domain,DC=of
> > <>
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
>
> Reprovisioning is not an option; since this is an active, "in
use"
> system with lots of accounts.
> The moment this is solved I swear to make a second DC with sysvol 
> replication.
>
> Thank you!
-- 
-James

Am 13.01.2015 um 21:50 schrieb James:
> Have you tried to reset the permissions?
>
> samba-tool ntacl sysvolreset
If he lost folders, as he said, sysvolreset won't help. This command
wont recreate the sysvol content.


> On 1/13/2015 3:09 PM, "Gergely, Kasz?s" wrote:
>> I need to recreate the default GPO-s (as in the
>> \SysVol\domain.of\Policies\ folder and subfolders) of my domain.
>> Trying to delete the old GPO-s I run into errors, both in the windows
>> mmc and on the dc with runing samba-tools as root.
>> ERROR(ldb): uncaught exception - LDAP error 50
>> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed
>> on
>>
CN={97A64DB0-B51D-4A70-80A3-7F47483B0EB2},CN=Policies,CN=System,DC=domain,DC=of
>> > <>
>>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 175, in _run
If you just lost your sysvol folder content, restore the files from your
backup or copy them from an additional DC in the domain + run
'samba-tool ntacl sysvolreset'.

If the security stuff inside the AD is messed up, too, I have no idea,
if you don't give more information and if we aren't allowed to ask to
find out what happened and what exactly is broken. ;-)


Regards,
Marc

When you only need the default gpos than we possibly can send you the folders
and its content. When I'm not completely wrong, these folders are empty as
long nothing has been set.
With samba the default gpos are empty - no settings at all.
Possibly it is important to know your functional level? I don't know.

The two default domain policies have well known SIDs so it's not hard to
find them.

I will have a look at it tomorrow at work if you like.

Possibly you just create these folders and run samba-tool ntacl sysvolreset.

There is a technet article about these well known SIDs. But I can't find it
again.


Am 13. Januar 2015 21:09:07 MEZ, schrieb "Gergely, Kasz?s" <cheese
at caesar.elte.hu>:
>Dear Samba List!
>
>Long story short and please just don't ask; if it were up to me this 
>would have not happened:
>
>I need to recreate the default GPO-s (as in the 
>\SysVol\domain.of\Policies\ folder and subfolders) of my domain.
>Trying to delete the old GPO-s I run into errors, both in the windows 
>mmc and on the dc with runing samba-tools as root.
>ERROR(ldb): uncaught exception - LDAP error 50 
>LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on
>
>CN={97A64DB0-B51D-4A70-80A3-7F47483B0EB2},CN=Policies,CN=System,DC=domain,DC=of
>
> > <>
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>line 175, in _run
>
>Reprovisioning is not an option; since this is an active, "in use"
>system with lots of accounts.
>The moment this is solved I swear to make a second DC with sysvol 
>replication.
>
>Thank you!
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
-- 
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.

Quick solution can be copy the contents of the attached zipfile to:  /usr
/local/samba/var/locks/sysvol/domain.of/
Run the command: samba-tool ntacl sysvolreset

You will end up without any GPO's and look at https://wiki.samba.org/index.
php/Backup_and_Recovery to get backups of your Samba installation!!

Regards, Marcel


2015-01-13 21:09 GMT+01:00 "Gergely, Kasz?s" <cheese at
caesar.elte.hu>:
> Dear Samba List!
>
> Long story short and please just don't ask; if it were up to me this
would
> have not happened:
>
> I need to recreate the default GPO-s (as in the
> \SysVol\domain.of\Policies\ folder and subfolders) of my domain.
> Trying to delete the old GPO-s I run into errors, both in the windows mmc
> and on the dc with runing samba-tools as root.
> ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS
> -  <dsdb_access: Access check failed on CN={97A64DB0-B51D-4A70-80A3-
> 7F47483B0EB2},CN=Policies,CN=System,DC=domain,DC=of > <>
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>
> Reprovisioning is not an option; since this is an active, "in
use" system
> with lots of accounts.
> The moment this is solved I swear to make a second DC with sysvol
> replication.
>
> Thank you!
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>