samba - Jan 2015 - Missing Policies folder after failure; how to recreate

Am 13.01.2015 um 21:50 schrieb James:
> Have you tried to reset the permissions?
>
> samba-tool ntacl sysvolreset
If he lost folders, as he said, sysvolreset won't help. This command
wont recreate the sysvol content.


> On 1/13/2015 3:09 PM, "Gergely, Kasz?s" wrote:
>> I need to recreate the default GPO-s (as in the
>> \SysVol\domain.of\Policies\ folder and subfolders) of my domain.
>> Trying to delete the old GPO-s I run into errors, both in the windows
>> mmc and on the dc with runing samba-tools as root.
>> ERROR(ldb): uncaught exception - LDAP error 50
>> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed
>> on
>>
CN={97A64DB0-B51D-4A70-80A3-7F47483B0EB2},CN=Policies,CN=System,DC=domain,DC=of
>> > <>
>>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 175, in _run
If you just lost your sysvol folder content, restore the files from your
backup or copy them from an additional DC in the domain + run
'samba-tool ntacl sysvolreset'.

If the security stuff inside the AD is messed up, too, I have no idea,
if you don't give more information and if we aren't allowed to ask to
find out what happened and what exactly is broken. ;-)


Regards,
Marc

Am 14.01.2015 um 11:18 schrieb "Gergely,
Kasz?s":
>> If you just lost your sysvol folder content, restore the files from
>> your backup or copy them from an additional DC in the domain + run
>> 'samba-tool ntacl sysvolreset'.
> Yes if the site would have backups or a second DC this wouldn't be a
> problem.
> But unfortunately this isn't the case. The admin of this site
didn't
> make backups and there is no other DC in the domain.
As I already said: If you don't give more information about the
situation and details, we can't help.


>> If the security stuff inside the AD is messed up, too, I have no
>> idea, if you don't give more information and if we aren't
allowed to
>> ask to find out what happened and what exactly is broken. ;-)


Regards,
Marc

2015.01.14. 15:48 keltez?ssel, Marc Muehlfeld ?rta:
> Am 14.01.2015 um 11:18 schrieb "Gergely, Kasz?s":
>>> If you just lost your sysvol folder content, restore the files from
>>> your backup or copy them from an additional DC in the domain + run
>>> 'samba-tool ntacl sysvolreset'.
>> Yes if the site would have backups or a second DC this wouldn't be
a
>> problem.
>> But unfortunately this isn't the case. The admin of this site
didn't
>> make backups and there is no other DC in the domain.
> As I already said: If you don't give more information about the
> situation and details, we can't help.
Forgive me for being vauge;
There is only a single active DC in this domain that was recovered after 
a hardware failure caused by an unplaned outage.
This DC is mostly used for radius authentication and for a simple 
library lab with 5 computers.
The domain has around ~400 users.
The real name of the domain is not "domain.of", I just masked it.

*Listing of the sysvol folder gives*
sysvol # find .
.
./domain.of/
./domain.of/scripts

The DC is a *4.1.6 ubuntu* packaged samba

Trying to *delete one of the gpo*-s gives:
ERROR(ldb): uncaught exception - LDAP error 50 
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on 
CN={MASKED},CN=Policies,CN=System,DC=domain,DC=of> <>
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 
1083, in run
     self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))

*samba-tool ntacl sysvolcheck*
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2,
'No such
file or directory')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
249, in run
     lp)
   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1695, in checksysvolacl
     direct_db_access)
   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1631, in check_gpos_acl
     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73,
in
getntacl
     xattr.XATTR_NTACL_NAME)

*samba-tool ntacl sysvolreset*
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
218, in run
     lp, use_ntvfs=use_ntvfs)
   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1581, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
use_ntvfs, passdb=s4_passdb)
   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1499, in set_gpos_acl
     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, 
service=SYSVOL_SERVICE)
   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154,
in
setntacl
     smbd.set_nt_acl(file, security.SECINFO_OWNER | 
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, 
sd, service=service)

the *smb.conf*
[global]
         workgroup = DOMAINOF
         realm = domain.of
         netbios name = DC
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbind, ntp_signd, kcc, dnsupdate
         nt acl support = yes
         inherit acls = yes
         wins support = yes
         #security = ads
         winbind nss info = rfc2307
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind refresh tickets = true
         kerberos method = secrets and keytab
         socket options = TCP_NODELAY

         idmap config *:backend = tdb
         idmap config *:range = 30001-40000
         idmap config DOMAINOF:backend = ad
         idmap config DOMAINOF:schema_mode = rfc2307
         idmap config DOMAINOF:range = 1000-20000
         idmap_ldb:use rfc2307 = yes

         load printers = no
         printcap name = /dev/null
         template shell = /bin/bash

         # ca.pem - /etc/ssl/certs/sambaca.pem, cert.pem 
/etc/ssl/certs/samba.pem
         tls enabled  = yes
         tls keyfile  = /var/lib/samba/private/tls/dc.domain.of.key.pem
         tls certfile = /var/lib/samba/private/tls/dc.domain.of.cert.pem
         tls cafile   = /var/lib/samba/private/tls/dc.domain.of.chain.pem

[netlogon]
         path = /var/lib/samba/sysvol/domain.of/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
>>> If the security stuff inside the AD is messed up, too, I have no
>>> idea, if you don't give more information and if we aren't
allowed to
>>> ask to find out what happened and what exactly is broken. ;-)
>
>
> Regards,
> Marc