Marc Muehlfeld
2015-Jan-13 21:13 UTC
[Samba] Missing Policies folder after failure; how to recreate
On 13.01.2015 at 21:50, James wrote:
> Have you tried to reset the permissions?
>
> samba-tool ntacl sysvolreset

If he lost folders, as he said, sysvolreset won't help. This command won't recreate the sysvol content.

> On 1/13/2015 3:09 PM, "Gergely, Kaszás" wrote:
>> I need to recreate the default GPO-s (as in the
>> \SysVol\domain.of\Policies\ folder and subfolders) of my domain.
>> Trying to delete the old GPO-s I run into errors, both in the windows
>> mmc and on the dc with running samba-tools as root.
>> ERROR(ldb): uncaught exception - LDAP error 50
>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed
>> on
>> CN={97A64DB0-B51D-4A70-80A3-7F47483B0EB2},CN=Policies,CN=System,DC=domain,DC=of
>> > <>
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 175, in _run

If you just lost your sysvol folder content, restore the files from your backup or copy them from an additional DC in the domain + run 'samba-tool ntacl sysvolreset'. If the security stuff inside the AD is messed up, too, I have no idea, if you don't give more information and if we aren't allowed to ask to find out what happened and what exactly is broken. ;-)

Regards,
Marc
Marc Muehlfeld
2015-Jan-14 14:48 UTC
[Samba] Missing Policies folder after failure; how to recreate
On 14.01.2015 at 11:18, "Gergely, Kaszás" wrote:
>> If you just lost your sysvol folder content, restore the files from
>> your backup or copy them from an additional DC in the domain + run
>> 'samba-tool ntacl sysvolreset'.
> Yes if the site would have backups or a second DC this wouldn't be a
> problem.
> But unfortunately this isn't the case. The admin of this site didn't
> make backups and there is no other DC in the domain.

As I already said: If you don't give more information about the situation and details, we can't help.

>> If the security stuff inside the AD is messed up, too, I have no
>> idea, if you don't give more information and if we aren't allowed to
>> ask to find out what happened and what exactly is broken. ;-)

Regards,
Marc
"Gergely, Kaszás"
2015-Jan-16 16:41 UTC
[Samba] Missing Policies folder after failure; how to recreate
On 2015.01.14. 15:48, Marc Muehlfeld wrote:
> On 14.01.2015 at 11:18, "Gergely, Kaszás" wrote:
>>> If you just lost your sysvol folder content, restore the files from
>>> your backup or copy them from an additional DC in the domain + run
>>> 'samba-tool ntacl sysvolreset'.
>> Yes if the site would have backups or a second DC this wouldn't be a
>> problem.
>> But unfortunately this isn't the case. The admin of this site didn't
>> make backups and there is no other DC in the domain.
> As I already said: If you don't give more information about the
> situation and details, we can't help.

Forgive me for being vague; there is only a single active DC in this domain that was recovered after a hardware failure caused by an unplanned outage. This DC is mostly used for radius authentication and for a simple library lab with 5 computers. The domain has around ~400 users. The real name of the domain is not "domain.of", I just masked it.

*Listing of the sysvol folder gives*

sysvol # find .
.
./domain.of/
./domain.of/scripts

The DC is a *4.1.6 ubuntu* packaged samba

Trying to *delete one of the gpo*-s gives:

ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN={MASKED},CN=Policies,CN=System,DC=domain,DC=of> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1083, in run
    self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))

*samba-tool ntacl sysvolcheck*

ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_gpos_acl
    direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
    xattr.XATTR_NTACL_NAME)

*samba-tool ntacl sysvolreset*

open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 218, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1581, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1499, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

the *smb.conf*

[global]
        workgroup = DOMAINOF
        realm = domain.of
        netbios name = DC
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        nt acl support = yes
        inherit acls = yes
        wins support = yes
        #security = ads
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind refresh tickets = true
        kerberos method = secrets and keytab
        socket options = TCP_NODELAY
        idmap config *:backend = tdb
        idmap config *:range = 30001-40000
        idmap config DOMAINOF:backend = ad
        idmap config DOMAINOF:schema_mode = rfc2307
        idmap config DOMAINOF:range = 1000-20000
        idmap_ldb:use rfc2307 = yes
        load printers = no
        printcap name = /dev/null
        template shell = /bin/bash
        # ca.pem - /etc/ssl/certs/sambaca.pem, cert.pem /etc/ssl/certs/samba.pem
        tls enabled = yes
        tls keyfile = /var/lib/samba/private/tls/dc.domain.of.key.pem
        tls certfile = /var/lib/samba/private/tls/dc.domain.of.cert.pem
        tls cafile = /var/lib/samba/private/tls/dc.domain.of.chain.pem

[netlogon]
        path = /var/lib/samba/sysvol/domain.of/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

>>> If the security stuff inside the AD is messed up, too, I have no
>>> idea, if you don't give more information and if we aren't allowed to
>>> ask to find out what happened and what exactly is broken. ;-)
>
>
> Regards,
> Marc
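The `find .` listing above shows why both `sysvolcheck` and `sysvolreset` fail with "No such file or directory": the whole Policies tree is gone, so there is nothing for the ACL tools to open. The script below is an added example, not code from the thread or from Samba, that checks a sysvol tree for the Policies folder and the two well-known default GPO containers (Default Domain Policy and Default Domain Controllers Policy); it assumes the standard `<sysvol>/<dnsdomain>/Policies/{GUID}/{GPT.INI,MACHINE,USER}` layout and does not check the AD side (the gPCFileSysPath attributes), which a full recovery would still need to reconcile.

```shell
#!/bin/sh
# Added example (not from the thread): report what is missing from a sysvol
# tree so the admin knows what has to be restored before running
# 'samba-tool ntacl sysvolreset'. Assumes the standard layout
# <sysvol>/<dnsdomain>/Policies/{GUID}/{GPT.INI,MACHINE,USER}.

# Well-known GUIDs of Default Domain Policy and Default Domain Controllers Policy
DEFAULT_DOMAIN_GPO='{31B2F340-016D-11D2-945F-00C04FB984F9}'
DEFAULT_DC_GPO='{6AC1786C-016F-11D2-945F-00C04fB984F9}'

# check_sysvol <sysvol_root> <dnsdomain>
# Prints one line per missing item; returns 0 if complete, 1 otherwise.
check_sysvol() {
    base="$1/$2"
    missing=0
    for d in "$base" "$base/scripts" "$base/Policies"; do
        [ -d "$d" ] || { echo "missing directory: $d"; missing=1; }
    done
    for g in "$DEFAULT_DOMAIN_GPO" "$DEFAULT_DC_GPO"; do
        p="$base/Policies/$g"
        [ -d "$p" ] || { echo "missing GPO container: $p"; missing=1; continue; }
        [ -f "$p/GPT.INI" ] || { echo "missing GPT.INI in $p"; missing=1; }
        for sub in MACHINE USER; do
            [ -d "$p/$sub" ] || { echo "missing $sub in $p"; missing=1; }
        done
    done
    return $missing
}

# Constructed sample: the tree from the post, where only domain.of/scripts survived.
make_broken_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/domain.of/scripts"
    echo "$t"
}

# Constructed sample: a complete tree for comparison.
make_healthy_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/domain.of/scripts"
    for g in "$DEFAULT_DOMAIN_GPO" "$DEFAULT_DC_GPO"; do
        mkdir -p "$t/domain.of/Policies/$g/MACHINE" "$t/domain.of/Policies/$g/USER"
        printf '[General]\r\nVersion=0\r\n' > "$t/domain.of/Policies/$g/GPT.INI"
    done
    echo "$t"
}

# Usage on a real DC: sh check_sysvol.sh /var/lib/samba/sysvol domain.of
if [ $# -eq 2 ]; then check_sysvol "$1" "$2"; fi
```

Run against the tree from the post it reports the missing Policies directory and both default GPO containers; a complete tree produces no output and exit status 0.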