samba - Oct 2015 - Sysvol acl check failed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

when I check ACLs on my sysvol I got the following errors:

root at DKHHDC1:~# samba-tool gpo aclcheck
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No
such
element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line
1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]


root at DKHHDC1:~# samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2,
'No
such file or directory')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1733, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1684, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
    fsacl = getntacl(lp, path, direct_db_access=direct_db_access,
service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in
getntacl
    xattr.XATTR_NTACL_NAME)

Then I tried to fix erros. Doing this, I got the next errors

root at DKHHDC1:~# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
218, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1619, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1524, in set_gpos_acl
    passdb=passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1487, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs,
skip_invalid_chown=True, passdb=passdb, service=service)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154,
in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL |
security.SECINFO_SACL, sd, service=service)

When I check the database everything is ok.

root at DKHHDC1:~# samba-tool dbcheck
Checking 1185 objects
Checked 1185 objects (0 errors)

Here are the permissions in sysvol:

root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/Policies/
insgesamt 80
drwxrws---+ 6 root    3000000 4096 Jun 25  2014
{08BE834B-49D1-4F47-950E-C0D0CB4D2486}
drwxrws---+ 6 root    3000015 4096 Nov  5  2013
{31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrws---+ 4 3000015 3000015 4096 Mai 15  2014
{4D8D96AA-C7E4-47F9-A8AF-D1D72CA6CBA1}
drwxrws---+ 4 3000015 3000015 4096 Nov 11  2014
{5C3768B4-E734-4168-A370-E0BB95C00B29}
drwxrws---+ 4 3000015 3000015 4096 Mär  1  2013
{6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrws---+ 5 3000015 3000015 4096 Jun 11  2014
{6FBD7831-E891-41A4-A5FA-B3BCCEAEA519}
drwxrws---+ 4 3000015 3000015 4096 Mai 26  2014
{8DD38317-E675-4042-84DD-0CF499F8C5F1}
drwxrws---+ 5 3000015 3000015 4096 Mär 23  2015
{9C353A54-854E-4CA5-A038-98B5F935627A}
drwxrws---+ 4 3000015 3000015 4096 Dez  3  2014
{A42F9750-57C8-4E48-8928-EF22B6E27CAE}
drwxrws---+ 5 3000015 3000015 4096 Jun 16  2014
{EE730522-233D-47BB-A05C-058B5D9E10DB}

root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/
insgesamt 24
drwxrws---+ 12 root 3000000 4096 Jan 29  2015 Policies
drwxrws---+  5 root 3000000 4096 Jun 30  2014 scripts
drwxrws---+ 10 root 3000000 4096 Mär 26  2013 StarterGPOs

YES I know .local is not a good choice, but it is as it is  NOT my
choice

All GPOs are working

One more thing. The old DC was a selfcompiled Samba 4 with
/usr/local/samba/sysvol. The new one is running the sernet-packeges
with /var/lib/samba/sysvol als path.

Where should I look next?


Thank you

Stefan
- -- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre
E-Mail. Weiter Informationen unter http://www.gnupg.org

Mein Schlüssel liegt auf

hkp://subkeys.pgp.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iEYEARECAAYFAlYb3cMACgkQ2JOGcNAHDTY9cACffa+1P7qhEVKOdNIRM3BR3rs6
C+gAnjsabkpx8TTT47qpPbkoXfqh0/Q9
=GNVV
-----END PGP SIGNATURE-----

On 10/12/2015 12:20 PM, Stefan Kania wrote:
> Hello,
>
> when I check ACLs on my sysvol I got the following errors:
>
> root at DKHHDC1:~# samba-tool gpo aclcheck
> ERROR(<type 'exceptions.KeyError'>): uncaught exception -
'No such
> element'
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py",
line
> 1150, in run
>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>
>
> root at DKHHDC1:~# samba-tool ntacl sysvolcheck
> ERROR(<type 'exceptions.TypeError'>): uncaught exception -
(2, 'No
> such file or directory')
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
line
> 249, in run
>     lp)
>   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1733, in checksysvolacl
>     direct_db_access)
>   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1684, in check_gpos_acl
>     domainsid, direct_db_access)
>   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1628, in check_dir_acl
>     fsacl = getntacl(lp, path, direct_db_access=direct_db_access,
> service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line
73, in
> getntacl
>     xattr.XATTR_NTACL_NAME)
>
> Then I tried to fix erros. Doing this, I got the next errors
>
> root at DKHHDC1:~# samba-tool ntacl sysvolreset
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined
error')
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
line
> 218, in run
>     lp, use_ntvfs=use_ntvfs)
>   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1619, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> use_ntvfs, passdb=s4_passdb)
>   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1524, in set_gpos_acl
>     passdb=passdb)
>   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1487, in set_dir_acl
>     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs,
> skip_invalid_chown=True, passdb=passdb, service=service)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line
154,
> in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
>
> When I check the database everything is ok.
>
> root at DKHHDC1:~# samba-tool dbcheck
> Checking 1185 objects
> Checked 1185 objects (0 errors)
>
> Here are the permissions in sysvol:
>
> root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/Policies/
> insgesamt 80
> drwxrws---+ 6 root    3000000 4096 Jun 25  2014
> {08BE834B-49D1-4F47-950E-C0D0CB4D2486}
> drwxrws---+ 6 root    3000015 4096 Nov  5  2013
> {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrws---+ 4 3000015 3000015 4096 Mai 15  2014
> {4D8D96AA-C7E4-47F9-A8AF-D1D72CA6CBA1}
> drwxrws---+ 4 3000015 3000015 4096 Nov 11  2014
> {5C3768B4-E734-4168-A370-E0BB95C00B29}
> drwxrws---+ 4 3000015 3000015 4096 Mär  1  2013
> {6AC1786C-016F-11D2-945F-00C04FB984F9}
> drwxrws---+ 5 3000015 3000015 4096 Jun 11  2014
> {6FBD7831-E891-41A4-A5FA-B3BCCEAEA519}
> drwxrws---+ 4 3000015 3000015 4096 Mai 26  2014
> {8DD38317-E675-4042-84DD-0CF499F8C5F1}
> drwxrws---+ 5 3000015 3000015 4096 Mär 23  2015
> {9C353A54-854E-4CA5-A038-98B5F935627A}
> drwxrws---+ 4 3000015 3000015 4096 Dez  3  2014
> {A42F9750-57C8-4E48-8928-EF22B6E27CAE}
> drwxrws---+ 5 3000015 3000015 4096 Jun 16  2014
> {EE730522-233D-47BB-A05C-058B5D9E10DB}
>
> root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/
> insgesamt 24
> drwxrws---+ 12 root 3000000 4096 Jan 29  2015 Policies
> drwxrws---+  5 root 3000000 4096 Jun 30  2014 scripts
> drwxrws---+ 10 root 3000000 4096 Mär 26  2013 StarterGPOs
>
> YES I know .local is not a good choice, but it is as it is  NOT my
> choice
>
> All GPOs are working
>
> One more thing. The old DC was a selfcompiled Samba 4 with
> /usr/local/samba/sysvol. The new one is running the sernet-packeges
> with /var/lib/samba/sysvol als path.
>
> Where should I look next?
>
>
> Thank you
>
> Stefan
>
Hello,

    Can you post your smb.conf?

-- 
-James

On 10/12/2015 12:20 PM, Stefan Kania wrote:

Hello,

Can you post your smb.conf?
-- 
-James
Enigmail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am 12.10.2015 um 18:47 schrieb James:
> On 10/12/2015 12:20 PM, Stefan Kania wrote:
>> Hello,
>> 
>> when I check ACLs on my sysvol I got the following errors:
>> 
>> root at DKHHDC1:~# samba-tool gpo aclcheck ERROR(<type
>> 'exceptions.KeyError'>): uncaught exception - 'No such
element'
>> File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line
>> 175, in _run return self.run(*args, **kwargs) File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 
>> 1150, in run ds_sd_ndr = m['nTSecurityDescriptor'][0]
>> 
>> 
>> root at DKHHDC1:~# samba-tool ntacl sysvolcheck ERROR(<type
>> 'exceptions.TypeError'>): uncaught exception - (2, 'No
such file
>> or directory') File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line
>> 175, in _run return self.run(*args, **kwargs) File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
line
>> 249, in run lp) File
>>
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1733, in checksysvolacl direct_db_access) File
>>
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1684, in check_gpos_acl domainsid, direct_db_access) File
>>
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1628, in check_dir_acl fsacl = getntacl(lp, path,
>> direct_db_access=direct_db_access, service=SYSVOL_SERVICE) File
>> "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73,
in
>> getntacl xattr.XATTR_NTACL_NAME)
>> 
>> Then I tried to fix erros. Doing this, I got the next errors
>> 
>> root at DKHHDC1:~# samba-tool ntacl sysvolreset open: error=2 (No
>> such file or directory) ERROR(runtime): uncaught exception -
>> (-1073741823, 'Undetermined error') File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line
>> 175, in _run return self.run(*args, **kwargs) File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
line
>> 218, in run lp, use_ntvfs=use_ntvfs) File
>>
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1619, in setsysvolacl set_gpos_acl(sysvol, dnsdomain,
>> domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) File
>>
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1524, in set_gpos_acl passdb=passdb) File
>>
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1487, in set_dir_acl setntacl(lp, path, acl, domsid,
>> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
>> service=service) File
>> "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154,
in
>> setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | 
>> security.SECINFO_GROUP | security.SECINFO_DACL | 
>> security.SECINFO_SACL, sd, service=service)
>> 
>> When I check the database everything is ok.
>> 
>> root at DKHHDC1:~# samba-tool dbcheck Checking 1185 objects Checked
>> 1185 objects (0 errors)
>> 
>> Here are the permissions in sysvol:
>> 
>> root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/Policies/ 
>> insgesamt 80 drwxrws---+ 6 root    3000000 4096 Jun 25  2014 
>> {08BE834B-49D1-4F47-950E-C0D0CB4D2486} drwxrws---+ 6 root
>> 3000015 4096 Nov  5  2013 {31B2F340-016D-11D2-945F-00C04FB984F9} 
>> drwxrws---+ 4 3000015 3000015 4096 Mai 15  2014 
>> {4D8D96AA-C7E4-47F9-A8AF-D1D72CA6CBA1} drwxrws---+ 4 3000015
>> 3000015 4096 Nov 11  2014 {5C3768B4-E734-4168-A370-E0BB95C00B29} 
>> drwxrws---+ 4 3000015 3000015 4096 Mär  1  2013 
>> {6AC1786C-016F-11D2-945F-00C04FB984F9} drwxrws---+ 5 3000015
>> 3000015 4096 Jun 11  2014 {6FBD7831-E891-41A4-A5FA-B3BCCEAEA519} 
>> drwxrws---+ 4 3000015 3000015 4096 Mai 26  2014 
>> {8DD38317-E675-4042-84DD-0CF499F8C5F1} drwxrws---+ 5 3000015
>> 3000015 4096 Mär 23  2015 {9C353A54-854E-4CA5-A038-98B5F935627A} 
>> drwxrws---+ 4 3000015 3000015 4096 Dez  3  2014 
>> {A42F9750-57C8-4E48-8928-EF22B6E27CAE} drwxrws---+ 5 3000015
>> 3000015 4096 Jun 16  2014 {EE730522-233D-47BB-A05C-058B5D9E10DB}
>> 
>> root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/ insgesamt
>> 24 drwxrws---+ 12 root 3000000 4096 Jan 29  2015 Policies 
>> drwxrws---+  5 root 3000000 4096 Jun 30  2014 scripts drwxrws---+
>> 10 root 3000000 4096 Mär 26  2013 StarterGPOs
>> 
>> YES I know .local is not a good choice, but it is as it is  NOT
>> my choice
>> 
>> All GPOs are working
>> 
>> One more thing. The old DC was a selfcompiled Samba 4 with 
>> /usr/local/samba/sysvol. The new one is running the
>> sernet-packeges with /var/lib/samba/sysvol als path.
>> 
>> Where should I look next?
>> 
>> 
>> Thank you
>> 
>> Stefan
>> 
> Hello,
> 
> Can you post your smb.conf?
> 
Here are the smb.conf
- --------------# Global parameters
[global]
        workgroup = DKHH
        realm = dkhh.local
        netbios name = DKHHDC2
        server role = active directory domain controller
        dns forwarder = 172.16.0.52
        allow dns updates = nonsecure

[netlogon]
        path = /var/lib/samba/sysvol/dkhh.local/scripts
        read only = No
        write ok = Yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        write ok = Yes



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlYczOQACgkQ2JOGcNAHDTZ2TQCfWc+u/IytXLsB4+EJw8xVULpC
q5IAnjAZ4zxi4PLmWZPAgvQw2e+DVRcn
=7cAX
-----END PGP SIGNATURE-----