-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 12.10.2015 um 18:47 schrieb James:> On 10/12/2015 12:20 PM, Stefan Kania wrote: >> Hello, >> >> when I check ACLs on my sysvol I got the following errors: >> >> root at DKHHDC1:~# samba-tool gpo aclcheck ERROR(<type >> 'exceptions.KeyError'>): uncaught exception - 'No such element' >> File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line >> 175, in _run return self.run(*args, **kwargs) File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line >> 1150, in run ds_sd_ndr = m['nTSecurityDescriptor'][0] >> >> >> root at DKHHDC1:~# samba-tool ntacl sysvolcheck ERROR(<type >> 'exceptions.TypeError'>): uncaught exception - (2, 'No such file >> or directory') File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line >> 175, in _run return self.run(*args, **kwargs) File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line >> 249, in run lp) File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1733, in checksysvolacl direct_db_access) File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1684, in check_gpos_acl domainsid, direct_db_access) File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1628, in check_dir_acl fsacl = getntacl(lp, path, >> direct_db_access=direct_db_access, service=SYSVOL_SERVICE) File >> "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in >> getntacl xattr.XATTR_NTACL_NAME) >> >> Then I tried to fix erros. Doing this, I got the next errors >> >> root at DKHHDC1:~# samba-tool ntacl sysvolreset open: error=2 (No >> such file or directory) ERROR(runtime): uncaught exception - >> (-1073741823, 'Undetermined error') File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line >> 175, in _run return self.run(*args, **kwargs) File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line >> 218, in run lp, use_ntvfs=use_ntvfs) File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1619, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, >> domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1524, in set_gpos_acl passdb=passdb) File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1487, in set_dir_acl setntacl(lp, path, acl, domsid, >> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, >> service=service) File >> "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in >> setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | >> security.SECINFO_GROUP | security.SECINFO_DACL | >> security.SECINFO_SACL, sd, service=service) >> >> When I check the database everything is ok. >> >> root at DKHHDC1:~# samba-tool dbcheck Checking 1185 objects Checked >> 1185 objects (0 errors) >> >> Here are the permissions in sysvol: >> >> root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/Policies/ >> insgesamt 80 drwxrws---+ 6 root 3000000 4096 Jun 25 2014 >> {08BE834B-49D1-4F47-950E-C0D0CB4D2486} drwxrws---+ 6 root >> 3000015 4096 Nov 5 2013 {31B2F340-016D-11D2-945F-00C04FB984F9} >> drwxrws---+ 4 3000015 3000015 4096 Mai 15 2014 >> {4D8D96AA-C7E4-47F9-A8AF-D1D72CA6CBA1} drwxrws---+ 4 3000015 >> 3000015 4096 Nov 11 2014 {5C3768B4-E734-4168-A370-E0BB95C00B29} >> drwxrws---+ 4 3000015 3000015 4096 Mär 1 2013 >> {6AC1786C-016F-11D2-945F-00C04FB984F9} drwxrws---+ 5 3000015 >> 3000015 4096 Jun 11 2014 {6FBD7831-E891-41A4-A5FA-B3BCCEAEA519} >> drwxrws---+ 4 3000015 3000015 4096 Mai 26 2014 >> {8DD38317-E675-4042-84DD-0CF499F8C5F1} drwxrws---+ 5 3000015 >> 3000015 4096 Mär 23 2015 {9C353A54-854E-4CA5-A038-98B5F935627A} >> drwxrws---+ 4 3000015 3000015 4096 Dez 3 2014 >> {A42F9750-57C8-4E48-8928-EF22B6E27CAE} drwxrws---+ 5 3000015 >> 3000015 4096 Jun 16 2014 {EE730522-233D-47BB-A05C-058B5D9E10DB} >> >> root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/ insgesamt >> 24 drwxrws---+ 12 root 3000000 4096 Jan 29 2015 Policies >> drwxrws---+ 5 root 3000000 4096 Jun 30 2014 scripts drwxrws---+ >> 10 root 3000000 4096 Mär 26 2013 StarterGPOs >> >> YES I know .local is not a good choice, but it is as it is NOT >> my choice >> >> All GPOs are working >> >> One more thing. The old DC was a selfcompiled Samba 4 with >> /usr/local/samba/sysvol. The new one is running the >> sernet-packeges with /var/lib/samba/sysvol als path. >> >> Where should I look next? >> >> >> Thank you >> >> Stefan >> > Hello, > > Can you post your smb.conf? >Here are the smb.conf - --------------# Global parameters [global] workgroup = DKHH realm = dkhh.local netbios name = DKHHDC2 server role = active directory domain controller dns forwarder = 172.16.0.52 allow dns updates = nonsecure [netlogon] path = /var/lib/samba/sysvol/dkhh.local/scripts read only = No write ok = Yes [sysvol] path = /var/lib/samba/sysvol read only = No write ok = Yes -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlYczOQACgkQ2JOGcNAHDTZ2TQCfWc+u/IytXLsB4+EJw8xVULpC q5IAnjAZ4zxi4PLmWZPAgvQw2e+DVRcn =7cAX -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 13.10.2015 um 11:20 schrieb Stefan Kania:> Am 12.10.2015 um 18:47 schrieb James: >> On 10/12/2015 12:20 PM, Stefan Kania wrote: >>> Hello, >>> >>> when I check ACLs on my sysvol I got the following errors: >>> >>> root at DKHHDC1:~# samba-tool gpo aclcheck ERROR(<type >>> 'exceptions.KeyError'>): uncaught exception - 'No such element' >>> File >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >>> line 175, in _run return self.run(*args, **kwargs) File >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line >>> 1150, in run ds_sd_ndr = m['nTSecurityDescriptor'][0] >>> >>> >>> root at DKHHDC1:~# samba-tool ntacl sysvolcheck ERROR(<type >>> 'exceptions.TypeError'>): uncaught exception - (2, 'No such >>> file or directory') File >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >>> line 175, in _run return self.run(*args, **kwargs) File >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line >>> 249, in run lp) File >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >>> line 1733, in checksysvolacl direct_db_access) File >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >>> line 1684, in check_gpos_acl domainsid, direct_db_access) >>> File >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >>> line 1628, in check_dir_acl fsacl = getntacl(lp, path, >>> direct_db_access=direct_db_access, service=SYSVOL_SERVICE) >>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line >>> 73, in getntacl xattr.XATTR_NTACL_NAME) >>> >>> Then I tried to fix erros. Doing this, I got the next errors >>> >>> root at DKHHDC1:~# samba-tool ntacl sysvolreset open: error=2 (No >>> such file or directory) ERROR(runtime): uncaught exception - >>> (-1073741823, 'Undetermined error') File >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >>> line 175, in _run return self.run(*args, **kwargs) File >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line >>> 218, in run lp, use_ntvfs=use_ntvfs) File >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >>> line 1619, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, >>> domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) >>> File >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >>> line 1524, in set_gpos_acl passdb=passdb) File >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >>> line 1487, in set_dir_acl setntacl(lp, path, acl, domsid, >>> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, >>> service=service) File >>> "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, >>> in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | >>> security.SECINFO_GROUP | security.SECINFO_DACL | >>> security.SECINFO_SACL, sd, service=service) >>> >>> When I check the database everything is ok. >>> >>> root at DKHHDC1:~# samba-tool dbcheck Checking 1185 objects >>> Checked 1185 objects (0 errors) >>> >>> Here are the permissions in sysvol: >>> >>> root at DKHHDC1:~# ls -l >>> /var/lib/samba/sysvol/dkhh.local/Policies/ insgesamt 80 >>> drwxrws---+ 6 root 3000000 4096 Jun 25 2014 >>> {08BE834B-49D1-4F47-950E-C0D0CB4D2486} drwxrws---+ 6 root >>> 3000015 4096 Nov 5 2013 >>> {31B2F340-016D-11D2-945F-00C04FB984F9} drwxrws---+ 4 3000015 >>> 3000015 4096 Mai 15 2014 >>> {4D8D96AA-C7E4-47F9-A8AF-D1D72CA6CBA1} drwxrws---+ 4 3000015 >>> 3000015 4096 Nov 11 2014 >>> {5C3768B4-E734-4168-A370-E0BB95C00B29} drwxrws---+ 4 3000015 >>> 3000015 4096 Mär 1 2013 >>> {6AC1786C-016F-11D2-945F-00C04FB984F9} drwxrws---+ 5 3000015 >>> 3000015 4096 Jun 11 2014 >>> {6FBD7831-E891-41A4-A5FA-B3BCCEAEA519} drwxrws---+ 4 3000015 >>> 3000015 4096 Mai 26 2014 >>> {8DD38317-E675-4042-84DD-0CF499F8C5F1} drwxrws---+ 5 3000015 >>> 3000015 4096 Mär 23 2015 >>> {9C353A54-854E-4CA5-A038-98B5F935627A} drwxrws---+ 4 3000015 >>> 3000015 4096 Dez 3 2014 >>> {A42F9750-57C8-4E48-8928-EF22B6E27CAE} drwxrws---+ 5 3000015 >>> 3000015 4096 Jun 16 2014 >>> {EE730522-233D-47BB-A05C-058B5D9E10DB} >>> >>> root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/ >>> insgesamt 24 drwxrws---+ 12 root 3000000 4096 Jan 29 2015 >>> Policies drwxrws---+ 5 root 3000000 4096 Jun 30 2014 scripts >>> drwxrws---+ 10 root 3000000 4096 Mär 26 2013 StarterGPOs >>> >>> YES I know .local is not a good choice, but it is as it is >>> NOT my choice >>> >>> All GPOs are working >>> >>> One more thing. The old DC was a selfcompiled Samba 4 with >>> /usr/local/samba/sysvol. The new one is running the >>> sernet-packeges with /var/lib/samba/sysvol als path. >>> >>> Where should I look next? >>> >>> >>> Thank you >>> >>> Stefan >>> >> Hello, > >> Can you post your smb.conf? > > Here are the smb.conf --------------# Global parameters [global] > workgroup = DKHH realm = dkhh.local netbios name = DKHHDC2 server > role = active directory domain controller dns forwarder > 172.16.0.52 allow dns updates = nonsecure > > [netlogon] path = /var/lib/samba/sysvol/dkhh.local/scripts read > only = No write ok = Yes > > [sysvol] path = /var/lib/samba/sysvol read only = No write ok > Yes > > > >During the migration from old samba4 self-compiled to new samba4 Sernet-Packages one of the GPO-Entries in /var/lib/samba/sysvol/Policies/ was not copied. After reinstalling the missing GPO everything works fine. Stefan -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlYc4G8ACgkQ2JOGcNAHDTYpGgCfdxJfdlNG5aLZV2TkImN7wCYN t+kAnAtatHZEhX/04Pt2pEvo3yzuMHOC =BilN -----END PGP SIGNATURE-----
On 10/13/2015 6:43 AM, Stefan Kania wrote:> Am 13.10.2015 um 11:20 schrieb Stefan Kania: > > Am 12.10.2015 um 18:47 schrieb James: > >> On 10/12/2015 12:20 PM,Stefan Kania wrote: > >>> Hello, > >>> > >>> when I check ACLs on my sysvol I got the following errors: > >>> > >>> root at DKHHDC1:~# samba-tool gpo aclcheck ERROR(<type > >>> 'exceptions.KeyError'>): uncaught exception - 'No such element' > >>> File > >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > >>> line 175, in _run return self.run(*args, **kwargs) File > >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line > >>> 1150, in run ds_sd_ndr = m['nTSecurityDescriptor'][0] > >>> > >>> > >>> root at DKHHDC1:~# samba-tool ntacl sysvolcheck ERROR(<type > >>> 'exceptions.TypeError'>): uncaught exception - (2, 'No such > >>> file or directory') File > >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > >>> line 175, in _run return self.run(*args, **kwargs) File > >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line > >>> 249, in run lp) File > >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > >>> line 1733, in checksysvolacl direct_db_access) File > >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > >>> line 1684, in check_gpos_acl domainsid, direct_db_access) > >>> File >>>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > >>> line 1628, in check_dir_acl fsacl = getntacl(lp, path, > >>>direct_db_access=direct_db_access, service=SYSVOL_SERVICE) > >>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line > >>> 73, in getntacl xattr.XATTR_NTACL_NAME) > >>> > >>> Then I tried to fix erros. Doing this, I got the next errors > >>> > >>> root at DKHHDC1:~# samba-tool ntacl sysvolreset open: error=2 (No > >>> such file or directory) ERROR(runtime): uncaught exception - > >>> (-1073741823, 'Undetermined error') File > >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > >>> line 175, in _run return self.run(*args, **kwargs) File > >>> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line > >>> 218, in run lp, use_ntvfs=use_ntvfs) File > >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > >>> line 1619, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, > >>> domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) > >>> File> >>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > >>> line 1524, in set_gpos_acl passdb=passdb) File > >>>"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > >>> line 1487, in set_dir_acl setntacl(lp, path, acl, domsid, > >>> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, > >>> service=service) File > >>> "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, > >>> in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | > >>> security.SECINFO_GROUP | security.SECINFO_DACL | > >>> security.SECINFO_SACL, sd, service=service) > >>> > >>> When I check the database everything is ok. > >>> > >>> root at DKHHDC1:~# samba-tool dbcheck Checking 1185 objects > >>> Checked 1185 objects (0 errors) >>>> > >>> Here are the permissions in sysvol: > >>> > >>>root at DKHHDC1:~# ls -l > >>> /var/lib/samba/sysvol/dkhh.local/Policies/ insgesamt 80 > >>> drwxrws---+ 6 root 3000000 4096 Jun 25 2014 > >>> {08BE834B-49D1-4F47-950E-C0D0CB4D2486} drwxrws---+ 6 root > >>> 3000015 4096 Nov 5 2013 > >>> {31B2F340-016D-11D2-945F-00C04FB984F9} drwxrws---+ 4 3000015 > >>> 3000015 4096 Mai 15 2014 > >>> {4D8D96AA-C7E4-47F9-A8AF-D1D72CA6CBA1} drwxrws---+ 4 3000015 > >>> 3000015 4096 Nov 11 2014 > >>> {5C3768B4-E734-4168-A370-E0BB95C00B29} drwxrws---+ 4 3000015 > >>> 3000015 4096 Mär 1 2013 > >>> {6AC1786C-016F-11D2-945F-00C04FB984F9} drwxrws---+ 5 3000015 > >>> 3000015 4096 Jun 11 2014 > >>> {6FBD7831-E891-41A4-A5FA-B3BCCEAEA519} drwxrws---+ 4 3000015 > >>> 3000015 4096 Mai 26 2014 > >>> {8DD38317-E675-4042-84DD-0CF499F8C5F1} drwxrws---+ 5 3000015 > >>> 3000015 4096 Mär 23 2015 > >>> {9C353A54-854E-4CA5-A038-98B5F935627A} drwxrws---+ 4 3000015 > >>> 3000015 4096 Dez 3 2014 > >>> {A42F9750-57C8-4E48-8928-EF22B6E27CAE} drwxrws---+ 5 3000015 > >>> 3000015 4096 Jun 16 2014 > >>> {EE730522-233D-47BB-A05C-058B5D9E10DB} >>>> > >>> root at DKHHDC1:~# ls -l /var/lib/samba/sysvol/dkhh.local/ > >>>insgesamt 24 drwxrws---+ 12 root 3000000 4096 Jan 29 2015 > >>> Policies drwxrws---+ 5 root 3000000 4096 Jun 30 2014 scripts > >>> drwxrws---+ 10 root 3000000 4096 Mär 26 2013 StarterGPOs > >>> > >>> YES I know .local is not a good choice, but it is as it is > >>> NOT my choice > >>> > >>> All GPOs are working > >>> > >>> One more thing. The old DC was a selfcompiled Samba 4 with > >>> /usr/local/samba/sysvol. The new one is running the > >>> sernet-packeges with /var/lib/samba/sysvol als path. > >>> > >>> Where should I look next? >>>> > >>> > >>> Thank you > >>> > >>> Stefan > >>> > >> Hello, > > >>Can you post your smb.conf? > > > Here are the smb.conf --------------# Global parameters [global] > > workgroup = DKHH realm = dkhh.local netbios name = DKHHDC2 server > > role = active directory domain controller dns forwarder = > > 172.16.0.52 allow dns updates = nonsecure> > > [netlogon] path = /var/lib/samba/sysvol/dkhh.local/scripts read > > only = No write ok = Yes > > > [sysvol] path = /var/lib/samba/sysvolread only = No write ok = > > Yes > > > > > > During the migration from old samba4 self-compiled to new samba4 > Sernet-Packages one of the GPO-Entries in > /var/lib/samba/sysvol/Policies/ was not copied. After reinstalling the > missing GPO everything works fine. > > Stefan>From past experience deleting or changing permissions on a GPO fromwithin the sysvol will prompt this error. -- -James