Jonathan Hunter
2016-Sep-11 21:55 UTC
[Samba] samba-tool ntacl sysvolreset - NT_STATUS_BUFFER_TOO_SMALL
Hi, After making progress with my scripts for software installation (thanks, Rowland!) I am on a bit of a mission to get things working again. I found that permissions on my sysvol share were somehow incorrect (group ownership was root, etc.) so I ran 'samba-tool ntacl sysvolreset'.. however this now fails with the following error. (I'm on Samba 4.5.0) user at dc2:~ $ sudo /usr/local/samba/bin/samba-tool ntacl sysvolreset set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL. ERROR(runtime): uncaught exception - (-1073741789, 'Buffer too small') File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run lp, use_ntvfs=use_ntvfs) File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1606, in setsysvolacl passdb=s4_passdb, service=SYSVOL_SERVICE) File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service) I'm not really sure what might be causing this.. I have a '-d10' trace, and the last section before the exception is as follows: et_nt_acl_internal: name=/usr/local/samba/var/locks/sysvol/ mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:107) parse_acl_blob: ndr_pull_xattr_NTACL failed: Buffer Size Error validate_nt_acl_blob: parse_acl_blob returned NT_STATUS_BUFFER_TOO_SMALL get_nt_acl_internal: ACL validation for [/usr/local/samba/var/locks/sysvol/ n-client.ninja.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine] failed set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL. delete_lock_ref_count for file /usr/local/samba/var/locks/sysvol/ n-client.ninja.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine I don't really know where to look next, though.. Cheers, Jonathan -- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Jonathan Hunter
2016-Sep-23 22:49 UTC
[Samba] samba-tool ntacl sysvolreset - NT_STATUS_BUFFER_TOO_SMALL
Hi, I'm still getting these errors when I run 'samba-tool ntacl sysvolreset'. On 11 September 2016 at 22:55, Jonathan Hunter <jmhunter1 at gmail.com> wrote:> > (I'm on Samba 4.5.0) > > user at dc2:~ $ sudo /usr/local/samba/bin/samba-tool ntacl sysvolreset > set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL. > ERROR(runtime): uncaught exception - (-1073741789, 'Buffer too small') > File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run > return self.run(*args, **kwargs) > File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run > lp, use_ntvfs=use_ntvfs) > File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1606, in setsysvolacl > passdb=s4_passdb, service=SYSVOL_SERVICE) > File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl > smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)I guess nobody has seen these before. Unfortunately I've had a look at the various Python files above, and I have to confess I am not a Python coder - I don't really know where to start, in order to insert some debug statements to print out various variables and see if I can figure out exactly which buffer is too small, and why. Is anyone familiar with this code and could possibly point me in the right direction of where I might be able to debug this further? I don't think I have a particularly large number of files in my sysvol folder.. but I'm not sure what else it might be trying to do, or which buffer is full. $ sudo find /usr/local/samba/var/locks/sysvol/ | wc -l 679 I have a nagging feeling it might be to do with me allocating UIDs/GIDs to various groups in AD, using rfc2307 attributes.. but I'm not certain of this, and am unsure as to how to check if that is indeed what is causing the errors. Cheers Jonathan -- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Jonathan Hunter
2016-Sep-28 13:54 UTC
[Samba] samba-tool ntacl sysvolreset - NT_STATUS_BUFFER_TOO_SMALL
OK, I've traced this a little further on now. I think I have followed the trail via the following items that call or refer to each other in turn: - python samba-tool ntacl sysvolreset - source3/smbd/pysmbd.c: SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd); - source3/include/vfs_macros.h:#define SMB_VFS_FSET_NT_ACL smb_vfs_call_fset_nt_acl - source3/smbd/vfs.c:NTSTATUS smb_vfs_call_fset_nt_acl [which calls fset_nt_acl_fn] - source3/modules/vfs_acl_xattr.c: .fset_nt_acl_fn = fset_nt_acl_common - source3/modules/vfs_acl_common.c:static NTSTATUS fset_nt_acl_common - source3/modules/vfs_acl_common.c: parse_acl_blob() [which seems to be where the error occurs] However it appears that I'm now trying to debug the VFS modules in Samba, which isn't quite where I thought I would end up when I started looking into this error :) I've found a couple of Python debugger tools, which got me out of the python samba-tool code and into the Samba source3/modules/vfs* code.. but just as I had never debugged python before, I've also never debugged any Samba C code before. Does anyone have any tips or guidance as to how I can further find out which part of parse_acl_blob() is failing and why it is returning NT_STATUS_BUFFER_TOO_SMALL? I have a feeling it is something to do with the ndr_pull_error shown in the level 10 trace above.. but I'm quite far down the rabbit hole here and at this stage don't know what NDR pull errors would be, or what I'd need to do to find them. How do I confirm which of the many VFS modules I am using in my installation - I expect it is probably vfs_acl_xattr but can I confirm somehow? I am running ext4 and have nothing set in smb.conf, I've never consciously set any VFS settings. And are there any tips on how to debug this part of the code? It's on a running DC so I don't want to do anything too major.. but can perhaps I recompile vfs_acl_xattr to add some printf() statements in key places and have this patched version called by the python samba-tool code somehow? Any pointers appreciated, I do want to get my samba-tool ntacl sysvolreset working again as it's causing issues :( Jonathan On 11 September 2016 at 22:55, Jonathan Hunter <jmhunter1 at gmail.com> wrote:> user at dc2:~ $ sudo /usr/local/samba/bin/samba-tool ntacl sysvolreset > set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL. > ERROR(runtime): uncaught exception - (-1073741789, 'Buffer too small') > [...] > File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line > 162, in setntacl > smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | > security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service) > > I'm not really sure what might be causing this.. I have a '-d10' trace, and > the last section before the exception is as follows: > > et_nt_acl_internal: > name=/usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine > ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:107) > parse_acl_blob: ndr_pull_xattr_NTACL failed: Buffer Size Error > validate_nt_acl_blob: parse_acl_blob returned NT_STATUS_BUFFER_TOO_SMALL > get_nt_acl_internal: ACL validation for > [/usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine] > failed > set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL. > delete_lock_ref_count for file > /usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine >-- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Jonathan Hunter
2016-Oct-06 07:44 UTC
[Samba] samba-tool ntacl sysvolreset - NT_STATUS_BUFFER_TOO_SMALL
On 28 September 2016 at 14:54, Jonathan Hunter <jmhunter1 at gmail.com> wrote:> OK, I've traced this a little further on now. > > I think I have followed the trail via the following items that call or > refer to each other in turn:In the meantime, as a workaround until I can figure out why 'samba-tool ntacl sysvolreset' is failing with this error... can I use 'setfacl -R' to set permissions on my sysvol share? My GPOs are failing at the moment and I am no further forward towards figuring out why. Does sysvolreset set different permissions at any point further down the sysvol directory structure, or can I just take the top level sysvol permissions and propagate them all the way down? (I'm now wondering why more people don't simply use setfacl -R.. there must be something else that sysvolreset does?) Cheers Jonathan -- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
L.P.H. van Belle
2016-Oct-06 08:00 UTC
[Samba] samba-tool ntacl sysvolreset - NT_STATUS_BUFFER_TOO_SMALL
Hai, Run the following. Backup the current rights. getfacl /usr/local/samba/var/locks/sysvol/mydomain.org.uk > sysvol-before.acl now, copy (backup) the (domain sysvol) /usr/local/samba/var/locks/sysvol/mydomain.org.uk Now remove all content from /usr/local/samba/var/locks/sysvol/mydomain.org.uk/* run sysvol reset. Get the rights applies by samba-tool getfacl /usr/local/samba/var/locks/sysvol/mydomain.org.uk > sysvol-after.acl copy the content back to /usr/local/samba/var/locks/sysvol/mydomain.org.uk/ reapply the all rights recursive. setfacl -R -b -M sysvol-after.acl /usr/local/samba/var/locks/sysvol/mydomain.org.uk try if that helps fixing sysvol. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Jonathan Hunter > via samba > Verzonden: donderdag 6 oktober 2016 9:44 > Aan: samba > Onderwerp: Re: [Samba] samba-tool ntacl sysvolreset - > NT_STATUS_BUFFER_TOO_SMALL > > On 28 September 2016 at 14:54, Jonathan Hunter <jmhunter1 at gmail.com> > wrote: > > OK, I've traced this a little further on now. > > > > I think I have followed the trail via the following items that call or > > refer to each other in turn: > > In the meantime, as a workaround until I can figure out why > 'samba-tool ntacl sysvolreset' is failing with this error... can I use > 'setfacl -R' to set permissions on my sysvol share? My GPOs are > failing at the moment and I am no further forward towards figuring out > why. > > Does sysvolreset set different permissions at any point further down > the sysvol directory structure, or can I just take the top level > sysvol permissions and propagate them all the way down? > > (I'm now wondering why more people don't simply use setfacl -R.. there > must be something else that sysvolreset does?) > > Cheers > > Jonathan > > -- > "If we knew what it was we were doing, it would not be called > research, would it?" > - Albert Einstein > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Reasonably Related Threads
- samba-tool ntacl sysvolreset - NT_STATUS_BUFFER_TOO_SMALL
- Issue with acl_xattr:ignore system acls in 4.5rc2
- roaming profile fails with NT_STATUS_BUFFER_TOO_SMALL
- Problem setting password: : failed to pull old supplementalCredentialsBlob: NT_STATUS_BUFFER_TOO_SMALL
- Problem setting password: : failed to pull old supplementalCredentialsBlob: NT_STATUS_BUFFER_TOO_SMALL