Colleagues,
I come to seek help to solve this problem. I use Samba 4.4.5.
I'm getting errors when running gpupdate /force on local desktops.
I get the following error:
User policy could not be updated successfully. The following errors were
encountered:
The processing of Group Policy failed. Windows could not apply the
registry-based policy settings for the Group Policy object
LDAP://CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local.
Group Policy settings will not be resolved until this event is resolved. View
the event details for more information on the file name and path that caused the
failure.
The following warnings were encountered during user policy processing:
Windows failed to apply the Scripts settings. Scripts settings might have its
own log file. Please click on the "More information" link.
Computer policy could not be updated successfully. The following errors were
encountered:
The processing of Group Policy failed. Windows could not apply the
registry-based policy settings for the Group Policy object
LDAP://CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local.
Group Policy settings will not be resolved until this event is resolved. View
the event details for more information on the file name and path that caused the
failure.
In the Samba log I see this error:
Oct 5 08:32:53 srv14 smbd_audit: DOMAIN\VMWIN10_|172.16.16.158|sysvol|3000019|stat|fail (File or directory not found)|domain.local/Policies/{0F5704BA-11D0-4D46-A138-34A085A4E44D}/gpt.ini
Oct 5 08:32:54 srv14 smbd_audit: DOMAIN\iuser|172.16.16.158|sysvol|users|stat|fail (File or directory not found)|domain.local/Policies/{7E0FAD97-3DFB-4C01-B35F-5EB3FD63E371}/gpt.ini
I checked the directory and confirmed that the file exists.
I already tried to reset the Sysvol, but I get this error:
# samba-tool ntacl sysvolreset -d3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [full_audit]
Module 'full_audit' loaded
Segmentation fault (core of the recorded image)
Could someone help me?
On 10/5/2016 8:05 AM, Ricardo Pardim Claus via samba wrote:
> Segmentation fault (core of the recorded image)

Did GPO's ever work?
Can you run 'samba-tool ntacl sysvolcheck' and report the status?
Even though the file exists physically, the permissions may not be correct.

--
-James
Just waking from my nap but several things:
A - I believe I read several times it is not advised to use ".local" as top level domain.
B - samba-tool should not segfault during sysvolreset
C - most generally GPO update issues are linked to access rights of user or computer accessing the share or the file(s).

I wouldn't bother for now about the A.
I would solve the segfault first (B).
Finally once Samba is working fully again (including sysvolreset I mean) I would have a look at rights (issue on rights when accessing GPO folder seems to happen mainly when several DCs are involved).

2016-10-05 14:05 GMT+02:00 Ricardo Pardim Claus via samba <samba at lists.samba.org>:
> Colleagues,
>
> I come to seek help to solve this problem. I use Samba 4.4.5.
> I'm getting errors when running gpupdate / force on local desktops.
> I get the following error:
>
> User policy could not be updated successfully. The following errors were
> encountered:
>
>
> The processing of Group Policy failed. Windows could not apply the
> registry-based policy settings for the Group Policy object
> LDAP://CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},
> CN=Policies,CN=System,DC=domain,DC=local. Group Policy settings will not
> be resolved until this event is resolved. View the event details for more
> information on the file name and path that caused the failure.
> The following warnings were encountered during user policy processing:
>
> Windows failed to apply the Scripts settings. Scripts settings might have
> its own log file. Please click on the "More information" link.
> Computer policy could not be updated successfully. The following errors
> were encountered:
>
> The processing of Group Policy failed. Windows could not apply the
> registry-based policy settings for the Group Policy object
> LDAP://CN=Machine,CN={31B2F340-016D-11D2-945F-
> 00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local. Group Policy
> settings will not be resolved until this event is resolved. View the event
> details for more information on the file name and path that caused the
> failure.
>
> In the Samba log I see this error:
>
> Oct 5 08:32:53 srv14 smbd_audit: DOMAIN\VMWIN10_|172.16.16.158|sysvol|3000019|stat|fail
> (File or directory not found)|domain.local/Policies/{
> 0F5704BA-11D0-4D46-A138-34A085A4E44D}/gpt.ini
> Oct 5 08:32:54 srv14 smbd_audit: DOMAIN\iuser|172.16.16.158|sysvol|users|stat|fail
> (File or directory not found)|domain.local/Policies/{
> 7E0FAD97-3DFB-4C01-B35F-5EB3FD63E371}/gpt.ini
>
>
> I checked the directory and confirmed that the file exists.
>
>
> Already I tried to reset the Sysvol, but I get this error:
>
> # samba-tool ntacl sysvolreset -d3
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> lp_load_ex: refreshing parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [full_audit]
> Module 'full_audit' loaded
>
> Segmentation fault (core of the recorded image)
>
> Could someone help me?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Dear James and Lingpanda
Here I have 2 DC's running. Everything was running perfectly.
The problem started after I started to rsync to synchronize the Sysvol folder
between DC's.
I believe it is a permission problem in the GPO's or Sysvol folder.
Another detail: even when accessing the gpedit Group Policy Manager via RSAT using the
Administrator user, I can no longer edit any GPO. I get an access denied error.
When I browse through the folders of GPO's, I do not get an access denied
error.
Does anyone know how I can fix this problem?
How do I fix the permissions?
The errors returned by the commands follow:
# samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /usr/local/samba/var/locks/sysvol/domain.local
O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD)
does not match expected value
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
from provision
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
# getfacl /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/GPT.INI
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/domain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
# owner: 3000000
# group: 3000025
user::rwx
user:3000012:r-x
user:3000025:rwx
user:3000026:r-x
group::rwx
group:users:r-x
group:3000000:rwx
group:3000012:r-x
group:3000025:rwx
group:3000026:r-x
mask::rwx
other::---
# getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:3000010:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000010:rwx
default:mask::rwx
default:other::---
>> Segmentation fault (core of the recorded image)
> Did GPO's ever work?
> Can you run 'samba-tool ntacl sysvolcheck' and report the status?
> Even though the file exists physically, the permissions may not be correct.
> --
> -James

> Just waking from my nap but several things:
> A - I believe I read several times it is not advised to use ".local" as top level domain.
> B - samba-tool should not segfault during sysvolreset
> C - most generally GPO update issues are linked to access rights of user or computer accessing the share or the file(s).
> I wouldn't bother for now about the A.
> I would solve the segfault first (B).
> Finally once Samba is working fully again (including sysvolreset I mean) I would have a look at rights (issue on rights when accessing GPO folder seems to happen mainly when several DCs are involved).
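
The two SDDL strings in the sysvolcheck error above can be compared field by field to see exactly what drifted from the provisioned ACL. This is an added example, not part of the original thread and not Samba's own code; it assumes allow-type ACEs with hex access masks, as in the quoted output, and the function names are hypothetical.

```python
import re

# SDDL strings copied from the sysvolcheck error quoted in the thread.
ACTUAL = ("O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)"
          "(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)"
          "(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)"
          "(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)"
          "(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

SID = r"[A-Z]{2}|S-[0-9-]+"   # two-letter alias or numeric SID
SDDL_RE = re.compile(
    rf"^(?:O:(?P<owner>{SID}))?(?:G:(?P<group>{SID}))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*))?"
    r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and per-trustee rights."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unrecognised SDDL string")
    rights, inherited = {}, 0
    for body in re.findall(r"\(([^)]*)\)", m["dacl"] or ""):
        _type, flags, mask, _obj, _inherit_obj, trustee = body.split(";")
        rights.setdefault(trustee, set()).add(mask.lower())
        inherited += "ID" in re.findall("..", flags)  # ACE flags are 2-letter tokens
    return {"owner": m["owner"], "group": m["group"], "rights": rights,
            "protected": "P" in (m["dflags"] or ""), "inherited": inherited,
            "sacl": bool(m["sacl"])}

def diff_sddl(actual, expected):
    """Return a list of differences between two security descriptors."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = [f"{k}: {a[k]} (expected {e[k]})" for k in ("owner", "group") if a[k] != e[k]]
    if e["protected"] and not a["protected"]:
        out.append("DACL not protected: P flag missing")
    if a["inherited"] != e["inherited"]:
        out.append(f"inherited ACEs: {a['inherited']} (expected {e['inherited']})")
    if a["sacl"] != e["sacl"]:
        out.append(f"SACL present: {a['sacl']} (expected {e['sacl']})")
    for t in sorted(a["rights"].keys() | e["rights"].keys()):
        got, want = a["rights"].get(t, set()), e["rights"].get(t, set())
        if got != want:
            out.append(f"trustee {t}: {sorted(got)} (expected {sorted(want)})")
    return out

if __name__ == "__main__":
    print("\n".join(diff_sddl(ACTUAL, EXPECTED)))
```
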
Hai,
After the latest MS security fixes, user group policies are retrieved by using the
computer’s security context.
Now read:
https://bugzilla.samba.org/show_bug.cgi?id=11997
and due to that you have a problem. You can work around it.
Try the following.
[sysvol]
path = /path_to/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes
Now restart samba, and do the sysvol reset.
If you have multiple DC's, I suggest you sync sysvol and the idmap.tdb also.
* idmap.tdb, samba must be stopped to copy it, only needed once per new DC.
And do read the link below, it explains a lot.
Link:
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ricardo Pardim
> Claus via samba
> Sent: Wednesday 5 October 2016 14:05
> To: samba at lists.samba.org
> Subject: [Samba] Failure gpupdate
>
> Colleagues,
>
> I come to seek help to solve this problem. I use Samba 4.4.5.
> I'm getting errors when running gpupdate / force on local desktops.
> I get the following error:
>
> User policy could not be updated successfully. The following errors were
> encountered:
>
>
> The processing of Group Policy failed. Windows could not apply the
> registry-based policy settings for the Group Policy object
> LDAP://CN=User,CN={31B2F340-016D-11D2-945F-
> 00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local. Group Policy
> settings will not be resolved until this event is resolved. View the event
> details for more information on the file name and path that caused the
> failure.
> The following warnings were encountered during user policy processing:
>
> Windows failed to apply the Scripts settings. Scripts settings might have
> its own log file. Please click on the "More information" link.
> Computer policy could not be updated successfully. The following errors
> were encountered:
>
> The processing of Group Policy failed. Windows could not apply the
> registry-based policy settings for the Group Policy object
> LDAP://CN=Machine,CN={31B2F340-016D-11D2-945F-
> 00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local. Group Policy
> settings will not be resolved until this event is resolved. View the event
> details for more information on the file name and path that caused the
> failure.
>
> In the Samba log I see this error:
>
> Oct 5 08:32:53 srv14 smbd_audit:
> DOMAIN\VMWIN10_|172.16.16.158|sysvol|3000019|stat|fail (File or directory
> not found)|domain.local/Policies/{0F5704BA-11D0-4D46-A138-
> 34A085A4E44D}/gpt.ini
> Oct 5 08:32:54 srv14 smbd_audit:
> DOMAIN\iuser|172.16.16.158|sysvol|users|stat|fail (File or directory not
> found)|domain.local/Policies/{7E0FAD97-3DFB-4C01-B35F-
> 5EB3FD63E371}/gpt.ini
>
>
> I checked the directory and confirmed that the file exists.
>
>
> Already I tried to reset the Sysvol, but I get this error:
>
> # samba-tool ntacl sysvolreset -d3
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> lp_load_ex: refreshing parameters
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [full_audit]
> Module 'full_audit' loaded
>
> Segmentation fault (core of the recorded image)
>
> Could someone help me?