Ing. Claudio Nicora
2018-Jul-23 14:30 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC
I
get the error:
---
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
The requested operation was unsuccessful.')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
239, in run
lp, use_ntvfs=use_ntvfs)
File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
in
setntacl
smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL,
sd, service=service)
---
AFAIK this error is thrown when the script tries to set an NT permission
on a missing file;
it usually happens when a new GPO is created on the primary DC and it's
not yet replicated to other DCs, since sysvolreset uses AD to find
defined GPO items.
That said, I've cleaned up the whole sysvol folder on secondary DC,
rsync'ed all its content from primary DC then rerun sysvolreset: same error.
I've also run sysvolreset on the primary DC as well, and again I've got
the same error.
So now I suppose there's something wrong in AD, like an "orphaned"
GPO.
How do I know which GPO file is causing the error? (running samba-tool
with "-d 10" parameter gives no clue.
Full output (same on both DCs):
-------------------------------
# samba-tool ntacl sysvolreset -d 10
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Security token SIDs (1):
SID[ 0]: S-1-5-18
Privileges (0xFFFFFFFFFFFFFFFF):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProfileSingleProcessPrivilege
Privilege[ 15]: SeIncreaseBasePriorityPrivilege
Privilege[ 16]: SeLoadDriverPrivilege
Privilege[ 17]: SeCreatePagefilePrivilege
Privilege[ 18]: SeIncreaseQuotaPrivilege
Privilege[ 19]: SeChangeNotifyPrivilege
Privilege[ 20]: SeUndockPrivilege
Privilege[ 21]: SeManageVolumePrivilege
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 0):
lpcfg_servicenumber: couldn't find ldb
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter bind interfaces only = Yes
doing parameter interfaces = lo eth_lan
doing parameter netbios name = SRVSAMBA2
doing parameter realm = SAMDOM.LOCAL
doing parameter server role = active directory domain controller
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
doing parameter workgroup = SAMDOM
doing parameter ldap server require strong auth = no
doing parameter client ldap sasl wrapping = plain
doing parameter log level = 2 vfs:1
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
idmap range not specified for domain '*'
idmap range not specified for domain '*'
*****
***** huge lot of these lines...
*****
idmap range not specified for domain '*'
idmap range not specified for domain '*'
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed}
The requested operation was unsuccessful.')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
239, in run
lp, use_ntvfs=use_ntvfs)
File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1609, in setsysvolacl
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1502, in set_gpos_acl
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
in
setntacl
smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL,
sd, service=service)
L.P.H. van Belle
2018-Jul-23 14:45 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
Hai, Check these. https://www.google.nl/search?biw=1680&bih=888&ei=0-hVW7zQMqzkkgWIjqawDA&q=site%3Asamba.org+sysvol+permission&oq=site%3Asamba.org+sysvol+permission&gs_l=psy-ab.3...5368.10525.0.11916.17.14.3.0.0.0.72.580.14.14.0....0...1c.1.64.psy-ab..0.0.0....0.Ot64q9CRMN8 https://www.google.nl/search?biw=1680&bih=888&ei=4OhVW4_xH5L5kwXizI7YCQ&q=site%3Asamba.org+sysvol+reset&oq=site%3Asamba.org+sysvol+reset&gs_l=psy-ab.3...14561.18658.0.19243.13.8.5.0.0.0.47.336.8.8.0....0...1c.1.64.psy-ab..0.0.0....0.fIvwA6AUPAo The answer and workarounds are there. This is discussed so much. (sorry). Short version. Dont run sysvolreset and has an bug. Get the correct settings from my script. https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh And if you want to apply them, change in the script: APPLY_CHANGES_DIRECT="no" to yes.> ***** huge lot of these lines... > ***** > idmap range not specified for domain '*'And i suggest, you post your smb.conf. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ing. > Claudio Nicora via samba > Verzonden: maandag 23 juli 2018 16:30 > Aan: samba at lists.samba.org > Onderwerp: [Samba] sysvolreset error '{Operation Failed} The > requested operation was unsuccessful.' > > When I run samba-tool ntacl sysvolreset on my "secondary" > Samba AD DC I > get the error: > > --- > ERROR(runtime): uncaught exception - (-1073741823, > '{Operation Failed} > The requested operation was unsuccessful.') > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File > "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line > 239, in run > lp, use_ntvfs=use_ntvfs) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > line 1609, in setsysvolacl > set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, > use_ntvfs, passdb=s4_passdb) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > line 1502, in set_gpos_acl > use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, > service=SYSVOL_SERVICE) > File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", > line 162, in > setntacl > smbd.set_nt_acl(file, security.SECINFO_OWNER | > security.SECINFO_GROUP | security.SECINFO_DACL | > security.SECINFO_SACL, > sd, service=service) > --- > > AFAIK this error is thrown when the script tries to set an NT > permission > on a missing file; > it usually happens when a new GPO is created on the primary > DC and it's > not yet replicated to other DCs, since sysvolreset uses AD to find > defined GPO items. > That said, I've cleaned up the whole sysvol folder on secondary DC, > rsync'ed all its content from primary DC then rerun > sysvolreset: same error. > I've also run sysvolreset on the primary DC as well, and > again I've got > the same error. > > So now I suppose there's something wrong in AD, like an > "orphaned" GPO. > How do I know which GPO file is causing the error? (running > samba-tool > with "-d 10" parameter gives no clue. > > Full output (same on both DCs): > ------------------------------- > > # samba-tool ntacl sysvolreset -d 10 > INFO: Current debug levels: > all: 10 > tdb: 10 > printdrivers: 10 > lanman: 10 > smb: 10 > rpc_parse: 10 > rpc_srv: 10 > rpc_cli: 10 > passdb: 10 > sam: 10 > auth: 10 > winbind: 10 > vfs: 10 > idmap: 10 > quota: 10 > acls: 10 > locking: 10 > msdfs: 10 > dmapi: 10 > registry: 10 > scavenger: 10 > dns: 10 > ldb: 10 > tevent: 10 > auth_audit: 10 > auth_json_audit: 10 > kerberos: 10 > drs_repl: 10 > lpcfg_load: refreshing parameters from /etc/samba/smb.conf > Processing section "[global]" > Processing section "[netlogon]" > Processing section "[sysvol]" > pm_process() returned Yes > Security token SIDs (1): > SID[ 0]: S-1-5-18 > Privileges (0xFFFFFFFFFFFFFFFF): > Privilege[ 0]: SeMachineAccountPrivilege > Privilege[ 1]: SeTakeOwnershipPrivilege > Privilege[ 2]: SeBackupPrivilege > Privilege[ 3]: SeRestorePrivilege > Privilege[ 4]: SeRemoteShutdownPrivilege > Privilege[ 5]: SePrintOperatorPrivilege > Privilege[ 6]: SeAddUsersPrivilege > Privilege[ 7]: SeDiskOperatorPrivilege > Privilege[ 8]: SeSecurityPrivilege > Privilege[ 9]: SeSystemtimePrivilege > Privilege[ 10]: SeShutdownPrivilege > Privilege[ 11]: SeDebugPrivilege > Privilege[ 12]: SeSystemEnvironmentPrivilege > Privilege[ 13]: SeSystemProfilePrivilege > Privilege[ 14]: SeProfileSingleProcessPrivilege > Privilege[ 15]: SeIncreaseBasePriorityPrivilege > Privilege[ 16]: SeLoadDriverPrivilege > Privilege[ 17]: SeCreatePagefilePrivilege > Privilege[ 18]: SeIncreaseQuotaPrivilege > Privilege[ 19]: SeChangeNotifyPrivilege > Privilege[ 20]: SeUndockPrivilege > Privilege[ 21]: SeManageVolumePrivilege > Privilege[ 22]: SeImpersonatePrivilege > Privilege[ 23]: SeCreateGlobalPrivilege > Privilege[ 24]: SeEnableDelegationPrivilege > Rights (0x 0): > lpcfg_servicenumber: couldn't find ldb > Initial schema load needed, as we have no existing schema, seq_num: 1 > schema_fsmo_init: we are master[no] updates allowed[no] > Initial schema load needed, as we have no existing schema, seq_num: 1 > schema_fsmo_init: we are master[no] updates allowed[no] > lp_load_ex: refreshing parameters > Initialising global parameters > rlimit_max: increasing rlimit_max (1024) to minimum Windows > limit (16384) > Processing section "[global]" > doing parameter bind interfaces only = Yes > doing parameter interfaces = lo eth_lan > doing parameter netbios name = SRVSAMBA2 > doing parameter realm = SAMDOM.LOCAL > doing parameter server role = active directory domain controller > doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate > doing parameter workgroup = SAMDOM > doing parameter ldap server require strong auth = no > doing parameter client ldap sasl wrapping = plain > doing parameter log level = 2 vfs:1 > Processing section "[netlogon]" > Processing section "[sysvol]" > Processing section "[netlogon]" > Processing section "[sysvol]" > Processing section "[netlogon]" > Processing section "[sysvol]" > idmap range not specified for domain '*' > idmap range not specified for domain '*' > ***** > ***** huge lot of these lines... > ***** > idmap range not specified for domain '*' > idmap range not specified for domain '*' > open: error=2 (No such file or directory) > ERROR(runtime): uncaught exception - (-1073741823, > '{Operation Failed} > The requested operation was unsuccessful.') > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File > "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line > 239, in run > lp, use_ntvfs=use_ntvfs) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > line 1609, in setsysvolacl > set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, > use_ntvfs, passdb=s4_passdb) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > line 1502, in set_gpos_acl > use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, > service=SYSVOL_SERVICE) > File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", > line 162, in > setntacl > smbd.set_nt_acl(file, security.SECINFO_OWNER | > security.SECINFO_GROUP | security.SECINFO_DACL | > security.SECINFO_SACL, > sd, service=service) > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Rowland Penny
2018-Jul-23 14:59 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
On Mon, 23 Jul 2018 16:30:11 +0200 "Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote:> When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC > I get the error: > > --- > ERROR(runtime): uncaught exception - (-1073741823, '{Operation > Failed} The requested operation was unsuccessful.') > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", > line 239, in run > lp, use_ntvfs=use_ntvfs) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line > 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, > domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line > 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, > passdb=passdb, service=SYSVOL_SERVICE) > File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, > in setntacl > smbd.set_nt_acl(file, security.SECINFO_OWNER | > security.SECINFO_GROUP | security.SECINFO_DACL | > security.SECINFO_SACL, sd, service=service) > --- > > AFAIK this error is thrown when the script tries to set an NT > permission on a missing file; > it usually happens when a new GPO is created on the primary DC and > it's not yet replicated to other DCs, since sysvolreset uses AD to > find defined GPO items.When you join another DC, you get virtually nothing in sysvol, you need to sync it manually, but when a GPO is added it is not only stored in sysvol, it is also stored in AD. When you use sysvolreset, it is the GPO's stored in AD that are found first and then these are used to 'walk' sysvol, so if they exist in AD and not in sysvol, you get an error. There are several lines in the output I do not understand, so can you post your smb.conf. I would also double check just what is in sysvol on both machines. Rowland> That said, I've cleaned up the whole sysvol folder on secondary DC, > rsync'ed all its content from primary DC then rerun sysvolreset: same > error. I've also run sysvolreset on the primary DC as well, and again > I've got the same error. > > So now I suppose there's something wrong in AD, like an "orphaned" > GPO. How do I know which GPO file is causing the error? (running > samba-tool with "-d 10" parameter gives no clue. > > Full output (same on both DCs): > ------------------------------- > > # samba-tool ntacl sysvolreset -d 10 > INFO: Current debug levels: > all: 10 > tdb: 10 > printdrivers: 10 > lanman: 10 > smb: 10 > rpc_parse: 10 > rpc_srv: 10 > rpc_cli: 10 > passdb: 10 > sam: 10 > auth: 10 > winbind: 10 > vfs: 10 > idmap: 10 > quota: 10 > acls: 10 > locking: 10 > msdfs: 10 > dmapi: 10 > registry: 10 > scavenger: 10 > dns: 10 > ldb: 10 > tevent: 10 > auth_audit: 10 > auth_json_audit: 10 > kerberos: 10 > drs_repl: 10 > lpcfg_load: refreshing parameters from /etc/samba/smb.conf > Processing section "[global]" > Processing section "[netlogon]" > Processing section "[sysvol]" > pm_process() returned Yes > Security token SIDs (1): > SID[ 0]: S-1-5-18 > Privileges (0xFFFFFFFFFFFFFFFF): > Privilege[ 0]: SeMachineAccountPrivilege > Privilege[ 1]: SeTakeOwnershipPrivilege > Privilege[ 2]: SeBackupPrivilege > Privilege[ 3]: SeRestorePrivilege > Privilege[ 4]: SeRemoteShutdownPrivilege > Privilege[ 5]: SePrintOperatorPrivilege > Privilege[ 6]: SeAddUsersPrivilege > Privilege[ 7]: SeDiskOperatorPrivilege > Privilege[ 8]: SeSecurityPrivilege > Privilege[ 9]: SeSystemtimePrivilege > Privilege[ 10]: SeShutdownPrivilege > Privilege[ 11]: SeDebugPrivilege > Privilege[ 12]: SeSystemEnvironmentPrivilege > Privilege[ 13]: SeSystemProfilePrivilege > Privilege[ 14]: SeProfileSingleProcessPrivilege > Privilege[ 15]: SeIncreaseBasePriorityPrivilege > Privilege[ 16]: SeLoadDriverPrivilege > Privilege[ 17]: SeCreatePagefilePrivilege > Privilege[ 18]: SeIncreaseQuotaPrivilege > Privilege[ 19]: SeChangeNotifyPrivilege > Privilege[ 20]: SeUndockPrivilege > Privilege[ 21]: SeManageVolumePrivilege > Privilege[ 22]: SeImpersonatePrivilege > Privilege[ 23]: SeCreateGlobalPrivilege > Privilege[ 24]: SeEnableDelegationPrivilege > Rights (0x 0): > lpcfg_servicenumber: couldn't find ldb > Initial schema load needed, as we have no existing schema, seq_num: 1 > schema_fsmo_init: we are master[no] updates allowed[no] > Initial schema load needed, as we have no existing schema, seq_num: 1 > schema_fsmo_init: we are master[no] updates allowed[no] > lp_load_ex: refreshing parameters > Initialising global parameters > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit > (16384) Processing section "[global]" > doing parameter bind interfaces only = Yes > doing parameter interfaces = lo eth_lan > doing parameter netbios name = SRVSAMBA2 > doing parameter realm = SAMDOM.LOCAL > doing parameter server role = active directory domain controller > doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate > doing parameter workgroup = SAMDOM > doing parameter ldap server require strong auth = no > doing parameter client ldap sasl wrapping = plain > doing parameter log level = 2 vfs:1 > Processing section "[netlogon]" > Processing section "[sysvol]" > Processing section "[netlogon]" > Processing section "[sysvol]" > Processing section "[netlogon]" > Processing section "[sysvol]" > idmap range not specified for domain '*' > idmap range not specified for domain '*' > ***** > ***** huge lot of these lines... > ***** > idmap range not specified for domain '*' > idmap range not specified for domain '*' > open: error=2 (No such file or directory) > ERROR(runtime): uncaught exception - (-1073741823, '{Operation > Failed} The requested operation was unsuccessful.') > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", > line 239, in run > lp, use_ntvfs=use_ntvfs) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line > 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, > domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) > File > "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line > 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, > passdb=passdb, service=SYSVOL_SERVICE) > File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, > in setntacl > smbd.set_nt_acl(file, security.SECINFO_OWNER | > security.SECINFO_GROUP | security.SECINFO_DACL | > security.SECINFO_SACL, sd, service=service) > >
Ing. Claudio Nicora
2018-Jul-23 15:05 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
I'm not a Python guru but I've tried added a "print" just before the smbd.set_nt_acl() call in file /usr/lib/python2.7/dist-packages/samba/ntacls.py. This way I've found the GUID of the orphaned GPO and removed it with RSAT: error disappeared ;) It was only a test GPO so I won't go further investigating about why its files were lost... Still having lot of "idmap range not specified for domain '*'" lines, maybe causing sysvolreset take forever to run. Here you are my smb.conf file; hope you can find something wrong: --- # cat /etc/samba/smb.conf [global] bind interfaces only = Yes interfaces = lo eth_lan netbios name = SRVSAMBA2 realm = SAMDOM.LOCAL server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = SAMDOM ldap server require strong auth = no client ldap sasl wrapping = plain log level = 2 vfs:1 log file = /var/log/samba/log.samba max log size = 10000 [netlogon] path = /var/lib/samba/sysvol/samdom.local/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No --- Thanks Claudio Il 23/07/2018 16:45, L.P.H. van Belle via samba ha scritto:> Hai, > > Check these. > https://www.google.nl/search?biw=1680&bih=888&ei=0-hVW7zQMqzkkgWIjqawDA&q=site%3Asamba.org+sysvol+permission&oq=site%3Asamba.org+sysvol+permission&gs_l=psy-ab.3...5368.10525.0.11916.17.14.3.0.0.0.72.580.14.14.0....0...1c.1.64.psy-ab..0.0.0....0.Ot64q9CRMN8 > > https://www.google.nl/search?biw=1680&bih=888&ei=4OhVW4_xH5L5kwXizI7YCQ&q=site%3Asamba.org+sysvol+reset&oq=site%3Asamba.org+sysvol+reset&gs_l=psy-ab.3...14561.18658.0.19243.13.8.5.0.0.0.47.336.8.8.0....0...1c.1.64.psy-ab..0.0.0....0.fIvwA6AUPAo > > The answer and workarounds are there. > This is discussed so much. (sorry). > > Short version. > Dont run sysvolreset and has an bug. > Get the correct settings from my script. > https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh > > And if you want to apply them, change in the script: > APPLY_CHANGES_DIRECT="no" to yes. > > >> ***** huge lot of these lines... >> ***** >> idmap range not specified for domain '*' > And i suggest, you post your smb.conf. > > > > Greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ing. >> Claudio Nicora via samba >> Verzonden: maandag 23 juli 2018 16:30 >> Aan: samba at lists.samba.org >> Onderwerp: [Samba] sysvolreset error '{Operation Failed} The >> requested operation was unsuccessful.' >> >> When I run samba-tool ntacl sysvolreset on my "secondary" >> Samba AD DC I >> get the error: >> >> --- >> ERROR(runtime): uncaught exception - (-1073741823, >> '{Operation Failed} >> The requested operation was unsuccessful.') >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >> line 176, in _run >> return self.run(*args, **kwargs) >> File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line >> 239, in run >> lp, use_ntvfs=use_ntvfs) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1609, in setsysvolacl >> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, >> use_ntvfs, passdb=s4_passdb) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1502, in set_gpos_acl >> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, >> service=SYSVOL_SERVICE) >> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", >> line 162, in >> setntacl >> smbd.set_nt_acl(file, security.SECINFO_OWNER | >> security.SECINFO_GROUP | security.SECINFO_DACL | >> security.SECINFO_SACL, >> sd, service=service) >> --- >> >> AFAIK this error is thrown when the script tries to set an NT >> permission >> on a missing file; >> it usually happens when a new GPO is created on the primary >> DC and it's >> not yet replicated to other DCs, since sysvolreset uses AD to find >> defined GPO items. >> That said, I've cleaned up the whole sysvol folder on secondary DC, >> rsync'ed all its content from primary DC then rerun >> sysvolreset: same error. >> I've also run sysvolreset on the primary DC as well, and >> again I've got >> the same error. >> >> So now I suppose there's something wrong in AD, like an >> "orphaned" GPO. >> How do I know which GPO file is causing the error? (running >> samba-tool >> with "-d 10" parameter gives no clue. >> >> Full output (same on both DCs): >> ------------------------------- >> >> # samba-tool ntacl sysvolreset -d 10 >> INFO: Current debug levels: >> all: 10 >> tdb: 10 >> printdrivers: 10 >> lanman: 10 >> smb: 10 >> rpc_parse: 10 >> rpc_srv: 10 >> rpc_cli: 10 >> passdb: 10 >> sam: 10 >> auth: 10 >> winbind: 10 >> vfs: 10 >> idmap: 10 >> quota: 10 >> acls: 10 >> locking: 10 >> msdfs: 10 >> dmapi: 10 >> registry: 10 >> scavenger: 10 >> dns: 10 >> ldb: 10 >> tevent: 10 >> auth_audit: 10 >> auth_json_audit: 10 >> kerberos: 10 >> drs_repl: 10 >> lpcfg_load: refreshing parameters from /etc/samba/smb.conf >> Processing section "[global]" >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> pm_process() returned Yes >> Security token SIDs (1): >> SID[ 0]: S-1-5-18 >> Privileges (0xFFFFFFFFFFFFFFFF): >> Privilege[ 0]: SeMachineAccountPrivilege >> Privilege[ 1]: SeTakeOwnershipPrivilege >> Privilege[ 2]: SeBackupPrivilege >> Privilege[ 3]: SeRestorePrivilege >> Privilege[ 4]: SeRemoteShutdownPrivilege >> Privilege[ 5]: SePrintOperatorPrivilege >> Privilege[ 6]: SeAddUsersPrivilege >> Privilege[ 7]: SeDiskOperatorPrivilege >> Privilege[ 8]: SeSecurityPrivilege >> Privilege[ 9]: SeSystemtimePrivilege >> Privilege[ 10]: SeShutdownPrivilege >> Privilege[ 11]: SeDebugPrivilege >> Privilege[ 12]: SeSystemEnvironmentPrivilege >> Privilege[ 13]: SeSystemProfilePrivilege >> Privilege[ 14]: SeProfileSingleProcessPrivilege >> Privilege[ 15]: SeIncreaseBasePriorityPrivilege >> Privilege[ 16]: SeLoadDriverPrivilege >> Privilege[ 17]: SeCreatePagefilePrivilege >> Privilege[ 18]: SeIncreaseQuotaPrivilege >> Privilege[ 19]: SeChangeNotifyPrivilege >> Privilege[ 20]: SeUndockPrivilege >> Privilege[ 21]: SeManageVolumePrivilege >> Privilege[ 22]: SeImpersonatePrivilege >> Privilege[ 23]: SeCreateGlobalPrivilege >> Privilege[ 24]: SeEnableDelegationPrivilege >> Rights (0x 0): >> lpcfg_servicenumber: couldn't find ldb >> Initial schema load needed, as we have no existing schema, seq_num: 1 >> schema_fsmo_init: we are master[no] updates allowed[no] >> Initial schema load needed, as we have no existing schema, seq_num: 1 >> schema_fsmo_init: we are master[no] updates allowed[no] >> lp_load_ex: refreshing parameters >> Initialising global parameters >> rlimit_max: increasing rlimit_max (1024) to minimum Windows >> limit (16384) >> Processing section "[global]" >> doing parameter bind interfaces only = Yes >> doing parameter interfaces = lo eth_lan >> doing parameter netbios name = SRVSAMBA2 >> doing parameter realm = SAMDOM.LOCAL >> doing parameter server role = active directory domain controller >> doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, >> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate >> doing parameter workgroup = SAMDOM >> doing parameter ldap server require strong auth = no >> doing parameter client ldap sasl wrapping = plain >> doing parameter log level = 2 vfs:1 >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> idmap range not specified for domain '*' >> idmap range not specified for domain '*' >> ***** >> ***** huge lot of these lines... >> ***** >> idmap range not specified for domain '*' >> idmap range not specified for domain '*' >> open: error=2 (No such file or directory) >> ERROR(runtime): uncaught exception - (-1073741823, >> '{Operation Failed} >> The requested operation was unsuccessful.') >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >> line 176, in _run >> return self.run(*args, **kwargs) >> File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line >> 239, in run >> lp, use_ntvfs=use_ntvfs) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1609, in setsysvolacl >> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, >> use_ntvfs, passdb=s4_passdb) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1502, in set_gpos_acl >> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, >> service=SYSVOL_SERVICE) >> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", >> line 162, in >> setntacl >> smbd.set_nt_acl(file, security.SECINFO_OWNER | >> security.SECINFO_GROUP | security.SECINFO_DACL | >> security.SECINFO_SACL, >> sd, service=service) >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >
Ing. Claudio Nicora
2018-Jul-23 15:17 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
I've added a "print" in file "/usr/lib/python2.7/dist-packages/samba/ntacls.py" just before the line raising the error to log the (missing) file causing the error. I've found I had an orphaned GPO: it was shown in RSAT but didn't have any file in sysvol folder on both DCs. Just removed it from AD (it was only a test GPO) and the error disappeared. I've posted my smb.conf in a reply to Louis Van Belle, hope you can see what's causing the lot of "idmap range not specified for domain '*'" lines. Thanks Claudio Il 23/07/2018 16:59, Rowland Penny via samba ha scritto:> On Mon, 23 Jul 2018 16:30:11 +0200 > "Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote: > >> When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC >> I get the error: >> >> --- >> ERROR(runtime): uncaught exception - (-1073741823, '{Operation >> Failed} The requested operation was unsuccessful.') >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >> line 176, in _run >> return self.run(*args, **kwargs) >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", >> line 239, in run >> lp, use_ntvfs=use_ntvfs) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, >> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, >> passdb=passdb, service=SYSVOL_SERVICE) >> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, >> in setntacl >> smbd.set_nt_acl(file, security.SECINFO_OWNER | >> security.SECINFO_GROUP | security.SECINFO_DACL | >> security.SECINFO_SACL, sd, service=service) >> --- >> >> AFAIK this error is thrown when the script tries to set an NT >> permission on a missing file; >> it usually happens when a new GPO is created on the primary DC and >> it's not yet replicated to other DCs, since sysvolreset uses AD to >> find defined GPO items. > When you join another DC, you get virtually nothing in sysvol, you need > to sync it manually, but when a GPO is added it is not only stored in > sysvol, it is also stored in AD. When you use sysvolreset, it is the > GPO's stored in AD that are found first and then these are used to > 'walk' sysvol, so if they exist in AD and not in sysvol, you get an > error. > > There are several lines in the output I do not understand, so can you > post your smb.conf. > I would also double check just what is in sysvol on both machines. > > Rowland > >> That said, I've cleaned up the whole sysvol folder on secondary DC, >> rsync'ed all its content from primary DC then rerun sysvolreset: same >> error. I've also run sysvolreset on the primary DC as well, and again >> I've got the same error. >> >> So now I suppose there's something wrong in AD, like an "orphaned" >> GPO. How do I know which GPO file is causing the error? (running >> samba-tool with "-d 10" parameter gives no clue. >> >> Full output (same on both DCs): >> ------------------------------- >> >> # samba-tool ntacl sysvolreset -d 10 >> INFO: Current debug levels: >> all: 10 >> tdb: 10 >> printdrivers: 10 >> lanman: 10 >> smb: 10 >> rpc_parse: 10 >> rpc_srv: 10 >> rpc_cli: 10 >> passdb: 10 >> sam: 10 >> auth: 10 >> winbind: 10 >> vfs: 10 >> idmap: 10 >> quota: 10 >> acls: 10 >> locking: 10 >> msdfs: 10 >> dmapi: 10 >> registry: 10 >> scavenger: 10 >> dns: 10 >> ldb: 10 >> tevent: 10 >> auth_audit: 10 >> auth_json_audit: 10 >> kerberos: 10 >> drs_repl: 10 >> lpcfg_load: refreshing parameters from /etc/samba/smb.conf >> Processing section "[global]" >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> pm_process() returned Yes >> Security token SIDs (1): >> SID[ 0]: S-1-5-18 >> Privileges (0xFFFFFFFFFFFFFFFF): >> Privilege[ 0]: SeMachineAccountPrivilege >> Privilege[ 1]: SeTakeOwnershipPrivilege >> Privilege[ 2]: SeBackupPrivilege >> Privilege[ 3]: SeRestorePrivilege >> Privilege[ 4]: SeRemoteShutdownPrivilege >> Privilege[ 5]: SePrintOperatorPrivilege >> Privilege[ 6]: SeAddUsersPrivilege >> Privilege[ 7]: SeDiskOperatorPrivilege >> Privilege[ 8]: SeSecurityPrivilege >> Privilege[ 9]: SeSystemtimePrivilege >> Privilege[ 10]: SeShutdownPrivilege >> Privilege[ 11]: SeDebugPrivilege >> Privilege[ 12]: SeSystemEnvironmentPrivilege >> Privilege[ 13]: SeSystemProfilePrivilege >> Privilege[ 14]: SeProfileSingleProcessPrivilege >> Privilege[ 15]: SeIncreaseBasePriorityPrivilege >> Privilege[ 16]: SeLoadDriverPrivilege >> Privilege[ 17]: SeCreatePagefilePrivilege >> Privilege[ 18]: SeIncreaseQuotaPrivilege >> Privilege[ 19]: SeChangeNotifyPrivilege >> Privilege[ 20]: SeUndockPrivilege >> Privilege[ 21]: SeManageVolumePrivilege >> Privilege[ 22]: SeImpersonatePrivilege >> Privilege[ 23]: SeCreateGlobalPrivilege >> Privilege[ 24]: SeEnableDelegationPrivilege >> Rights (0x 0): >> lpcfg_servicenumber: couldn't find ldb >> Initial schema load needed, as we have no existing schema, seq_num: 1 >> schema_fsmo_init: we are master[no] updates allowed[no] >> Initial schema load needed, as we have no existing schema, seq_num: 1 >> schema_fsmo_init: we are master[no] updates allowed[no] >> lp_load_ex: refreshing parameters >> Initialising global parameters >> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit >> (16384) Processing section "[global]" >> doing parameter bind interfaces only = Yes >> doing parameter interfaces = lo eth_lan >> doing parameter netbios name = SRVSAMBA2 >> doing parameter realm = SAMDOM.LOCAL >> doing parameter server role = active directory domain controller >> doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, >> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate >> doing parameter workgroup = SAMDOM >> doing parameter ldap server require strong auth = no >> doing parameter client ldap sasl wrapping = plain >> doing parameter log level = 2 vfs:1 >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> idmap range not specified for domain '*' >> idmap range not specified for domain '*' >> ***** >> ***** huge lot of these lines... >> ***** >> idmap range not specified for domain '*' >> idmap range not specified for domain '*' >> open: error=2 (No such file or directory) >> ERROR(runtime): uncaught exception - (-1073741823, '{Operation >> Failed} The requested operation was unsuccessful.') >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >> line 176, in _run >> return self.run(*args, **kwargs) >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", >> line 239, in run >> lp, use_ntvfs=use_ntvfs) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, >> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, >> passdb=passdb, service=SYSVOL_SERVICE) >> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, >> in setntacl >> smbd.set_nt_acl(file, security.SECINFO_OWNER | >> security.SECINFO_GROUP | security.SECINFO_DACL | >> security.SECINFO_SACL, sd, service=service) >> >> >
Reasonably Related Threads
- samba-tool ntacl sysvolreset, - open: error=2 (No such file or directory)
- Problems with joining a second DC to AD
- Setting up Second Samba DC samba-tool ntacl sysvolreset fails
- Problems joining a Samba DC to an existing active directory
- Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs