Ing. Claudio Nicora
2018-Jul-23 14:30 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC I get the error:

---
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
---

AFAIK this error is thrown when the script tries to set an NT permission on a missing file;
it usually happens when a new GPO is created on the primary DC and it's not yet replicated to other DCs, since sysvolreset uses AD to find defined GPO items.
That said, I've cleaned up the whole sysvol folder on secondary DC, rsync'ed all its content from primary DC then rerun sysvolreset: same error.
I've also run sysvolreset on the primary DC as well, and again I've got the same error.

So now I suppose there's something wrong in AD, like an "orphaned" GPO.
How do I know which GPO file is causing the error? (running samba-tool with "-d 10" parameter gives no clue).

Full output (same on both DCs):
-------------------------------

# samba-tool ntacl sysvolreset -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Security token SIDs (1):
  SID[ 0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[ 0]: SeMachineAccountPrivilege
  Privilege[ 1]: SeTakeOwnershipPrivilege
  Privilege[ 2]: SeBackupPrivilege
  Privilege[ 3]: SeRestorePrivilege
  Privilege[ 4]: SeRemoteShutdownPrivilege
  Privilege[ 5]: SePrintOperatorPrivilege
  Privilege[ 6]: SeAddUsersPrivilege
  Privilege[ 7]: SeDiskOperatorPrivilege
  Privilege[ 8]: SeSecurityPrivilege
  Privilege[ 9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x 0):
lpcfg_servicenumber: couldn't find ldb
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter bind interfaces only = Yes
doing parameter interfaces = lo eth_lan
doing parameter netbios name = SRVSAMBA2
doing parameter realm = SAMDOM.LOCAL
doing parameter server role = active directory domain controller
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
doing parameter workgroup = SAMDOM
doing parameter ldap server require strong auth = no
doing parameter client ldap sasl wrapping = plain
doing parameter log level = 2 vfs:1
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
idmap range not specified for domain '*'
idmap range not specified for domain '*'
*****
***** huge lot of these lines...
*****
idmap range not specified for domain '*'
idmap range not specified for domain '*'
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
L.P.H. van Belle
2018-Jul-23 14:45 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
Hai,

Check these.
https://www.google.nl/search?biw=1680&bih=888&ei=0-hVW7zQMqzkkgWIjqawDA&q=site%3Asamba.org+sysvol+permission&oq=site%3Asamba.org+sysvol+permission&gs_l=psy-ab.3...5368.10525.0.11916.17.14.3.0.0.0.72.580.14.14.0....0...1c.1.64.psy-ab..0.0.0....0.Ot64q9CRMN8

https://www.google.nl/search?biw=1680&bih=888&ei=4OhVW4_xH5L5kwXizI7YCQ&q=site%3Asamba.org+sysvol+reset&oq=site%3Asamba.org+sysvol+reset&gs_l=psy-ab.3...14561.18658.0.19243.13.8.5.0.0.0.47.336.8.8.0....0...1c.1.64.psy-ab..0.0.0....0.fIvwA6AUPAo

The answer and workarounds are there.
This is discussed so much. (sorry).

Short version.
Don't run sysvolreset, it has a bug.
Get the correct settings from my script.
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh

And if you want to apply them, change in the script:
APPLY_CHANGES_DIRECT="no" to yes.

> ***** huge lot of these lines...
> *****
> idmap range not specified for domain '*'

And I suggest you post your smb.conf.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ing. Claudio Nicora via samba
> Sent: Monday 23 July 2018 16:30
> To: samba at lists.samba.org
> Subject: [Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
Rowland Penny
2018-Jul-23 14:59 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
On Mon, 23 Jul 2018 16:30:11 +0200
"Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote:

> When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC
> I get the error:
>
> ---
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation
> Failed} The requested operation was unsuccessful.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
> line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True,
> passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
> in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
> ---
>
> AFAIK this error is thrown when the script tries to set an NT
> permission on a missing file;
> it usually happens when a new GPO is created on the primary DC and
> it's not yet replicated to other DCs, since sysvolreset uses AD to
> find defined GPO items.

When you join another DC, you get virtually nothing in sysvol, you need
to sync it manually, but when a GPO is added it is not only stored in
sysvol, it is also stored in AD. When you use sysvolreset, it is the
GPOs stored in AD that are found first and then these are used to
'walk' sysvol, so if they exist in AD and not in sysvol, you get an
error.

There are several lines in the output I do not understand, so can you
post your smb.conf.
I would also double check just what is in sysvol on both machines.

Rowland
Ing. Claudio Nicora
2018-Jul-23 15:05 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
I'm not a Python guru but I've tried adding a "print" just before the smbd.set_nt_acl() call in file /usr/lib/python2.7/dist-packages/samba/ntacls.py.
This way I've found the GUID of the orphaned GPO and removed it with RSAT: error disappeared ;)
It was only a test GPO so I won't go further investigating about why its files were lost...

Still having a lot of "idmap range not specified for domain '*'" lines, maybe causing sysvolreset to take forever to run.
Here is my smb.conf file; hope you can find something wrong:

---
# cat /etc/samba/smb.conf
[global]
    bind interfaces only = Yes
    interfaces = lo eth_lan
    netbios name = SRVSAMBA2
    realm = SAMDOM.LOCAL
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = SAMDOM
    ldap server require strong auth = no
    client ldap sasl wrapping = plain
    log level = 2 vfs:1
    log file = /var/log/samba/log.samba
    max log size = 10000

[netlogon]
    path = /var/lib/samba/sysvol/samdom.local/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
---

Thanks
Claudio

On 23/07/2018 16:45, L.P.H. van Belle via samba wrote:
> Hai,
>
> Check these.
> https://www.google.nl/search?biw=1680&bih=888&ei=0-hVW7zQMqzkkgWIjqawDA&q=site%3Asamba.org+sysvol+permission&oq=site%3Asamba.org+sysvol+permission&gs_l=psy-ab.3...5368.10525.0.11916.17.14.3.0.0.0.72.580.14.14.0....0...1c.1.64.psy-ab..0.0.0....0.Ot64q9CRMN8
>
> https://www.google.nl/search?biw=1680&bih=888&ei=4OhVW4_xH5L5kwXizI7YCQ&q=site%3Asamba.org+sysvol+reset&oq=site%3Asamba.org+sysvol+reset&gs_l=psy-ab.3...14561.18658.0.19243.13.8.5.0.0.0.47.336.8.8.0....0...1c.1.64.psy-ab..0.0.0....0.fIvwA6AUPAo
>
> The answer and workarounds are there.
> This is discussed so much. (sorry).
>
> Short version.
> Dont run sysvolreset and has an bug.
> Get the correct settings from my script.
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
>
> And if you want to apply them, change in the script:
> APPLY_CHANGES_DIRECT="no" to yes.
>
>> ***** huge lot of these lines...
>> *****
>> idmap range not specified for domain '*'
> And i suggest, you post your smb.conf.
>
> Greetz,
>
> Louis
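Added example, not part of the original thread and not Samba's own code: instead of patching a "print" into ntacls.py, the mismatch described above (a GPO that exists in AD but has no directory in sysvol) can be found by comparing the GPO list from AD with the Policies directory. It assumes the text layout of `samba-tool gpo listall` shown in the constructed sample; the function names are hypothetical, and the GUID `{11111111-...}` and the stray directory are made up.

```python
import os
import re
import tempfile

# A GPO object / directory name is a brace-wrapped GUID.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample in the layout assumed for `samba-tool gpo listall`.
SAMPLE_LISTALL = r"""
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.local\sysvol\samdom.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=local
version      : 0
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\samdom.local\sysvol\samdom.local\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=local
version      : 0
flags        : NONE

GPO          : {11111111-2222-3333-4444-555555555555}
display name : test-gpo
path         : \\samdom.local\sysvol\samdom.local\Policies\{11111111-2222-3333-4444-555555555555}
dn           : CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=samdom,DC=local
version      : 0
flags        : NONE
"""


def parse_gpo_listall(text):
    """Return {GUID (upper case): display name} for every GPO block in the text."""
    gpos, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "gpo" and GUID_RE.fullmatch(value):
            current = value.upper()
            gpos[current] = ""
        elif key == "display name" and current is not None:
            gpos[current] = value
    return gpos


def find_gpo_mismatches(listall_text, policies_dir):
    """Compare AD's GPO list with the GUID directories under policies_dir.

    Returns (missing_in_sysvol, unknown_in_ad):
      missing_in_sysvol: [(GUID, display name)] known to AD, no directory on disk
      unknown_in_ad:     [GUID] directories on disk with no GPO object in AD
    GUIDs are compared case-insensitively.
    """
    in_ad = parse_gpo_listall(listall_text)
    on_disk = {
        name.upper()
        for name in os.listdir(policies_dir)
        if GUID_RE.fullmatch(name) and os.path.isdir(os.path.join(policies_dir, name))
    }
    missing = sorted((guid, name) for guid, name in in_ad.items() if guid not in on_disk)
    unknown = sorted(on_disk - set(in_ad))
    return missing, unknown


def demo():
    """Build a throw-away Policies directory and run the check on the sample."""
    with tempfile.TemporaryDirectory() as policies:
        for name in ("{31B2F340-016D-11D2-945F-00C04FB984F9}",
                     "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
                     "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"):  # made-up stray directory
            os.mkdir(os.path.join(policies, name))
        return find_gpo_mismatches(SAMPLE_LISTALL, policies)


if __name__ == "__main__":
    missing, unknown = demo()
    for guid, name in missing:
        print("in AD but not in sysvol: %s (%s)" % (guid, name))
    for guid in unknown:
        print("in sysvol but not in AD: %s" % guid)
```

On a DC the inputs would be the saved output of `samba-tool gpo listall` and the Policies directory below the sysvol path; with the smb.conf posted above that is assumed to be /var/lib/samba/sysvol/samdom.local/Policies.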
Ing. Claudio Nicora
2018-Jul-23 15:17 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
I've added a "print" in file "/usr/lib/python2.7/dist-packages/samba/ntacls.py" just before the line raising the error to log the (missing) file causing the error.
I've found I had an orphaned GPO: it was shown in RSAT but didn't have any file in sysvol folder on both DCs.
Just removed it from AD (it was only a test GPO) and the error disappeared.

I've posted my smb.conf in a reply to Louis Van Belle, hope you can see what's causing the lot of "idmap range not specified for domain '*'" lines.

Thanks
Claudio

On 23/07/2018 16:59, Rowland Penny via samba wrote:
> On Mon, 23 Jul 2018 16:30:11 +0200
> "Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote:
>
>> When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC
>> I get the error:
>>
>> ---
>> ERROR(runtime): uncaught exception - (-1073741823, '{Operation
>> Failed} The requested operation was unsuccessful.')
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
>> line 239, in run
>>     lp, use_ntvfs=use_ntvfs)
>>   File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
>> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>   File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True,
>> passdb=passdb, service=SYSVOL_SERVICE)
>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
>> in setntacl
>>     smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL |
>> security.SECINFO_SACL, sd, service=service)
>> ---
>>
>> AFAIK this error is thrown when the script tries to set an NT
>> permission on a missing file;
>> it usually happens when a new GPO is created on the primary DC and
>> it's not yet replicated to other DCs, since sysvolreset uses AD to
>> find defined GPO items.
> When you join another DC, you get virtually nothing in sysvol, you need
> to sync it manually, but when a GPO is added it is not only stored in
> sysvol, it is also stored in AD. When you use sysvolreset, it is the
> GPO's stored in AD that are found first and then these are used to
> 'walk' sysvol, so if they exist in AD and not in sysvol, you get an
> error.
>
> There are several lines in the output I do not understand, so can you
> post your smb.conf.
> I would also double check just what is in sysvol on both machines.
>
> Rowland
>
>> That said, I've cleaned up the whole sysvol folder on secondary DC,
>> rsync'ed all its content from primary DC then rerun sysvolreset: same
>> error. I've also run sysvolreset on the primary DC as well, and again
>> I've got the same error.
>>
>> So now I suppose there's something wrong in AD, like an "orphaned"
>> GPO. How do I know which GPO file is causing the error? (running
>> samba-tool with "-d 10" parameter gives no clue.
>> >> Full output (same on both DCs): >> ------------------------------- >> >> # samba-tool ntacl sysvolreset -d 10 >> INFO: Current debug levels: >> all: 10 >> tdb: 10 >> printdrivers: 10 >> lanman: 10 >> smb: 10 >> rpc_parse: 10 >> rpc_srv: 10 >> rpc_cli: 10 >> passdb: 10 >> sam: 10 >> auth: 10 >> winbind: 10 >> vfs: 10 >> idmap: 10 >> quota: 10 >> acls: 10 >> locking: 10 >> msdfs: 10 >> dmapi: 10 >> registry: 10 >> scavenger: 10 >> dns: 10 >> ldb: 10 >> tevent: 10 >> auth_audit: 10 >> auth_json_audit: 10 >> kerberos: 10 >> drs_repl: 10 >> lpcfg_load: refreshing parameters from /etc/samba/smb.conf >> Processing section "[global]" >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> pm_process() returned Yes >> Security token SIDs (1): >> SID[ 0]: S-1-5-18 >> Privileges (0xFFFFFFFFFFFFFFFF): >> Privilege[ 0]: SeMachineAccountPrivilege >> Privilege[ 1]: SeTakeOwnershipPrivilege >> Privilege[ 2]: SeBackupPrivilege >> Privilege[ 3]: SeRestorePrivilege >> Privilege[ 4]: SeRemoteShutdownPrivilege >> Privilege[ 5]: SePrintOperatorPrivilege >> Privilege[ 6]: SeAddUsersPrivilege >> Privilege[ 7]: SeDiskOperatorPrivilege >> Privilege[ 8]: SeSecurityPrivilege >> Privilege[ 9]: SeSystemtimePrivilege >> Privilege[ 10]: SeShutdownPrivilege >> Privilege[ 11]: SeDebugPrivilege >> Privilege[ 12]: SeSystemEnvironmentPrivilege >> Privilege[ 13]: SeSystemProfilePrivilege >> Privilege[ 14]: SeProfileSingleProcessPrivilege >> Privilege[ 15]: SeIncreaseBasePriorityPrivilege >> Privilege[ 16]: SeLoadDriverPrivilege >> Privilege[ 17]: SeCreatePagefilePrivilege >> Privilege[ 18]: SeIncreaseQuotaPrivilege >> Privilege[ 19]: SeChangeNotifyPrivilege >> Privilege[ 20]: SeUndockPrivilege >> Privilege[ 21]: SeManageVolumePrivilege >> Privilege[ 22]: SeImpersonatePrivilege >> Privilege[ 23]: SeCreateGlobalPrivilege >> Privilege[ 24]: SeEnableDelegationPrivilege >> Rights (0x 0): >> lpcfg_servicenumber: couldn't find ldb >> Initial schema load needed, as we have no existing 
schema, seq_num: 1 >> schema_fsmo_init: we are master[no] updates allowed[no] >> Initial schema load needed, as we have no existing schema, seq_num: 1 >> schema_fsmo_init: we are master[no] updates allowed[no] >> lp_load_ex: refreshing parameters >> Initialising global parameters >> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit >> (16384) Processing section "[global]" >> doing parameter bind interfaces only = Yes >> doing parameter interfaces = lo eth_lan >> doing parameter netbios name = SRVSAMBA2 >> doing parameter realm = SAMDOM.LOCAL >> doing parameter server role = active directory domain controller >> doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, >> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate >> doing parameter workgroup = SAMDOM >> doing parameter ldap server require strong auth = no >> doing parameter client ldap sasl wrapping = plain >> doing parameter log level = 2 vfs:1 >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> idmap range not specified for domain '*' >> idmap range not specified for domain '*' >> ***** >> ***** huge lot of these lines... 
>> ***** >> idmap range not specified for domain '*' >> idmap range not specified for domain '*' >> open: error=2 (No such file or directory) >> ERROR(runtime): uncaught exception - (-1073741823, '{Operation >> Failed} The requested operation was unsuccessful.') >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >> line 176, in _run >> return self.run(*args, **kwargs) >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", >> line 239, in run >> lp, use_ntvfs=use_ntvfs) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, >> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, >> passdb=passdb, service=SYSVOL_SERVICE) >> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, >> in setntacl >> smbd.set_nt_acl(file, security.SECINFO_OWNER | >> security.SECINFO_GROUP | security.SECINFO_DACL | >> security.SECINFO_SACL, sd, service=service) >> >> >
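The mismatch discussed in this thread (a GPO that exists in AD but has no folder in sysvol) can be located without editing ntacls.py by comparing the GPO list from AD with the folders on disk. The script below is an added example, not part of the original messages or of Samba's code; it assumes the `samba-tool gpo listall` output layout shown in the constructed sample, and the function names and the second GUID are made up for illustration.

```python
import os
import re
import subprocess
import sys

# Constructed sample in the layout printed by `samba-tool gpo listall` (fields trimmed).
SAMPLE_LISTALL = r"""
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.local\sysvol\samdom.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

GPO          : {0F0E0D0C-1111-2222-3333-444455556666}
display name : Test GPO
path         : \\samdom.local\sysvol\samdom.local\Policies\{0F0E0D0C-1111-2222-3333-444455556666}
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

def parse_gpo_listall(text):
    """Return {GUID in upper case: display name} from `gpo listall` output."""
    gpos, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "gpo" and re.fullmatch(GUID, value):
            current = value.upper()
            gpos[current] = ""
        elif key == "display name" and current:
            gpos[current] = value
    return gpos

def compare_with_sysvol(gpos, policies_dir):
    """Return (GPOs in AD with no folder on disk, GPO folders unknown to AD)."""
    on_disk = {name.upper() for name in os.listdir(policies_dir)
               if re.fullmatch(GUID, name)
               and os.path.isdir(os.path.join(policies_dir, name))}
    missing = {g: n for g, n in gpos.items() if g not in on_disk}
    stray = sorted(on_disk - set(gpos))
    return missing, stray

if __name__ == "__main__":
    # argv[1]: the Policies folder of this DC, i.e. <sysvol>/<dns domain>/Policies
    out = subprocess.check_output(["samba-tool", "gpo", "listall"], text=True)
    missing, stray = compare_with_sysvol(parse_gpo_listall(out), sys.argv[1])
    for guid, name in sorted(missing.items()):
        print("in AD, no folder in sysvol: %s (%s)" % (guid, name))
    for guid in stray:
        print("folder in sysvol, not in AD: %s" % guid)
```

Run it on each DC: a GPO reported as "in AD, no folder in sysvol" on every DC is orphaned in AD, while one missing on a single DC points to an incomplete sysvol sync.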