Ing. Claudio Nicora
2018-Jul-23 14:30 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC I get the error:
---
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
---
AFAIK this error is thrown when the script tries to set an NT permission on a missing file;
it usually happens when a new GPO is created on the primary DC and it's not yet replicated to other DCs, since sysvolreset uses AD to find defined GPO items.
That said, I've cleaned up the whole sysvol folder on secondary DC, rsync'ed all its content from primary DC then rerun sysvolreset: same error.
I've also run sysvolreset on the primary DC as well, and again I've got the same error.
So now I suppose there's something wrong in AD, like an "orphaned" GPO.
How do I know which GPO file is causing the error? (running samba-tool with "-d 10" parameter gives no clue).
Full output (same on both DCs):
-------------------------------
# samba-tool ntacl sysvolreset -d 10
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Security token SIDs (1):
SID[ 0]: S-1-5-18
Privileges (0xFFFFFFFFFFFFFFFF):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProfileSingleProcessPrivilege
Privilege[ 15]: SeIncreaseBasePriorityPrivilege
Privilege[ 16]: SeLoadDriverPrivilege
Privilege[ 17]: SeCreatePagefilePrivilege
Privilege[ 18]: SeIncreaseQuotaPrivilege
Privilege[ 19]: SeChangeNotifyPrivilege
Privilege[ 20]: SeUndockPrivilege
Privilege[ 21]: SeManageVolumePrivilege
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 0):
lpcfg_servicenumber: couldn't find ldb
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
Initial schema load needed, as we have no existing schema, seq_num: 1
schema_fsmo_init: we are master[no] updates allowed[no]
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter bind interfaces only = Yes
doing parameter interfaces = lo eth_lan
doing parameter netbios name = SRVSAMBA2
doing parameter realm = SAMDOM.LOCAL
doing parameter server role = active directory domain controller
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
doing parameter workgroup = SAMDOM
doing parameter ldap server require strong auth = no
doing parameter client ldap sasl wrapping = plain
doing parameter log level = 2 vfs:1
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[sysvol]"
idmap range not specified for domain '*'
idmap range not specified for domain '*'
*****
***** huge lot of these lines...
*****
idmap range not specified for domain '*'
idmap range not specified for domain '*'
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
L.P.H. van Belle
2018-Jul-23 14:45 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
Hai,

Check these.
https://www.google.nl/search?biw=1680&bih=888&ei=0-hVW7zQMqzkkgWIjqawDA&q=site%3Asamba.org+sysvol+permission&oq=site%3Asamba.org+sysvol+permission&gs_l=psy-ab.3...5368.10525.0.11916.17.14.3.0.0.0.72.580.14.14.0....0...1c.1.64.psy-ab..0.0.0....0.Ot64q9CRMN8
https://www.google.nl/search?biw=1680&bih=888&ei=4OhVW4_xH5L5kwXizI7YCQ&q=site%3Asamba.org+sysvol+reset&oq=site%3Asamba.org+sysvol+reset&gs_l=psy-ab.3...14561.18658.0.19243.13.8.5.0.0.0.47.336.8.8.0....0...1c.1.64.psy-ab..0.0.0....0.fIvwA6AUPAo

The answer and workarounds are there.
This is discussed so much. (sorry).

Short version.
Don't run sysvolreset, it has a bug.
Get the correct settings from my script.
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh

And if you want to apply them, change in the script:
APPLY_CHANGES_DIRECT="no" to yes.

> ***** huge lot of these lines...
> *****
> idmap range not specified for domain '*'

And I suggest you post your smb.conf.

Greetz,

Louis
Rowland Penny
2018-Jul-23 14:59 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
On Mon, 23 Jul 2018 16:30:11 +0200 "Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote:

> When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC
> I get the error:
>
> ---
> ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> ---
>
> AFAIK this error is thrown when the script tries to set an NT
> permission on a missing file;
> it usually happens when a new GPO is created on the primary DC and
> it's not yet replicated to other DCs, since sysvolreset uses AD to
> find defined GPO items.

When you join another DC, you get virtually nothing in sysvol, you need to sync it manually, but when a GPO is added it is not only stored in sysvol, it is also stored in AD. When you use sysvolreset, it is the GPO's stored in AD that are found first and then these are used to 'walk' sysvol, so if they exist in AD and not in sysvol, you get an error.

There are several lines in the output I do not understand, so can you post your smb.conf.
I would also double check just what is in sysvol on both machines.

Rowland
Ing. Claudio Nicora
2018-Jul-23 15:05 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
I'm not a Python guru but I've tried adding a "print" just before the smbd.set_nt_acl() call in file /usr/lib/python2.7/dist-packages/samba/ntacls.py.
This way I've found the GUID of the orphaned GPO and removed it with RSAT: error disappeared ;)
It was only a test GPO so I won't go further investigating about why its files were lost...

Still having a lot of "idmap range not specified for domain '*'" lines, maybe causing sysvolreset to take forever to run.
Here is my smb.conf file; hope you can find something wrong:

---
# cat /etc/samba/smb.conf
[global]
        bind interfaces only = Yes
        interfaces = lo eth_lan
        netbios name = SRVSAMBA2
        realm = SAMDOM.LOCAL
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMDOM
        ldap server require strong auth = no
        client ldap sasl wrapping = plain
        log level = 2 vfs:1
        log file = /var/log/samba/log.samba
        max log size = 10000

[netlogon]
        path = /var/lib/samba/sysvol/samdom.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
---

Thanks
Claudio
Ing. Claudio Nicora
2018-Jul-23 15:17 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
I've added a "print" in file "/usr/lib/python2.7/dist-packages/samba/ntacls.py" just before the line raising the error to log the (missing) file causing the error.
I've found I had an orphaned GPO: it was shown in RSAT but didn't have any file in sysvol folder on both DCs.
Just removed it from AD (it was only a test GPO) and the error disappeared.

I've posted my smb.conf in a reply to Louis Van Belle, hope you can see what's causing the lot of "idmap range not specified for domain '*'" lines.

Thanks
Claudio
>> ***** >> idmap range not specified for domain '*' >> idmap range not specified for domain '*' >> open: error=2 (No such file or directory) >> ERROR(runtime): uncaught exception - (-1073741823, '{Operation >> Failed} The requested operation was unsuccessful.') >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >> line 176, in _run >> return self.run(*args, **kwargs) >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", >> line 239, in run >> lp, use_ntvfs=use_ntvfs) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, >> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) >> File >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line >> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True, >> passdb=passdb, service=SYSVOL_SERVICE) >> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, >> in setntacl >> smbd.set_nt_acl(file, security.SECINFO_OWNER | >> security.SECINFO_GROUP | security.SECINFO_DACL | >> security.SECINFO_SACL, sd, service=service) >> >> >
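The mismatch discussed in this thread (a GPO object present in AD with no folder under sysvol) can be found without editing Samba's installed modules. The following is an added example, not part of the thread or of Samba's own code: it parses `samba-tool gpo listall` output and compares the GUIDs with the Policies directory. The field layout of that output is assumed, the sample text is constructed, and the Policies path is passed as an argument because it differs per install.

```python
import os
import re
import subprocess
import sys

# Assumed field layout of `samba-tool gpo listall`: "GPO : {GUID}", "display name : ...".
FIELD = re.compile(r"^(GPO|display name|path|dn)\s*:\s*(.*)$")

# Constructed sample output; the second GUID is made up.
SAMPLE = """\
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy

GPO          : {AAAAAAAA-0000-0000-0000-000000000001}
display name : Test GPO
"""

def parse_gpo_listall(text):
    """Return one dict per GPO block in the listing."""
    gpos = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "GPO":              # each block starts with its GUID line
            gpos.append({"GPO": value})
        elif gpos:
            gpos[-1][key] = value
    return gpos

def compare_with_sysvol(gpos, policies_dir):
    """Return (GPOs in AD without a sysvol folder, sysvol folders without an AD object)."""
    on_disk = {d.upper() for d in os.listdir(policies_dir)
               if os.path.isdir(os.path.join(policies_dir, d))}
    in_ad = {g["GPO"].upper(): g for g in gpos}
    missing = [in_ad[guid] for guid in sorted(in_ad) if guid not in on_disk]
    return missing, sorted(on_disk - set(in_ad))

if __name__ == "__main__":
    # argv[1]: the Policies directory under sysvol (path differs per install).
    out = subprocess.check_output(["samba-tool", "gpo", "listall"]).decode()
    missing, stray = compare_with_sysvol(parse_gpo_listall(out), sys.argv[1])
    for g in missing:
        print("in AD, missing in sysvol: %s (%s)" % (g["GPO"], g.get("display name", "?")))
    for d in stray:
        print("in sysvol, not in AD: %s" % d)
    sys.exit(1 if missing or stray else 0)
```

Run it on each DC before sysvolreset; a non-zero exit status means AD and sysvol disagree on at least one GPO.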