Ing. Claudio Nicora
2018-Jul-23 15:17 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
I've added a "print" in file "/usr/lib/python2.7/dist-packages/samba/ntacls.py" just before the line raising the error to log the (missing) file causing the error.
I've found I had an orphaned GPO: it was shown in RSAT but didn't have any file in sysvol folder on both DCs.
Just removed it from AD (it was only a test GPO) and the error disappeared.

I've posted my smb.conf in a reply to Louis Van Belle, hope you can see what's causing the lot of "idmap range not specified for domain '*'" lines.

Thanks
Claudio

On 23/07/2018 16:59, Rowland Penny via samba wrote:
> On Mon, 23 Jul 2018 16:30:11 +0200
> "Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote:
>
>> When I run samba-tool ntacl sysvolreset on my "secondary" Samba AD DC
>> I get the error:
>>
>> ---
>> ERROR(runtime): uncaught exception - (-1073741823, '{Operation
>> Failed} The requested operation was unsuccessful.')
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
>> line 239, in run
>> lp, use_ntvfs=use_ntvfs)
>> File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
>> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>> File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True,
>> passdb=passdb, service=SYSVOL_SERVICE)
>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
>> in setntacl
>> smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL |
>> security.SECINFO_SACL, sd, service=service)
>> ---
>>
>> AFAIK this error is thrown when the script tries to set an NT
>> permission on a missing file;
>> it usually happens when a new GPO is created on the primary DC and
>> it's not yet replicated to other DCs, since sysvolreset uses AD to
>> find defined GPO items.
> When you join another DC, you get virtually nothing in sysvol, you need
> to sync it manually, but when a GPO is added it is not only stored in
> sysvol, it is also stored in AD. When you use sysvolreset, it is the
> GPO's stored in AD that are found first and then these are used to
> 'walk' sysvol, so if they exist in AD and not in sysvol, you get an
> error.
>
> There are several lines in the output I do not understand, so can you
> post your smb.conf.
> I would also double check just what is in sysvol on both machines.
>
> Rowland
>
>> That said, I've cleaned up the whole sysvol folder on secondary DC,
>> rsync'ed all its content from primary DC then rerun sysvolreset: same
>> error. I've also run sysvolreset on the primary DC as well, and again
>> I've got the same error.
>>
>> So now I suppose there's something wrong in AD, like an "orphaned"
>> GPO. How do I know which GPO file is causing the error? (running
>> samba-tool with "-d 10" parameter gives no clue.
>>
>> Full output (same on both DCs):
>> -------------------------------
>>
>> # samba-tool ntacl sysvolreset -d 10
>> INFO: Current debug levels:
>> all: 10
>> tdb: 10
>> printdrivers: 10
>> lanman: 10
>> smb: 10
>> rpc_parse: 10
>> rpc_srv: 10
>> rpc_cli: 10
>> passdb: 10
>> sam: 10
>> auth: 10
>> winbind: 10
>> vfs: 10
>> idmap: 10
>> quota: 10
>> acls: 10
>> locking: 10
>> msdfs: 10
>> dmapi: 10
>> registry: 10
>> scavenger: 10
>> dns: 10
>> ldb: 10
>> tevent: 10
>> auth_audit: 10
>> auth_json_audit: 10
>> kerberos: 10
>> drs_repl: 10
>> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> pm_process() returned Yes
>> Security token SIDs (1):
>> SID[ 0]: S-1-5-18
>> Privileges (0xFFFFFFFFFFFFFFFF):
>> Privilege[ 0]: SeMachineAccountPrivilege
>> Privilege[ 1]: SeTakeOwnershipPrivilege
>> Privilege[ 2]: SeBackupPrivilege
>> Privilege[ 3]: SeRestorePrivilege
>> Privilege[ 4]: SeRemoteShutdownPrivilege
>> Privilege[ 5]: SePrintOperatorPrivilege
>> Privilege[ 6]: SeAddUsersPrivilege
>> Privilege[ 7]: SeDiskOperatorPrivilege
>> Privilege[ 8]: SeSecurityPrivilege
>> Privilege[ 9]: SeSystemtimePrivilege
>> Privilege[ 10]: SeShutdownPrivilege
>> Privilege[ 11]: SeDebugPrivilege
>> Privilege[ 12]: SeSystemEnvironmentPrivilege
>> Privilege[ 13]: SeSystemProfilePrivilege
>> Privilege[ 14]: SeProfileSingleProcessPrivilege
>> Privilege[ 15]: SeIncreaseBasePriorityPrivilege
>> Privilege[ 16]: SeLoadDriverPrivilege
>> Privilege[ 17]: SeCreatePagefilePrivilege
>> Privilege[ 18]: SeIncreaseQuotaPrivilege
>> Privilege[ 19]: SeChangeNotifyPrivilege
>> Privilege[ 20]: SeUndockPrivilege
>> Privilege[ 21]: SeManageVolumePrivilege
>> Privilege[ 22]: SeImpersonatePrivilege
>> Privilege[ 23]: SeCreateGlobalPrivilege
>> Privilege[ 24]: SeEnableDelegationPrivilege
>> Rights (0x 0):
>> lpcfg_servicenumber: couldn't find ldb
>> Initial schema load needed, as we have no existing schema, seq_num: 1
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> Initial schema load needed, as we have no existing schema, seq_num: 1
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>> (16384) Processing section "[global]"
>> doing parameter bind interfaces only = Yes
>> doing parameter interfaces = lo eth_lan
>> doing parameter netbios name = SRVSAMBA2
>> doing parameter realm = SAMDOM.LOCAL
>> doing parameter server role = active directory domain controller
>> doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> doing parameter workgroup = SAMDOM
>> doing parameter ldap server require strong auth = no
>> doing parameter client ldap sasl wrapping = plain
>> doing parameter log level = 2 vfs:1
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> *****
>> ***** huge lot of these lines...
>> *****
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> open: error=2 (No such file or directory)
>> ERROR(runtime): uncaught exception - (-1073741823, '{Operation
>> Failed} The requested operation was unsuccessful.')
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
>> line 239, in run
>> lp, use_ntvfs=use_ntvfs)
>> File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1609, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid,
>> domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>> File
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 1502, in set_gpos_acl use_ntvfs=use_ntvfs, skip_invalid_chown=True,
>> passdb=passdb, service=SYSVOL_SERVICE)
>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162,
>> in setntacl
>> smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL |
>> security.SECINFO_SACL, sd, service=service)
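
The AD-versus-sysvol mismatch described in the message above can be checked without patching ntacls.py. This is an added example, not code from the thread or from Samba: it assumes the output of `samba-tool gpo listall` carries `GPO :` and `display name :` lines, uses a constructed sample of that output, and runs against a temporary directory standing in for the Policies folder under sysvol.

```python
import os
import re
import tempfile
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Constructed sample; the field layout of `samba-tool gpo listall` is assumed.
SAMPLE_LISTALL = r"""
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.local\sysvol\samdom.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
GPO          : {11111111-2222-3333-4444-555555555555}
display name : Test GPO
path         : \\samdom.local\sysvol\samdom.local\Policies\{11111111-2222-3333-4444-555555555555}
"""

def parse_gpo_listall(text):
    """Map GPO GUID -> display name from listall-style 'key : value' lines."""
    gpos, guid = {}, None
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key.lower() == "gpo" and GUID_RE.match(value):
            guid = value.upper()
            gpos[guid] = ""
        elif sep and key.lower() == "display name" and guid:
            gpos[guid] = value
    return gpos

def find_gpo_mismatches(listall_text, policies_dir):
    """Return (GPOs in AD with no files in sysvol, sysvol folders unknown to AD)."""
    in_ad = parse_gpo_listall(listall_text)
    on_disk = {}
    for name in os.listdir(policies_dir):
        full = os.path.join(policies_dir, name)
        if GUID_RE.match(name) and os.path.isdir(full):
            on_disk[name.upper()] = bool(os.listdir(full))  # False = empty folder
    no_files = sorted((g, in_ad[g]) for g in in_ad if not on_disk.get(g))
    not_in_ad = sorted(g for g in on_disk if g not in in_ad)
    return no_files, not_in_ad

def demo():
    # Throwaway Policies tree: one healthy GPO, one empty folder AD does not know.
    with tempfile.TemporaryDirectory() as policies:
        good = os.path.join(policies, "{31B2F340-016D-11D2-945F-00C04FB984F9}")
        os.mkdir(good)
        open(os.path.join(good, "GPT.INI"), "w").close()
        os.mkdir(os.path.join(policies, "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"))
        return find_gpo_mismatches(SAMPLE_LISTALL, policies)

if __name__ == "__main__":
    print(demo())
```

On a DC the first argument would be the captured `samba-tool gpo listall` output and the second the Policies directory under the sysvol path from smb.conf; running it on each DC shows whether the folder is missing on one or on both.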
Rowland Penny
2018-Jul-23 15:27 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
On Mon, 23 Jul 2018 17:17:07 +0200
"Ing. Claudio Nicora" <claudio.nicora at gmail.com> wrote:

> I've added a "print" in file
> "/usr/lib/python2.7/dist-packages/samba/ntacls.py" just before the
> line raising the error to log the (missing) file causing the error.
> I've found I had an orphaned GPO: it was shown in RSAT but didn't
> have any file in sysvol folder on both DCs.
> Just removed it from AD (it was only a test GPO) and the error
> disappeared.
>
> I've posted my smb.conf in a reply to Louis Van Belle, hope you can
> see what's causing the lot of "idmap range not specified for domain
> '*'" lines.
>

That's easy, it is a bug introduced at 4.6.0 (I think that was the version). You cannot do anything to stop them on a DC. People were not setting 'idmap config' correctly, so the error message was added. The only problem is, you cannot use the 'idmap config' lines on a DC, so you get the error message every time smb.conf is checked.

Rowland
Ing. Claudio Nicora
2018-Jul-23 15:40 UTC
[Samba] sysvolreset error '{Operation Failed} The requested operation was unsuccessful.'
So there's no error on my side: I have no idmap lines in my smb.conf and since I can't add any I should live with the error/warning, right?

Is this error related to sysvolreset taking forever to run?
What about Louis/your script here https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh ?
I know it's safer but... is it also faster? :)

Thanks again
Claudio

---
# cat /etc/samba/smb.conf
[global]
    bind interfaces only = Yes
    interfaces = lo eth_lan
    netbios name = SRVSAMBA2
    realm = SAMDOM.LOCAL
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = SAMDOM
    ldap server require strong auth = no
    client ldap sasl wrapping = plain
    log level = 2 vfs:1
    log file = /var/log/samba/log.samba
    max log size = 10000

[netlogon]
    path = /var/lib/samba/sysvol/samdom.local/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
---

On 23/07/2018 17:27, Rowland Penny via samba wrote:
> On Mon, 23 Jul 2018 17:17:07 +0200
> "Ing. Claudio Nicora" <claudio.nicora at gmail.com> wrote:
>
>> I've added a "print" in file
>> "/usr/lib/python2.7/dist-packages/samba/ntacls.py" just before the
>> line raising the error to log the (missing) file causing the error.
>> I've found I had an orphaned GPO: it was shown in RSAT but didn't
>> have any file in sysvol folder on both DCs.
>> Just removed it from AD (it was only a test GPO) and the error
>> disappeared.
>>
>> I've posted my smb.conf in a reply to Louis Van Belle, hope you can
>> see what's causing the lot of "idmap range not specified for domain
>> '*'" lines.
>>
> That's easy, it is a bug introduced at 4.6.0 (I think that was the
> version). You cannot do anything to stop them on a DC. People were
> not setting 'idmap config' correctly, so the error message was added.
> The only problem is, you cannot use the 'idmap config' lines on a DC,
> so you get the error message every time smb.conf is checked.
>
> Rowland