Hi,

thanks for your hints!

On 10.01.19 at 03:46, Tim Beale via samba wrote:

> - As a sanity-check, you could run 'samba-tool ntacl sysvolcheck'
>   locally on your DC. It may tell you if there's an ACL problem.

samba-tool ntacl sysvolcheck doesn't show any problems.

> - Instead of an online backup, try running 'samba-tool domain backup
>   offline' locally on your DC. It creates a slightly different type of
>   backup, but how it backs up sysvol will work a bit different.

I tried to do an "offline" backup. But I don't find an option "offline"

samba-tool domain backup --help
Usage: samba-tool domain backup <subcommand>

Create or restore a backup of the domain.

Options:
  -h, --help  show this help message and exit

Available subcommands:
  online   - Copy a running DC's current DB into a backup tar file.
  rename   - Copy a running DC's DB to backup file, renaming the domain in the process.
  restore  - Restore the domain's DB from a backup-file.
For more help on a specific subcommand, please type: samba-tool domain backup <subcommand> (-h|--help)

> - If you can work out the file it's failing on, then you could check if
>   'samba-tool ntacl get' works for that file.

We changed the loglevel to 10 and we didn't find any file with insufficient permissions.

Best

Benedikt

--
forumZFD
Entschieden für Frieden|Committed to Peace
Benedikt Kaleß
Leiter Team IT|Head team IT
Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany
Tel 0221 91273233 | Fax 0221 91273299 | http://www.forumZFD.de
Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board: Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
VR 17651 Amtsgericht Köln
Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX

Oh sorry, I forgot that the offline option isn't in 4.9. It will be in 4.10 (release candidate should be available next week some time). However, you have to run the offline command locally on the DC, and you probably don't want to install a rc build on a production DC.

So when I set the DC's smb.conf debug level to 3, I see smbd logs like the following when doing the sysvol portion of the backup:

smbd: call_nt_transact_query_security_desc: file addom.samba.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE, info_wanted = 0xf
smbd: smbd_do_query_security_desc: sd_size = 272.

The last call_nt_transact_query_security_desc log you see may be the file that it's failing on. If (for the last file) you see the first log but not the second, then that narrows it down - it means smbd_do_query_security_desc() is failing. If you use debug level 10 on the server, it should display a smbd_do_query_security_desc() error message pinpointing the problem.

You might want to double-check the smbd debug you got at level 10. There's a lot of noise that comes out, so it's easy to miss things.

Cheers,
Tim

On 11/01/19 3:43 AM, Benedikt Kaleß via samba wrote:
> Hi,
>
> thanks for your hints!
>
> On 10.01.19 at 03:46, Tim Beale via samba wrote:
>
>> - As a sanity-check, you could run 'samba-tool ntacl sysvolcheck'
>>   locally on your DC. It may tell you if there's an ACL problem.
> samba-tool ntacl sysvolcheck doesn't show any problems.
>
>> - Instead of an online backup, try running 'samba-tool domain backup
>>   offline' locally on your DC. It creates a slightly different type of
>>   backup, but how it backs up sysvol will work a bit different.
> I tried to do an "offline" backup. But I don't find an option "offline"
>
> samba-tool domain backup --help
> Usage: samba-tool domain backup <subcommand>
>
> Create or restore a backup of the domain.
>
> Options:
>   -h, --help  show this help message and exit
>
> Available subcommands:
>   online   - Copy a running DC's current DB into a backup tar file.
>   rename   - Copy a running DC's DB to backup file, renaming the domain
>              in the process.
>   restore  - Restore the domain's DB from a backup-file.
> For more help on a specific subcommand, please type: samba-tool domain
> backup <subcommand> (-h|--help)
>
>> - If you can work out the file it's failing on, then you could check if
>>   'samba-tool ntacl get' works for that file.
> We changed the loglevel to 10 and we didn't find any file with
> insufficient permissions.
>
> Best
>
> Benedikt
>
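
Added example, not part of the original thread and not Samba's own code: a small Python script that applies the check described in the reply above to an smbd log taken from the DC, listing every call_nt_transact_query_security_desc line that is never followed by an smbd_do_query_security_desc sd_size line. The sample log is constructed (only the first path comes from the thread), and the pairing assumes a single client so that log lines are not interleaved.

```python
import re
import sys

# Patterns follow the two smbd messages quoted in the thread above.
QUERY_RE = re.compile(
    r"call_nt_transact_query_security_desc: file (?P<path>.+), info_wanted = 0x[0-9a-fA-F]+")
DONE_RE = re.compile(r"smbd_do_query_security_desc: sd_size = (?P<size>\d+)")


def pair_queries(lines):
    """Pair each query line with the sd_size line that follows it.

    Returns (answered, unanswered): answered is a list of (path, sd_size),
    unanswered is a list of paths whose query was never followed by sd_size.
    Assumes one client at a time, so log lines are not interleaved.
    """
    answered, unanswered, pending = [], [], None
    for line in lines:
        query = QUERY_RE.search(line)
        if query:
            if pending is not None:      # previous query never completed
                unanswered.append(pending)
            pending = query.group("path")
            continue
        done = DONE_RE.search(line)
        if done and pending is not None:
            answered.append((pending, int(done.group("size"))))
            pending = None
    if pending is not None:              # log ends on an open query
        unanswered.append(pending)
    return answered, unanswered


# Constructed sample: the first path is from the thread, the second is made up.
SAMPLE_LOG = """\
smbd: call_nt_transact_query_security_desc: file addom.samba.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE, info_wanted = 0xf
smbd: smbd_do_query_security_desc: sd_size = 272.
smbd: unrelated message
smbd: call_nt_transact_query_security_desc: file addom.samba.example.com/scripts/constructed-example.bat, info_wanted = 0xf
"""

if __name__ == "__main__":
    # Pass the path of the DC's smbd log file; without one, use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    ok, failed = pair_queries(lines)
    print(f"{len(ok)} descriptors read")
    for path in failed:
        print("no sd_size logged for:", path)
```

Any path it reports is a candidate for the 'samba-tool ntacl get' check suggested earlier in the thread.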

Hi Tim,

What we did:

setting "log level = 10" in smb.conf

then execute the following command:
------
samba-tool domain backup online --server=addc3 --targetdir=/root -k yes >backup.txt 2>&1
------

Then we grep for the message with "call_nt_transact_query_security_desc"
------
grep call_nt_transact_query_security_desc backup.txt
------

And got nothing :-(

still the same error message about the missing access rights

I will wait for samba 4.10. ;)

Best regards and thanks for your support!

Benedikt