Corrupted GPO

George Lazar

Jun 29, 2010, 1:46:34 AM

Hi,

I've been using Samba 4 alpha12 for about 6 months in a production environment
with ~150 users. Yesterday I created a new GPO, and when I was adding
users in the security section I started to receive error messages like:
"There is not enough space on the disk", "Cannot find object", etc.
This turned into a corrupted GPO; basically, now I can't see the existing
GPOs and I can't delete the newly created GPO...
I need a way similar to: dcgpofix /ignoreschema (this can be run only
from Windows 2003)
to fix the GPOs.
I haven't tried (yet) to add a Windows 2003 to the domain and try from
there.

Please advise!
Thanks,

George
--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29020398.html
Sent from the Samba - samba-technical mailing list archive at Nabble.com.

Wilco Baan Hofman

Jun 29, 2010, 5:04:30 AM

Hi George,

On Monday 28-06-2010 at 22:46 [timezone -0700], George Lazar wrote:

> Hi,
>
> I've been using Samba 4 alpha12 for about 6 months in a production environment
> with ~150 users. Yesterday I created a new GPO, and when I was adding
> users in the security section I started to receive error messages like:
> "There is not enough space on the disk", "Cannot find object", etc.
> This turned into a corrupted GPO; basically, now I can't see the existing
> GPOs and I can't delete the newly created GPO...

How did you try this? From the GPMC? You might try manually deleting the
directory from sysvol and then try deleting the GPO through the GPMC.

> I need a way similar to: dcgpofix /ignoreschema (this can be run only
> from Windows 2003)
> to fix the GPOs.

As far as I can tell, this tool only reads the security settings from a
DC and resets these in the Domain Controller Policy. In the case of
samba4, that won't really do anything useful unless that is the GPO you
have a problem with.

> I haven't tried (yet) to add a Windows 2003 to the domain and try from
> there.

Replication does not currently replicate the sysvol directory, so in
this case, this won't help you.


--
Wilco Baan Hofman

Matthieu Patou

Jun 29, 2010, 5:37:48 AM

Hi George,

> I've been using Samba 4 alpha12 for about 6 months in a production environment
> with ~150 users. Yesterday I created a new GPO, and when I was adding
> users in the security section I started to receive error messages like:
> "There is not enough space on the disk", "Cannot find object", etc.
> This turned into a corrupted GPO; basically, now I can't see the existing
> GPOs and I can't delete the newly created GPO...

What tool are you using? GPMC? Can you send a screenshot?

What is the content of
/usr/local/samba/private/lockdir/sysvol/<domain>/Policies

What is the result of ldbsearch -s sub -H ldap://localhost -b
CN=Policies,CN=System,DC=... dn ?


> I need a way similar to: dcgpofix /ignoreschema (this can be run only
> from Windows 2003)
> to fix the GPOs.

> I haven't tried (yet) to add a Windows 2003 to the domain and try from
> there.

We do not have this kind of tool (yet); feel free to send us a patch to
implement it!


--
Matthieu Patou
Samba Team http://samba.org

George Lazar

Jun 29, 2010, 5:38:40 AM

Hi Wilco,

I'm using dsa.msc with GPMC from a Windows XP machine. Now the errors that
I have once I open GPMC:
"The system cannot open the device or file specified"

Click OK, and under the domain at Group Policy Objects I don't have any
policy anymore. If I want to create a new one I get:
"The specified server cannot perform the requested operation"
and right after that:
"The directory service is unavailable"
and then I have to reboot the server in order to be able to authenticate
against the LDAP.

Sometimes a reboot is not necessary and I can see GPOs linked to the
OUs and they are working, but I can't create a new one and I don't see them
anymore in the GPO list.

I have tried to manually delete the folder with the last policy that I
created, but the situation is the same, even after a reboot.

I'm really desperate..

Thanks.


--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29021843.html

Matthieu Patou

Jun 29, 2010, 5:42:50 AM

On 29/06/2010 13:38, George Lazar wrote:
> Hi Wilco,
>
> I'm using dsa.msc with GPMC from a Windows XP machine. Now the errors that
> I have once I open GPMC:
> "The system cannot open the device or file specified"

Can you make a trace with wireshark and put it somewhere accessible?

> Click OK, and under the domain at Group Policy Objects I don't have any
> policy anymore. If I want to create a new one I get:
> "The specified server cannot perform the requested operation"
> and right after that:
> "The directory service is unavailable"
> and then I have to reboot the server in order to be able to authenticate
> against the LDAP.

The same here, make a trace.

> Sometimes a reboot is not necessary and I can see GPOs linked to the
> OUs and they are working, but I can't create a new one and I don't see them
> anymore in the GPO list.
>
> I have tried to manually delete the folder with the last policy that I
> created, but the situation is the same, even after a reboot.

Please send us the list of GPO objects as I wrote in my previous email.

> I'm really desperate..

Do you have backups?

George Lazar

Jun 29, 2010, 6:37:52 AM

Hi Matthieu,

I have attached the output of the command that you sent.
I will send a screenshot of GPMC if necessary, but for example now the
only error I get when I click on GPO is: "The system cannot open the device
or file specified"

Regarding the output, the GPO I was creating when I started to receive
"there is not enough space" is record no. 13... (Themes Enabled GPO)

The content of /usr/local/samba/var/locks/.. doesn't seem unusual. I
have there all the policies owned by 3000008 as before.

Important: sometimes when I insist on the GPMC console I get other errors
(mentioned before)
and also the LDAP authentication stops working and I have to reboot the VM.

George

http://old.nabble.com/file/p29022265/putty.log putty.log

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29022265.html

George Lazar

Jun 29, 2010, 7:17:04 AM

Matthieu Patou-7 wrote:
>
> On 29/06/2010 13:38, George Lazar wrote:
>> Hi Wilco,
>>
>> I'm using dsa.msc with GPMC from a Windows XP machine. Now the errors
>> that I have once I open GPMC:
>> "The system cannot open the device or file specified"
>
> Can you make a trace with wireshark and put it somewhere accessible ?

Attached! XP host with dsa: 192.168.1.102, Samba 4 DC: 192.168.93.11.
I started the capture, opened dsa.msc, opened GPMC and then clicked on GPO
and got the errors:
"The system cannot find .." and then clicked on an existing OU - Create or link
existing GPO - "The directory service is not available"

LDAP not working anymore - reboot.

>> Click OK, and under the domain at Group Policy Objects I don't have any
>> policy anymore. If I want to create a new one I get:
>> "The specified server cannot perform the requested operation"
>> and right after that:
>> "The directory service is unavailable"
>> and then I have to reboot the server in order to be able to
>> authenticate against the LDAP.
> The same for here, make a trace
>> Sometimes a reboot is not necessary and I can see GPOs linked to the
>> OUs and they are working, but I can't create a new one and I don't see them
>> anymore in the GPO list.
>>
>> I have tried to manually delete the folder with the last policy that I
>> created, but the situation is the same, even after a reboot.
>>
> Please send us the list of gpo object as I wrote in my previous email.
>> I'm really desperate..
>>
> Do you have backups ?

Yes, I have a 6 days old backup..
http://old.nabble.com/file/p29022511/wireshark wireshark

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29022511.html

Matthieu Patou

Jun 29, 2010, 7:28:49 AM

On 29/06/2010 14:37, George Lazar wrote:
> Hi Matthieu,
>
> I have attached the output of the command that you sent.
> I will send a screenshot of GPMC if necessary, but for example now the
> only error I get when I click on GPO is: "The system cannot open the device
> or file specified"

How is it when clicking on another GPO?

> Regarding the output, the GPO I was creating when I started to receive
> "there is not enough space" is record no. 13... (Themes Enabled GPO)
>
> The content of /usr/local/samba/var/locks/.. doesn't seem unusual. I
> have there all the policies owned by 3000008 as before.

Yes, but I need it to see if all the policy objects declared in the
Policies container are also here on the filesystem.

More specifically, can you show the content of the
{391F2562-1AB9-4CA5-BC87-4BD72929CC5E} folder?
Can you access
\\domain.eu\SysVol\domain.eu\Policies\{391F2562-1AB9-4CA5-BC87-4BD72929CC5E}
?
Do you see a file called gpt.ini and two folders MACHINE and USER?
If not, can you create the folder and the file with the following content:
[General]
Version=65543

Matthieu.
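
The check requested in the message above (every policy object declared in the Policies container also has a folder on the filesystem, holding gpt.ini, MACHINE and USER) can be scripted. This is an added example, not part of the original thread and not Samba code: the function names are hypothetical, the GUIDs and temporary files are constructed sample data, and the input is assumed to be the saved output of the `ldbsearch ... dn` command quoted earlier in the thread.

```shell
# Added example (not from the thread): compare the GPO objects listed by
# ldbsearch with the GPO folders under sysvol/<domain>/Policies.
# Print the {GUID} of every DN that sits directly under CN=Policies.
# LDIF folds long lines: a leading space continues the previous line.
gpo_guids_from_ldif() {
    awk '/^ / { line = line substr($0, 2); next }
         { if (line != "") print line; line = $0 }
         END { if (line != "") print line }' "$1" |
    sed -n 's/^dn: [Cc][Nn]=\({[0-9A-Fa-f-]*}\),[Cc][Nn]=Policies,.*/\1/p' |
    tr 'a-f' 'A-F' | sort -u
}

# has_entry DIR TYPE NAME: case-insensitive match, as Windows clients see it.
has_entry() {
    [ -n "$(find "$1" -mindepth 1 -maxdepth 1 -type "$2" -iname "$3")" ]
}

# check_gpos LDIF_FILE POLICIES_DIR: one line per finding, status 1 if any.
check_gpos() {
    guids=$(gpo_guids_from_ldif "$1"); status=0
    for guid in $guids; do
        dir="$2/$guid"
        if [ ! -d "$dir" ]; then echo "MISSING_DIR $guid"; status=1; continue; fi
        has_entry "$dir" f gpt.ini || { echo "MISSING_GPT_INI $guid"; status=1; }
        has_entry "$dir" d MACHINE || { echo "MISSING_MACHINE $guid"; status=1; }
        has_entry "$dir" d USER || { echo "MISSING_USER $guid"; status=1; }
    done
    for dir in "$2"/\{*\}; do    # folders that no directory object refers to
        [ -d "$dir" ] || continue
        name=$(basename "$dir" | tr 'a-f' 'A-F')
        printf '%s\n' "$guids" | grep -qxF -- "$name" ||
            { echo "ORPHAN_DIR $name"; status=1; }
    done
    return "$status"
}

# Constructed sample: made-up GUIDs, one DN folded the way LDIF wraps lines.
run_sample() {
    tmp=$(mktemp -d) || return 1
    a='{AAAAAAAA-0000-0000-0000-000000000001}'   # complete GPO
    b='{BBBBBBBB-0000-0000-0000-000000000002}'   # folder lacks gpt.ini, USER
    c='{CCCCCCCC-0000-0000-0000-000000000003}'   # object without folder
    d='{DDDDDDDD-0000-0000-0000-000000000004}'   # folder without object
    mkdir -p "$tmp/Policies/$a/MACHINE" "$tmp/Policies/$a/USER" \
             "$tmp/Policies/$b/Machine" "$tmp/Policies/$d/USER"
    printf '[General]\nVersion=1\n' > "$tmp/Policies/$a/GPT.INI"
    cat > "$tmp/gpo.ldif" <<EOF
dn: CN=$a,CN=Policies,CN=System,DC=domain,DC=eu

dn: CN=Machine,CN=$a,CN=Policies,CN=System,DC=domain,DC=eu

dn: CN=$b,CN=Pol
 icies,CN=System,DC=domain,DC=eu

dn: CN=$c,CN=Policies,CN=System,DC=domain,DC=eu
EOF
    check_gpos "$tmp/gpo.ldif" "$tmp/Policies" || true
    rm -rf "$tmp"
}
run_sample
```

On a real server the two arguments to `check_gpos` would be the saved ldbsearch output and the Policies directory of the sysvol share.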

George Lazar

Jun 29, 2010, 7:56:11 AM

Matthieu PATOU-2 wrote:
>
> On 29/06/2010 14:37, George Lazar wrote:
>> Hi Matthieu,
>>
>> I have attached the output of the command that you sent.
>> I will send a screenshot of GPMC if necessary, but for example now the
>> only error I get when I click on GPO is: "The system cannot open the
>> device or file specified"
> How is it when clicking on other GPO ?

See attached GPO.jpg. I don't have the possibility to click on another GPO.
When I click on Group Policy Objects I get the errors mentioned.

>> Regarding the output, the GPO I was creating when I started to receive
>> "there is not enough space" is record no. 13... (Themes Enabled GPO)
>>
>> The content of /usr/local/samba/var/locks/.. doesn't seem unusual. I
>> have there all the policies owned by 3000008 as before.
> Yes but I need it to see if all the policy object declared in the
> Policies container are also here on the filesystem.

See attached policies.png

> More specifically can you show the content of
> {391F2562-1AB9-4CA5-BC87-4BD72929CC5E} folder ?
> Can you access
> \\domain.eu\SysVol\domain.eu\Policies\{391F2562-1AB9-4CA5-BC87-4BD72929CC5E}
> ?
> Do you see a file called gpt.ini and two folders MACHINE and USER ?
> If no can create the folder and the file with the following content:
> [General]
> Version=65543

See attached policy.png
http://old.nabble.com/file/p29022853/GPO.JPG GPO.JPG
http://old.nabble.com/file/p29022853/polcies.PNG polcies.PNG
http://old.nabble.com/file/p29022853/policy.PNG policy.PNG

> Matthieu.

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29022853.html

Matthieu Patou

Jun 29, 2010, 9:53:17 AM

Hi Georges,

>>> Regarding the output, the GPO I was creating when I started to receive
>>> "there is not enough space" is record no. 13... (Themes Enabled GPO)
>>>
>>> The content of /usr/local/samba/var/locks/.. doesn't seem unusual. I
>>> have there all the policies owned by 3000008 as before.
>> Yes but I need it to see if all the policy object declared in the
>> Policies container are also here on the filesystem.
>>
>> See attached policies.png
>>
>> More specifically can you show the content of
>> {391F2562-1AB9-4CA5-BC87-4BD72929CC5E} folder ?
>> Can you access
>> \\domain.eu\SysVol\domain.eu\Policies\{391F2562-1AB9-4CA5-BC87-4BD72929CC5E}
>> ?
>> Do you see a file called gpt.ini and two folders MACHINE and USER ?
>> If no can create the folder and the file with the following content:
>> [General]
>> Version=65543
>>
>> See attached policy.png http://old.nabble.com/file/p29022853/GPO.JPG
>> GPO.JPG http://old.nabble.com/file/p29022853/polcies.PNG polcies.PNG
>> http://old.nabble.com/file/p29022853/policy.PNG policy.PNG

It's the first time I see such things, but I'm not the most experienced
with GPO.

Ok let's try to nuke the GPO:
do a tdbbackup on all the ldb files in /usr/local/samba/private then
ldbedit -H ldap://localhost -b
CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu


You should have three objects, remove them.

Restart gpmc: gpmc.msc.

Let us know !

George Lazar

Jun 29, 2010, 10:39:35 AM

Done.

> ldbedit -H ldap://localhost -b
> CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
>
> You should have three objects, remove them.

It doesn't let me delete them, I got:
failed to delete
CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
- LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: insufficient
access rights> <>

I'm doing this as root but should I stop samba first?

Thanks!

> Restart gpmc: gpmc.msc.
>
> Let us know !

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29024429.html

Matthieu Patou

Jun 29, 2010, 11:00:35 AM

No, you have to get authenticated: ldbedit -H .... -U DOMAIN\\User

George Lazar

Jun 29, 2010, 11:09:45 AM

With authentication I got another error:
LDAP error 66 LDAP_NOT_ALLOWED_ON_NON_LEAF - <00002015: Not allowed on
non-leaf> <>

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29024754.html

Matthieu Patou

Jun 29, 2010, 12:17:51 PM

Hum ok let's try to do it on the ldb files directly:

ldbedit -H /usr/local/samba/private/sam.ldb -b
CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu


ps: can you join #samba-technical it would be easier for realtime debug.

George Lazar

Jun 29, 2010, 3:47:54 PM

Another error:

failed to delete
CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu
- Cannot delete
CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu,
not a leaf node (has 2 children)

:(

I will join tomorrow morning on #samba-technical.
Thx.

> ps: can you join #samba-technical it would be easier for realtime debug.

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29027608.html

Matthieu Patou

Jun 29, 2010, 5:11:25 PM

Ah yes, you have to remove the CN=Machine, ... and CN=User, quit and
reedit to remove the CN={....}, ....

George Lazar

Jun 30, 2010, 5:04:25 AM

It works! Now I can see the GPOs.. God how much I miss them!
Everything seems fine now.
Man, Thanks a LOT!!

George

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29032329.html

Matthieu Patou

Jun 30, 2010, 5:30:03 AM

Hi Georges,

>> Ah yes, you have to remove the CN=Machine, ... and CN=User, quit and
>> reedit to remove the CN={....}, ....
>>
>> It works! now I can see the GPOs.. God how much I miss them!
>> Everything seems fine now.
>> Man, Thanks a LOT!!

Make a backup and can you retry to add a new one ?

George Lazar

Jun 30, 2010, 7:08:24 AM

Matthieu Patou-7 wrote:
>
> Hi Georges,
>
>>> Ah yes, you have to remove the CN=Machine, ... and CN=User, quit and
>>> reedit to remove the CN={....}, ....
>>>
>>> It works! now I can see the GPOs.. God how much I miss them!
>>> Everything seems fine now.
>>> Man, Thanks a LOT!!
> Make a backup and can you retry to add a new one ?

Yes, I will clone the VM a bit later and then create and configure a new
one.
I will let you know the results.
10x

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29033254.html

George Lazar

Jul 1, 2010, 4:04:44 AM

George Lazar wrote:
>
> Matthieu Patou-7 wrote:
>>
>> Hi Georges,
>>
>>>> Ah yes, you have to remove the CN=Machine, ... and CN=User, quit and
>>>> reedit to remove the CN={....}, ....
>>>>
>>>> It works! now I can see the GPOs.. God how much I miss them!
>>>> Everything seems fine now.
>>>> Man, Thanks a LOT!!
>> Make a backup and can you retry to add a new one ?
>>
>> Yes, I will clone the vm a bit later and then create and configure a new
>> one.
>> I will let you know the results.
>> 10x

:(
When I started to change the security settings on an existing GPO I
started to have exactly the same issues..
- There is not enough space on the disk
- the directory service is unavailable
- etc.

Before this I created a new GPO but I didn't change any security
settings on it or edit the GPO. This operation was without issues.
The first time I started to have issues was also when I
changed the security settings on a GPO (adding users in the Security Filtering
section).

Additionally, since yesterday I have had a few XP computers with a blue screen on
Applying Computer Policy.

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29043019.html

George Lazar

Jul 1, 2010, 4:17:04 AM

Matthieu, I'm now on #samba-technical with nick GeorgeLazar

--
View this message in context: http://old.nabble.com/Corrupted-GPO-tp29020398p29043126.html
