[Samba] Missing Policies folder after failure; how to recreate


"Gergely, Kaszás"
Jan 13, 2015, 3:48:07 PM
Dear Samba List!

Long story short, and please just don't ask; if it were up to me this
would not have happened:

I need to recreate the default GPOs (as in the
\SysVol\domain.of\Policies\ folder and subfolders) of my domain.
Trying to delete the old GPOs, I run into errors, both in the Windows
mmc and on the DC running samba-tool as root.
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on
CN={97A64DB0-B51D-4A70-80A3-7F47483B0EB2},CN=Policies,CN=System,DC=domain,DC=of
> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run

Reprovisioning is not an option, since this is an active, "in use"
system with lots of accounts.
The moment this is solved I swear to make a second DC with sysvol
replication.

Thank you!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

James
Jan 13, 2015, 3:51:04 PM
Have you tried to reset the permissions?

samba-tool ntacl sysvolreset


--
-James

Marc Muehlfeld
Jan 13, 2015, 4:13:48 PM
On 13.01.2015 at 21:50, James wrote:
> Have you tried to reset the permissions?
>
> samba-tool ntacl sysvolreset

If he lost folders, as he said, sysvolreset won't help. This command
won't recreate the sysvol content.



> On 1/13/2015 3:09 PM, "Gergely, Kaszás" wrote:
>> I need to recreate the default GPOs (as in the
>> \SysVol\domain.of\Policies\ folder and subfolders) of my domain.
>> Trying to delete the old GPOs, I run into errors, both in the Windows
>> mmc and on the DC running samba-tool as root.
>> ERROR(ldb): uncaught exception - LDAP error 50
>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed
>> on
>> CN={97A64DB0-B51D-4A70-80A3-7F47483B0EB2},CN=Policies,CN=System,DC=domain,DC=of
>> > <>
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 175, in _run

If you just lost your sysvol folder content, restore the files from your
backup or copy them from an additional DC in the domain + run
'samba-tool ntacl sysvolreset'.

If the security stuff inside the AD is messed up, too, I have no idea
if you don't give more information and if we aren't allowed to ask to
find out what happened and what exactly is broken. ;-)


Regards,
Marc

Tim
Jan 13, 2015, 5:30:03 PM
If you only need the default GPOs, then we can possibly send you the folders and their content. If I'm not completely wrong, these folders are empty as long as nothing has been set.
With samba the default gpos are empty - no settings at all.
Possibly it is important to know your functional level? I don't know.

The two default domain policies have well known SIDs so it's not hard to find them.

I will have a look at it tomorrow at work if you like.

Possibly you just create these folders and run samba-tool ntacl sysvolreset.

There is a technet article about these well known SIDs. But I can't find it again.


--
This message was sent from my Android mobile phone with K-9 Mail.

Marc Muehlfeld
Jan 14, 2015, 9:49:33 AM
On 14.01.2015 at 11:18, "Gergely, Kaszás" wrote:
>> If you just lost your sysvol folder content, restore the files from
>> your backup or copy them from an additional DC in the domain + run
>> 'samba-tool ntacl sysvolreset'.
> Yes, if the site had backups or a second DC, this wouldn't be a
> problem.
> But unfortunately this isn't the case. The admin of this site didn't
> make backups and there is no other DC in the domain.

As I already said: If you don't give more information about the
situation and details, we can't help.

Regards,
Marc

Marcel de Reuver
Jan 14, 2015, 12:06:42 PM
A quick solution can be to copy the contents of the attached zipfile to
/usr/local/samba/var/locks/sysvol/domain.of/ and then run the command:
samba-tool ntacl sysvolreset

You will end up without any GPOs, and look at
https://wiki.samba.org/index.php/Backup_and_Recovery to get backups of
your Samba installation!!

Regards, Marcel


"Gergely, Kaszás"
Jan 16, 2015, 11:42:19 AM

On 2015.01.14. 15:48, Marc Muehlfeld wrote:
> Am 14.01.2015 um 11:18 schrieb "Gergely, Kaszás":
>>> If you just lost your sysvol folder content, restore the files from
>>> your backup or copy them from an additional DC in the domain + run
>>> 'samba-tool ntacl sysvolreset'.
>> Yes, if the site had backups or a second DC, this wouldn't be a
>> problem.
>> But unfortunately this isn't the case. The admin of this site didn't
>> make backups and there is no other DC in the domain.
> As I already said: If you don't give more information about the
> situation and details, we can't help.

Forgive me for being vague;
There is only a single active DC in this domain, which was recovered after
a hardware failure caused by an unplanned outage.
This DC is mostly used for RADIUS authentication and for a simple
library lab with 5 computers.
The domain has around 400 users.
The real name of the domain is not "domain.of", I just masked it.

*Listing of the sysvol folder gives*
sysvol # find .
.
./domain.of/
./domain.of/scripts

The DC runs the *4.1.6 Ubuntu*-packaged Samba.

Trying to *delete one of the GPOs* gives:
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on
CN={MASKED},CN=Policies,CN=System,DC=domain,DC=of> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line
1083, in run
self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))

*samba-tool ntacl sysvolcheck*
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such
file or directory')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
249, in run
lp)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1695, in checksysvolacl
direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1631, in check_gpos_acl
direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in
getntacl
xattr.XATTR_NTACL_NAME)

*samba-tool ntacl sysvolreset*
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
218, in run
lp, use_ntvfs=use_ntvfs)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1581, in setsysvolacl
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 1499, in set_gpos_acl
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
service=SYSVOL_SERVICE)
File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 154, in
setntacl
smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL,
sd, service=service)

the *smb.conf*
[global]
workgroup = DOMAINOF
realm = domain.of
netbios name = DC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
nt acl support = yes
inherit acls = yes
wins support = yes
#security = ads
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = true
kerberos method = secrets and keytab
socket options = TCP_NODELAY

idmap config *:backend = tdb
idmap config *:range = 30001-40000
idmap config DOMAINOF:backend = ad
idmap config DOMAINOF:schema_mode = rfc2307
idmap config DOMAINOF:range = 1000-20000
idmap_ldb:use rfc2307 = yes

load printers = no
printcap name = /dev/null
template shell = /bin/bash

# ca.pem - /etc/ssl/certs/sambaca.pem, cert.pem - /etc/ssl/certs/samba.pem
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/dc.domain.of.key.pem
tls certfile = /var/lib/samba/private/tls/dc.domain.of.cert.pem
tls cafile = /var/lib/samba/private/tls/dc.domain.of.chain.pem

[netlogon]
path = /var/lib/samba/sysvol/domain.of/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

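Tim's and Marcel's suggestion (create the missing Policies folders, then run `samba-tool ntacl sysvolreset`) as an added POSIX shell example; this is not code from the thread or from the Samba project. It writes the same empty skeleton Samba's provision creates (MACHINE/, USER/ and a GPT.INI at Version=0) for each GPO GUID it is given, skips malformed GUIDs and never overwrites an existing GPT.INI, since that file carries the policy's version counter; the `open: error=2` in the sysvolreset traceback above is what happens when a GPO object in AD has no matching folder. It assumes the sysvol root and realm are passed as arguments and that the GUIDs are taken from the CN={...} entries under CN=Policies,CN=System in AD (as listed by `samba-tool gpo listall`), falling back to the two well-known default policy GUIDs when none are given.

```sh
#!/bin/sh
# Added example: rebuild an empty GPO folder skeleton under sysvol so that
# 'samba-tool ntacl sysvolreset' finds a folder for every GPO object in AD.
# Assumptions: SYSVOL_ROOT and REALM are given on the command line; GUIDs
# are the CN={...} values from CN=Policies,CN=System (samba-tool gpo listall).
set -eu

# Well-known GUIDs of the two GPOs every AD domain is provisioned with.
DEFAULT_DOMAIN_POLICY='{31B2F340-016D-11D2-945F-00C04FB984F9}'
DEFAULT_DC_POLICY='{6AC1786C-016F-11D2-945F-00C04FB984F9}'

# recreate_gpo_skeleton SYSVOL_ROOT REALM [GUID ...]
# Prints the path of each GPO folder it newly creates. Existing folders and
# an existing GPT.INI (which holds the policy's version counter) are kept.
recreate_gpo_skeleton() {
    sysvol=$1 realm=$2
    shift 2
    [ $# -gt 0 ] || set -- "$DEFAULT_DOMAIN_POLICY" "$DEFAULT_DC_POLICY"
    policies="$sysvol/$realm/Policies"
    mkdir -p "$policies" "$sysvol/$realm/scripts"
    for guid in "$@"; do
        case $guid in
            \{????????-????-????-????-????????????\}) ;;
            *) echo "skipping malformed GPO GUID: $guid" >&2; continue ;;
        esac
        dir="$policies/$guid"
        if [ ! -d "$dir" ]; then
            echo "$dir"
        fi
        mkdir -p "$dir/MACHINE" "$dir/USER"
        # Same content Samba's provision writes for a fresh, empty GPO.
        [ -f "$dir/GPT.INI" ] || printf '[General]\r\nVersion=0' > "$dir/GPT.INI"
    done
}

# Usage on the DC from the thread (sysvol path as in its smb.conf), then the
# ACL reset, which now has folders to work on:
#   recreate_gpo_skeleton /var/lib/samba/sysvol domain.of '{GUID-1}' '{GUID-2}'
#   samba-tool ntacl sysvolreset
if [ $# -ge 2 ]; then
    recreate_gpo_skeleton "$@"
fi
```

The resulting GPOs are empty, as Tim and Marcel note; any settings the old policies carried are gone and have to be configured again.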

Rowland Penny
Jan 16, 2015, 12:02:33 PM
Hi, your smb.conf seems to be a mixture of an AD DC smb.conf and a
member server smb.conf; I would suggest that you remove these lines:

nt acl support = yes
inherit acls = yes
wins support = yes
#security = ads
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = true
kerberos method = secrets and keytab
socket options = TCP_NODELAY

idmap config *:backend = tdb
idmap config *:range = 30001-40000
idmap config DOMAINOF:backend = ad
idmap config DOMAINOF:schema_mode = rfc2307
idmap config DOMAINOF:range = 1000-20000

They are member server lines and have no place on a Samba AD DC.

Rowland