Bug 10606 - samba-tool ntacl sysvolcheck | uncaught exception
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.1.6
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-05-13 15:44 UTC by heupink
Modified: 2014-11-02 13:09 UTC (History)
Description heupink 2014-05-13 15:44:55 UTC
Samba-tool ntacl sysvolcheck gives the following output:

root@dc1:~# samba-tool ntacl sysvolcheck
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samba.merit.unu.edu/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Running samba-tool ntacl sysvolreset fixes things.

Background info: This is a server running (and classicupgraded with) SerNet Samba 4.1.6. The domain is running very well, but GPOs fail with:
"Windows attempted to read the file  blahblah\gpt.ini
from a domain controller and was not successful".

Note: the sysvol with the error is available on request.
Comment 1 Mirco 2014-11-02 00:40:31 UTC
Hi all,

I am having a similar error that is probably related to the particular object number (see error message). I am running Samba 4.1.12/SerNet on Debian Wheezy 64-bit. When I run "samba-tool ntacl sysvolreset" I get an empty prompt without an error message, but it doesn't fix the issue. Here's the output:

root@dc1:~$ samba-tool ntacl sysvolcheck

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/mydom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1624, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))


root@dc1:/var/lib/samba/sysvol/mydom.example.com/Policies$ ls -lh

insgesamt 144K
drwxrwx---+ 4 root     500 4,0K Nov  1 22:22 {1AC9641E-1234-47C7-8D8C-43A199220635}
drwxrwx---+ 5 root     500 4,0K Okt 25 20:47 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 3 root     500 4,0K Nov  2 00:55 {562AB030-6351-42C1-9850-D5B12BF45570}
drwxrwx---+ 4 root     500 4,0K Nov  1 02:30 {58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}
drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:12 {61160F2C-67CA-4A47-970D-6A02F5550FBA}
drwxrwx---+ 4 root     500 4,0K Okt  6 12:25 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 3 root 3000000 4,0K Nov  1 21:25 {A124ED05-EF3B-44A9-8AD8-950D444B0414}
drwxrwx---+ 3 root     500 4,0K Nov  1 22:30 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}
drwxrwx---+ 4 root 3000000 4,0K Nov  1 21:25 {C670A447-2A80-4FDC-8940-BA241597F9E5}
drwxrwx---+ 2 root 3000000 4,0K Okt 31 20:10 {C7115EF1-5DD8-47BB-BFFA-5ECE074A3233}
drwxrwxr-x+ 5 root     500 4,0K Okt 31 20:17 {C9E26EE9-6C23-495A-92C2-8D2FBB4B75CB}
drwxrwx---+ 4 root 3000000 4,0K Nov  1 02:50 {D198C658-98FC-49CD-B71C-D07556FF6ADB}
drwxrwx---+ 4 root     500 4,0K Nov  1 22:15 {D55B1C00-2313-4052-AB61-A022B3154D01}
drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:08 {D651BB93-342C-466B-9155-0506988771C9}
drwxrwx---+ 3 root     500 4,0K Nov  2 01:08 {DDA5BF82-3A1C-4D5E-BE56-51229772DF93}
drwxrwx---+ 2 root 3000000 4,0K Nov  1 02:40 {EC6B4379-B7DE-49FC-A504-5BD55D23AEDC}
drwxrwx---+ 3 root 3000000 4,0K Nov  1 22:15 {F80CBDB5-646E-4E69-9935-4C7966079202}
drwxrwx---+ 4 root     500 4,0K Nov  2 01:02 {FB1BD0C7-B22B-4F3C-84E6-61958C733AA4}

Looks like the particular directory "{31B2F340-016D-11D2-945F-00C04FB984F9}" is somehow broken?

I run into the same issue on my second domain controller, but on dc2 another directory is reported as bad, see output here:

root@dc2:~$ samba-tool ntacl sysvolcheck

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/mydom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1624, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

root@dc2:/var/lib/samba/sysvol/mydom.example.com/Policies$ ls -lh

insgesamt 144K
drwxrwx---+ 4 root     500 4,0K Nov  1 22:22 {1AC9641E-1234-47C7-8D8C-43A199220635}
drwxrwx---+ 5 root     500 4,0K Okt 25 20:47 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 3 root     500 4,0K Nov  2 00:55 {562AB030-6351-42C1-9850-D5B12BF45570}
drwxrwx---+ 4 root     500 4,0K Nov  1 02:30 {58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}
drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:12 {61160F2C-67CA-4A47-970D-6A02F5550FBA}
drwxrwx---+ 4 root     500 4,0K Okt  6 12:25 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 3 root 3000000 4,0K Nov  1 21:25 {A124ED05-EF3B-44A9-8AD8-950D444B0414}
drwxrwx---+ 3 root     500 4,0K Nov  1 22:30 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}
drwxrwx---+ 4 root 3000000 4,0K Nov  1 21:25 {C670A447-2A80-4FDC-8940-BA241597F9E5}
drwxrwx---+ 2 root 3000000 4,0K Okt 31 20:10 {C7115EF1-5DD8-47BB-BFFA-5ECE074A3233}
drwxrwxr-x+ 5 root     500 4,0K Okt 31 20:17 {C9E26EE9-6C23-495A-92C2-8D2FBB4B75CB}
drwxrwx---+ 4 root 3000000 4,0K Nov  1 02:50 {D198C658-98FC-49CD-B71C-D07556FF6ADB}
drwxrwx---+ 4 root     500 4,0K Nov  1 22:15 {D55B1C00-2313-4052-AB61-A022B3154D01}
drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:08 {D651BB93-342C-466B-9155-0506988771C9}
drwxrwx---+ 3 root     500 4,0K Nov  2 01:08 {DDA5BF82-3A1C-4D5E-BE56-51229772DF93}
drwxrwx---+ 2 root 3000000 4,0K Nov  1 02:40 {EC6B4379-B7DE-49FC-A504-5BD55D23AEDC}
drwxrwx---+ 3 root 3000000 4,0K Nov  1 22:15 {F80CBDB5-646E-4E69-9935-4C7966079202}
drwxrwx---+ 4 root     500 4,0K Nov  2 01:02 {FB1BD0C7-B22B-4F3C-84E6-61958C733AA4}

On DC2 the directory "{6AC1786C-016F-11D2-945F-00C04FB984F9}" seems to be the culprit.

As I said before, "samba-tool ntacl sysvolreset" didn't help, neither on DC1 nor on DC2. Any help appreciated.

Mirco.
Comment 2 Mirco 2014-11-02 13:09:24 UTC
(In reply to Mirco from comment #1)

I had the following experience. I ran "samba-tool ntacl sysvolreset" on DC2. After that, the command "ls -l" inside the sysvol/Policies directory outputs:

drwxrwx---+ 5 root     500 4,0K Okt 25 20:47 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 3 root 3000000 4,0K Nov  2 00:55 {562AB030-6351-42C1-9850-D5B12BF45570}
drwxrwx---+ 4 root     500 4,0K Nov  1 02:30 {58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}
drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:12 {61160F2C-67CA-4A47-970D-6A02F5550FBA}
drwxrwx---+ 4 root     500 4,0K Okt  6 12:25 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 3 root 3000000 4,0K Nov  1 21:25 {A124ED05-EF3B-44A9-8AD8-950D444B0414}
drwxrwx---+ 3 root 3000000 4,0K Nov  1 22:30 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}
drwxrwx---+ 4 root 3000000 4,0K Nov  1 21:25 {C670A447-2A80-4FDC-8940-BA241597F9E5}
drwxrwx---+ 2 root 3000000 4,0K Okt 31 20:10 {C7115EF1-5DD8-47BB-BFFA-5ECE074A3233}
drwxrwxr-x+ 5 root     500 4,0K Okt 31 20:17 {C9E26EE9-6C23-495A-92C2-8D2FBB4B75CB}
drwxrwx---+ 4 root 3000000 4,0K Nov  1 02:50 {D198C658-98FC-49CD-B71C-D07556FF6ADB}
drwxrwx---+ 4 root 3000000 4,0K Nov  1 22:15 {D55B1C00-2313-4052-AB61-A022B3154D01}
drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:08 {D651BB93-342C-466B-9155-0506988771C9}
drwxrwx---+ 3 root 3000000 4,0K Nov  2 01:08 {DDA5BF82-3A1C-4D5E-BE56-51229772DF93}
drwxrwx---+ 2 root 3000000 4,0K Nov  1 02:40 {EC6B4379-B7DE-49FC-A504-5BD55D23AEDC}
drwxrwx---+ 3 root 3000000 4,0K Nov  1 22:15 {F80CBDB5-646E-4E69-9935-4C7966079202}
drwxrwx---+ 4 root 3000000 4,0K Nov  2 01:02 {FB1BD0C7-B22B-4F3C-84E6-61958C733AA4}

There are 4 directories that have owner=root and group=500. As explained in my last post, when I run "samba-tool ntacl sysvolcheck" I get output with this error message:

$ samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/mydom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1624, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

It failed at directory {6AC1786C-016F-11D2-945F-00C04FB984F9}. So I thought that, for testing purposes, I would move these 4 directories that carry group=500 to /root/temp/ and run the "samba-tool ntacl sysvolcheck" command again. Then I got this error message:

$ samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
    xattr.XATTR_NTACL_NAME)

Mirco.
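
Added example (not part of the original report and not Samba code): the two SDDL strings in the ProvisioningError messages above are long enough that the differing field is hard to spot by eye. This sketch parses the message text and reports which security-descriptor fields differ; for the messages in this report it is only the owner (`LA`, the SDDL alias for the local Administrator account, versus the expected `DA`, Domain Admins). The function names and regular expressions are illustrative, and it handles only owner, group and DACL (no SACL).

```python
import re
from collections import Counter

# Error text as printed by "samba-tool ntacl sysvolcheck" in comment 1.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
SAMPLE = ("ProvisioningError: DB ACL on GPO directory "
          "/var/lib/samba/sysvol/mydom.example.com/Policies/"
          "{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P" + ACES +
          " does not match expected value O:DAG:DAD:P" + ACES +
          " from GPO object")

MSG_RE = re.compile(
    r"ACL on GPO directory (?P<path>\S+) (?P<actual>\S+) "
    r"does not match expected value (?P<expected>\S+) from GPO object")
SID = r"(?:[A-Z]{2}|S-[\d-]+)"   # two-letter alias or literal SID
SDDL_RE = re.compile(
    rf"O:(?P<owner>{SID})G:(?P<group>{SID})"
    rf"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string (no SACL) into its parts."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    parts = m.groupdict()
    parts["aces"] = re.findall(r"\(([^)]*)\)", parts["aces"])
    return parts

def diff_sysvolcheck(message):
    """Return (path, {field: (actual, expected)}) for fields that differ."""
    m = MSG_RE.search(message)
    if not m:
        raise ValueError("not a sysvolcheck ACL mismatch message")
    actual, expected = parse_sddl(m["actual"]), parse_sddl(m["expected"])
    diff = {k: (actual[k], expected[k])
            for k in ("owner", "group", "flags") if actual[k] != expected[k]}
    # ACEs are compared as multisets: (only in actual, only in expected).
    a, e = Counter(actual["aces"]), Counter(expected["aces"])
    if a != e:
        diff["aces"] = (sorted((a - e).elements()), sorted((e - a).elements()))
    return m["path"], diff

if __name__ == "__main__":
    print(diff_sysvolcheck(SAMPLE))
```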