This has been broken for me for some time, and I haven't had any luck debugging this via the mailing list: http://www.spinics.net/lists/samba/msg137116.html

When running samba-tool ntacl sysvolreset, this fails with the following error (I'm on 4.5.0):

user@dc2:~ $ sudo /usr/local/samba/bin/samba-tool ntacl sysvolreset
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
ERROR(runtime): uncaught exception - (-1073741789, 'Buffer too small')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1606, in setsysvolacl
    passdb=s4_passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

I'm not really sure what might be causing this. I have a '-d10' trace, and the last section before the exception is as follows:

get_nt_acl_internal: name=/usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine
ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:107)
parse_acl_blob: ndr_pull_xattr_NTACL failed: Buffer Size Error
validate_nt_acl_blob: parse_acl_blob returned NT_STATUS_BUFFER_TOO_SMALL
get_nt_acl_internal: ACL validation for [/usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine] failed
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
delete_lock_ref_count for file /usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine

I think I have followed the trail via the following items that call or refer to each other in turn:

- python samba-tool ntacl sysvolreset
- source3/smbd/pysmbd.c: SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd);
- source3/include/vfs_macros.h:#define SMB_VFS_FSET_NT_ACL smb_vfs_call_fset_nt_acl
- source3/smbd/vfs.c:NTSTATUS smb_vfs_call_fset_nt_acl [which calls fset_nt_acl_fn]
- source3/modules/vfs_acl_xattr.c: .fset_nt_acl_fn = fset_nt_acl_common
- source3/modules/vfs_acl_common.c:static NTSTATUS fset_nt_acl_common
- source3/modules/vfs_acl_common.c: parse_acl_blob() [which seems to be where the error occurs]

However it appears that I'm now trying to debug the VFS modules in Samba, which isn't quite where I thought I would end up when I started looking into this error :)

(For the above, I am presuming I'm using vfs_acl_xattr - I have nothing explicitly set in smb.conf, and I'm running on ext4 with setfacl/getfacl working fine)

If I can provide any further information, please let me know - I'm feeling the pain of my GPOs not functioning at the moment :-(

'samba-tool ntacl sysvolreset' runs for a while but after a few hundred files it hits this problem and just stops.

FYI (and so I don't lose it, also!) I have been using this as a bit of a 'hack' workaround. It doesn't always work - it's hit and miss whether a client will go to the right DC - but it has worked a few times. Clearly it doesn't fix the root problem, but it gets me working if I need to get a new GPO rolled out.

$ sudo setfacl -R -m d:o:rx -m o:rx /usr/local/samba/var/locks/sysvol/mydomain.org.uk/

It looks like the root cause for this specific issue does not come from within 'ntacl sysvolreset' itself, but rather some file on the filesystem that the filesharing part of Samba also doesn't like.

Following LPH's suggestion of how he fixes GPO issues (see his email 20 December 2016 at 10:20; Subject: Re: [Samba] GPO Security Filtering "Access Denied") I decided to follow the same route. However, when copying the contents of sysvol to my local Windows machine, I was prevented from copying one directory (and only one directory). The error message is shown below; the same was shown as a pop-up dialog box in Windows Explorer but it's easier to cut and paste the error from a command prompt window:

C:\> robocopy /s \\dc1\sysvol c:\tmp\sysvol
[lots of successful file copies]
[...]
2017/04/15 00:29:47 ERROR 122 (0x0000007A) Scanning Source Directory \\dc1\sysvol\mydomain.org.uk\Policies\{D4D44444-5555-6666-7777-888888888888}\Machine\Preferences\
The data area passed to a system call is too small.

I removed this directory entirely (after first backing up the files contained within), and re-created it. I have now been able to successfully run "samba-tool ntacl sysvolreset" with no errors.

I do still have issues with Windows clients not consistently being able to run gpupdate without errors, but at least I can declare progress on this issue.

Does this give any clue as to where the underlying issue might lie behind this, and how it could be detected / fixed in the future?

I guess this specific issue could be considered resolved seeing as I have worked around the issue by deleting this problem file, although I think we should be able to come up with better error handling messages. At least this bug report should give some pointers to others who encounter this again in the future.
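
An added example, not part of the bug report or of Samba's code: one way to find every sysvol entry whose stored NT ACL blob fails to parse, rather than stopping at the first one as sysvolreset does. It assumes the ACLs are kept by vfs_acl_xattr in the `security.NTACL` extended attribute (as the reporter presumes) and that Samba's Python bindings are importable when run for real; `scan_tree`, `read_ntacl` and `samba_ntacl_parser` are hypothetical names.

```python
import errno
import os

NTACL_XATTR = "security.NTACL"  # xattr where vfs_acl_xattr stores the NT ACL blob


def samba_ntacl_parser():
    """Return a parser backed by Samba's Python bindings (imported lazily)."""
    from samba.dcerpc import xattr
    from samba.ndr import ndr_unpack
    return lambda blob: ndr_unpack(xattr.NTACL, blob)


def read_ntacl(path):
    """Return the raw blob, or None if no NT ACL is stored. Needs root."""
    try:
        return os.getxattr(path, NTACL_XATTR, follow_symlinks=False)
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return None
        raise


def scan_tree(root, parse, read=read_ntacl):
    """Walk root; return [(path, reason)] for each entry with an unusable blob."""
    bad = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        paths = [dirpath] + [os.path.join(dirpath, f) for f in sorted(files)]
        for path in paths:
            try:
                blob = read(path)
            except OSError as exc:
                bad.append((path, "unreadable xattr: %s" % exc.strerror))
                continue
            if blob is None:
                continue  # nothing stored, so nothing that can fail to parse
            try:
                parse(blob)
            except Exception as exc:  # the bindings raise on NDR pull errors
                bad.append((path, "parse failed: %s" % exc))
    return bad


if __name__ == "__main__":
    import sys
    for path, reason in scan_tree(sys.argv[1], samba_ntacl_parser()):
        print("%s\t%s" % (path, reason))
```

Run as root against the sysvol path with Samba's site-packages on `PYTHONPATH`; each reported path is a candidate for the back-up-and-recreate step described above.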