Bug 14088 - Access Denied exception recording acl of sysvol during samba-tool domain backup online
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python
Version: 4.10.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
Reported: 2019-08-13 16:05 UTC by David Mulder
Modified: 2019-09-09 13:25 UTC (History)
Description David Mulder 2019-08-13 16:05:16 UTC
ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
The issue was due to ACL rights on a sysvol object.  
Running samba-tool sysvolreset did not resolve the issue.
Deleting the GPO allowed for the online backup to succeed without error.

More details:

The backup tool should really be updated to clearly log what sysvol file is causing it problems.
Comment 1 Amit Kumar 2019-08-31 13:51:54 UTC
(In reply to David Mulder from comment #0)
Hello David,
I believe that by default the DACLs set on sysvol/policies are SEC_ACE_TYPE_ACCESS_ALLOWED and do not give an error on 'online backup'.

On a freshly installed Samba DC:
# samba-tool domain backup online --server=sambadom.amitexample.com --targetdir=/root -U Administrator 
INFO 2019-08-31 07:48:26,327 pid:2300 /usr/lib64/python3.7/site-packages/samba/netcmd/domain_backup.py #124: Creating backup file /root/samba-backup-samdom.amitexample.com-2019-08-31T07-48-26.219642.tar.bz2...

So, did you set an ACL on sysvol/policy/<> using
# samba-tool ntacl set <>

If yes, can you please provide the command so that I can reproduce it locally?
Comment 2 David Mulder 2019-09-09 13:25:06 UTC
See commit 4be5ffdca62 to master.
This was probably related to https://bugzilla.samba.org/show_bug.cgi?id=13917 but we needed better error handling anyway.
Sorry it took a while for me to respond here, I've been on leave.