Bug 14943 - samba-tool crash on incomplete GPO
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: David Mulder
QA Contact: Samba QA Contact
Reported: 2022-01-10 18:57 UTC by keesvanvloten
Modified: 2022-01-11 15:22 UTC
Description keesvanvloten 2022-01-10 18:57:34 UTC
Multiple subcommands of samba-tool do not provide a decent error when a GPO is missing on the filesystem but still available in LDAP.

In addition, when trying to remove the (partial) GPO with "samba-tool gpo del", it says the GPO does not exist instead of removing the remainders of it from LDAP.


samba-tool ntacl sysvolcheck
ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
    check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
    fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
    attribute = samba.xattr_native.wrap_getxattr(file


strace samba-tool ntacl sysvolcheck
<removed lots of output>

getxattr("/var/lib/samba/sysvol/samdom.net/Policies/{75991237-941B-47B9-AF67-853781EA44B3}", "security.NTACL", NULL, 0) = -1 ENOENT (No such file or directory)
write(2, "ERROR(<class 'TypeError'>): unca"..., 82ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
) = 82

<removed rest of output>


samba-tool ntacl sysvolreset
Could not find opname rename, logging all
idmap range not specified for domain '*'
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1641, in set_gpos_acl
    set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1604, in set_dir_acl
    setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in setntacl
    smbd.set_nt_acl(


samba-tool gpo listall
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\samdom.net\sysvol\samdom.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net
version      : 0
flags        : NONE

GPO          : {75991237-941B-47B9-AF67-853781EA44B3}
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 477, in run
    self.outf.write("display name : %s\n" % m['displayName'][0])


Trying to delete the leftovers of the GPO returns:

samba-tool gpo del '{75991237-941B-47B9-AF67-853781EA44B3}'
ERROR: GPO '{75991237-941B-47B9-AF67-853781EA44B3}' does not exist


- Kees
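
Added example (not part of the original report and not Samba's code): a minimal audit that compares GPO objects known to LDAP with the folders under the sysvol Policies directory and reports each half-present GPO as a finding instead of raising. The function name audit_gpos, the dict layout of the LDAP entries and the third GUID are assumptions made for illustration; the other two GUIDs are the ones quoted in the report.

```python
import os
import tempfile

def audit_gpos(ldap_entries, policies_dir):
    """Return (guid, problem) findings for GPOs that are only half present.

    ldap_entries: dicts with 'name' (the GPO GUID) and, normally, 'displayName'.
    policies_dir: the sysvol Policies directory holding one folder per GPO.
    """
    findings = []
    known = set()
    for entry in ldap_entries:
        guid = entry["name"]
        known.add(guid.upper())
        # An incomplete object can lack attributes; report it, don't index blindly.
        if not entry.get("displayName"):
            findings.append((guid, "LDAP object has no displayName"))
        # Check the folder before any ACL read so ENOENT becomes a finding.
        if not os.path.isdir(os.path.join(policies_dir, guid)):
            findings.append((guid, "in LDAP but missing on sysvol"))
    for folder in sorted(os.listdir(policies_dir)):
        if folder.upper() not in known:
            findings.append((folder, "on sysvol but not in LDAP"))
    return findings

def demo():
    # Constructed sample data: the first two GUIDs are the ones quoted in the
    # report, the third is a made-up folder with no matching LDAP object.
    ldap_entries = [
        {"name": "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
         "displayName": "Default Domain Controllers Policy"},
        {"name": "{75991237-941B-47B9-AF67-853781EA44B3}"},
    ]
    with tempfile.TemporaryDirectory() as policies:
        os.mkdir(os.path.join(policies, "{6AC1786C-016F-11D2-945F-00C04FB984F9}"))
        os.mkdir(os.path.join(policies, "{00000000-0000-0000-0000-000000000001}"))
        return audit_gpos(ldap_entries, policies)

if __name__ == "__main__":
    for guid, problem in demo():
        print(f"{guid}: {problem}")
```

On a real domain controller the LDAP entries would come from a search under CN=Policies,CN=System and policies_dir would be the Policies folder seen in the strace output above.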