Multiple subcommands of samba-tool do not provide a decent error when a GPO is missing on the filesystem but still available in LDAP. In addition, when trying to remove the (partial) GPO with "samba-tool gpo del" it says the GPO does not exist instead of removing the remnants of it from LDAP.

samba-tool ntacl sysvolcheck
ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
    check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
    fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
    attribute = samba.xattr_native.wrap_getxattr(file

strace samba-tool ntacl sysvolcheck
<removed lots of output>
getxattr("/var/lib/samba/sysvol/samdom.net/Policies/{75991237-941B-47B9-AF67-853781EA44B3}", "security.NTACL", NULL, 0) = -1 ENOENT (No such file or directory)
write(2, "ERROR(<class 'TypeError'>): unca"..., 82ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory') ) = 82
<removed rest of output>

samba-tool ntacl sysvolreset
Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap
range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified 
for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap 
range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' idmap range not specified for domain '*' Could not find opname rename, logging all Could not find opname rename, logging all Could not find opname rename, logging all Could not find opname rename, logging all Could not find opname rename, logging all set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.') File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run return self.run(*args, **kwargs) File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run provision.setsysvolacl(samdb, netlogon, sysvol, File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1754, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1641, in set_gpos_acl set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp, File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1604, in set_dir_acl setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service) File 
"/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in setntacl
    smbd.set_nt_acl(

samba-tool gpo listall
GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path : \\samdom.net\sysvol\samdom.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=net
version : 0
flags : NONE
GPO : {75991237-941B-47B9-AF67-853781EA44B3}
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 477, in run
    self.outf.write("display name : %s\n" % m['displayName'][0])

Trying to delete the leftovers of the GPO returns:

samba-tool gpo del '{75991237-941B-47B9-AF67-853781EA44B3}'
ERROR: GPO '{75991237-941B-47B9-AF67-853781EA44B3}' does not exist

- Kees
Much of this is a dupe of https://bugzilla.samba.org/show_bug.cgi?id=14937 (thus fixed in master), but the "samba-tool gpo del" bit probably remains.