Everything so far has been working pretty good on the samba 4 installation. There is still the DNS issue I need to fix but other than that everything has been running fine. About a month ago now I was going to implement a policy to restrict some options for IE (like it running!). When I went in to add a policy it told me "The system cannot open the device or file specified" and wouldn't allow me to create a new one. I messed around with it a little and noticed that the default policy had a red icon on it if I'm not mistaken so I thought I would remove it because I read on a post it may be a corrupted policy. I just removed it and didn't delete it. Unfortunately, to my surprise this didn't work and I couldn't add any new policies or even re-link any policies. The only thing that I can still do to my group policies is edit the policies I already have. You can also see all the policies that are linked. This can hold up for a little while but eventually I am going to need to have this ability back to push out new policies. I can include some screen shots to help with the evaluation, if you want them just ask. There is nothing in the syslogs on anything. I am really hoping that you have seen this before and it's a quick fix. I appreciate your help and if you need anything please let me know.
Created attachment 5820: screen shots of the group policy management screen
screen shot
Created attachment 5821: screen shot 2
screen shot 2
Created attachment 5822: screen shot 3
screen shot 3
Created attachment 5823: screen shot 4
screen shot 4
Is no one going to take a look at this bug? I desperately need help resolving this and no one has even taken a glance at it yet after almost a month. Am I doing something wrong?
I suggest you mention it on the mailing list, so this finds a wider audience.
Robert,

Sorry for not jumping on this bug earlier, even if my life is driven by bugzilla I don't check it as I should.

Well in your situation, it seems that the removal of default gpo (and not in your situation btw) was the best solution.

My understanding of your current situation is that in gpmc, when you click on group policy object you receive the message "the system cannot open the device or file specified" ?

Can you do an extraction of policies stored in your ad:
"ldbsearch -H ldap://localhost -b CN=Policies,CN=System,DC=yourdomain,DC=tld displayname"

And attach it to this bug.

Also I would like to see ls -1 /usr/local/samba/var/locks/sysvol/yourdomain.tld/Policies/
(In reply to comment #7)
> Robert,
>
> Sorry for not jumping on this bug earlier, even if my life is driven by
> bugzilla I don't check it as I should.
>
> Well in your situation, it seems that the removal of default gpo (and not in
> your situation btw) was the best solution.
>
> My understanding of your current situation is that in gpmc, when you click on
> group policy object you receive the message "the system cannot open the device
> or file specified" ?
>
> Can you do an extraction of policies stored in your ad:
> "ldbsearch -H ldap://localhost -b CN=Policies,CN=System,DC=yourdomain,DC=tld
> displayname"
>
> And attach it to this bug.
>
> Also I would like to see ls -1
> /usr/local/samba/var/locks/sysvol/yourdomain.tld/Policies/
>

[/usr/local/samba/private]# ldbsearch -H ldap://localhost -b CN=Policies,CN=System,DC=CASINC,DC=com
unable to load ldap from /usr/lib/ldb/ldap.so: /usr/lib/ldb/ldap.so: cannot open shared object file: No such file or directory
Unable to find backend for 'ldap://localhost'
Failed to connect to ldap://localhost - (null)

[/usr/local/samba/private]# ls -l /usr/local/samba/var/locks/sysvol/cas-online.com/Policies/
total 120
drwxr-xr-x 5 3000008 users 4096 2010-04-01 12:36 {0AC2BEF7-FB8A-40B3-ADD0-AC3AE84B5ACD}
drwxr-xr-x 5 3000008 users 4096 2010-04-01 16:43 {3AEC54C6-873D-4AC0-B744-D6FEF7D2F0F6}
drwxr-xr-x 5 root adm 4096 2010-05-17 16:55 {3BB4EEF5-AD61-4C51-B739-8F599C272558}
drwxr-xr-x 5 3000008 users 4096 2010-04-01 16:42 {427DCE66-57A7-446E-A1A9-94984C43FEC0}
drwxr-xr-x 5 3000008 users 4096 2010-04-01 16:51 {621F5A49-AC83-477F-B439-8883991F9C3B}
drwxr-xr-x 5 3000008 users 4096 2010-03-26 17:10 {6C004C01-6893-4FD8-992E-B0A70B19143D}
drwxr-xr-x 5 3000008 users 4096 2010-04-01 16:49 {6D75CCEE-9B61-4881-BC5A-DAFC4E82B6DD}
drwxr-xr-x 5 3000008 users 4096 2010-05-13 12:58 {8B94B0F9-6017-47AE-9DF1-4B956275B7DE}
drwxr-xr-x 4 3000008 users 4096 2010-04-15 17:14 {9BC26236-BF77-4866-975B-D406ADDA9036}
drwxr-xr-x 5 3000008 users 4096 2010-04-01 16:35 {BDEED978-2CEE-48BB-A7DA-B49AFAAA87FE}
drwxr-xr-x 5 3000008 users 4096 2010-04-21 08:30 {C2AE88BD-2BF0-4E30-B90A-5D6EF1FB95AC}
drwxr-xr-x 4 3000008 users 4096 2010-04-15 12:01 {EBA2F6FA-3E57-4151-AA00-C8391C6F5E38}
drwxr-xr-x 4 3000008 users 4096 2010-04-15 11:52 {EF36DC7B-A28F-41F9-A99F-AB0DFA2CB8B4}
drwxr-xr-x 5 3000008 users 4096 2010-04-01 16:46 {F45AC139-AF50-4195-BCCF-818EAED764A6}
drwxr-xr-x 5 3000008 users 4096 2010-04-01 16:53 {FEFB3F64-71CA-4881-97DC-83516CBED5BD}
> [/usr/local/samba/private]# ldbsearch -H ldap://localhost -b
> CN=Policies,CN=System,DC=CASINC,DC=com
> unable to load ldap from /usr/lib/ldb/ldap.so: /usr/lib/ldb/ldap.so: cannot
> open shared object file: No such file or directory
> Unable to find backend for 'ldap://localhost'
> Failed to connect to ldap://localhost - (null)

Ok this is not good are you sure you typed ldbsearch and not ldapsearch ?

Can you try /usr/local/samba/bin/ldbsearch -H ... ?
(In reply to comment #9)
> > [/usr/local/samba/private]# ldbsearch -H ldap://localhost -b
> > CN=Policies,CN=System,DC=CASINC,DC=com
> > unable to load ldap from /usr/lib/ldb/ldap.so: /usr/lib/ldb/ldap.so: cannot
> > open shared object file: No such file or directory
> > Unable to find backend for 'ldap://localhost'
> > Failed to connect to ldap://localhost - (null)
> Ok this is not good are you sure you typed ldbsearch and not ldapsearch ?
>
> Can you try /usr/local/samba/bin/ldbsearch -H ... ?
>

Yes, that is the command I ran. The post above is directly from my terminal screen. What does this mean?
Correction! I got this to run correctly, the full path fixed it. I will attach the log file.
Created attachment 5878: ldbsearch results
Very relieved that this ran after your initial reaction.
Ok you have 18 gpos in the AD and 16 in the file system ...

The two missing are:
EA952CA0-CF3C-4655-BCCF-61177EA892E8 -> Default Domain Policy
567BD29F-A593-48A2-9FDD-D08A9D4F8C50 -> ftp_login

I propose to try to recreate manually the struct to see if it helps so in sysvol share through windows as an administrator you create: in \\server\sysvol\domain\Policies\ a folder called {ea952ca0-cf3c-4655-bccf-61177eA892e8} and another called {567bd29f-a593-48a2-9fdd-d08a9d4f8C50}

In each folder create two subfolders called MACHINE and USER (case matters).

Then in {ea952ca0-cf3c-4655-bccf-61177eA892e8} create a file GPT.INI with these two lines:
[General]
Version=196629

Then in {ea952ca0-cf3c-4655-bccf-61177eA892e8} create a file GPT.INI with these two lines:
[General]
Version=131072

also can you do this
/usr/local/samba/bin/ldbsearch -H ldap://localhost '(gPLink=*)' gPLink
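The AD-versus-sysvol comparison done by hand in the comment above can be scripted. This is an added example, not part of the original thread and not Samba's own tooling; the function names, the sample LDIF and the temporary Policies tree are constructed for illustration, and the check for GPT.INI, MACHINE and USER ignores case.

```python
import base64
import os
import re
import tempfile

GUID_RE = re.compile(r"\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
REQUIRED = ("GPT.INI", "MACHINE", "USER")  # layout named in the comment above
# Constructed LDIF in ldbsearch's shape; only the first two GUID/name pairs are from the thread.
SAMPLE_LDIF = """\
dn: CN={EA952CA0-CF3C-4655-BCCF-61177EA892E8},CN=Policies,CN=System,DC=yourdomain,DC=tld
displayName: Default Domain Policy

dn: CN={567BD29F-A593-48A2-9FDD-D08A9D4F8C50},CN=Policies,CN=System,DC=yourdom
 ain,DC=tld
displayName: ftp_login

dn: CN={3BB4EEF5-AD61-4C51-B739-8F599C272558},CN=Policies,CN=System,DC=yourdomain,DC=tld
displayName:: Y29uc3RydWN0ZWQgR1BP

dn: CN=Machine,CN={3BB4EEF5-AD61-4C51-B739-8F599C272558},CN=Policies,CN=System,DC=yourdomain,DC=tld
"""

def gpos_in_ad(ldif_text):
    """Map upper-cased GPO GUID -> displayName; CN=Machine/CN=User children are skipped."""
    gpos, guid = {}, None
    for line in ldif_text.replace("\n ", "").splitlines():  # unfold wrapped lines
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            m = re.match(r"\s*CN=(\{[^}]*\}),CN=Policies,", value, re.I)
            guid = m.group(1).upper() if m and GUID_RE.fullmatch(m.group(1)) else None
            if guid:
                gpos.setdefault(guid, "")
        elif guid and attr.lower() == "displayname":
            if value.startswith(":"):  # "attr:: value" is base64 in LDIF
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            gpos[guid] = value.strip()
    return gpos

def gpos_in_sysvol(policies_dir):
    """Map upper-cased GUID folder -> required entries it lacks (case ignored)."""
    found = {}
    for name in os.listdir(policies_dir):
        path = os.path.join(policies_dir, name)
        if GUID_RE.fullmatch(name) and os.path.isdir(path):
            present = {e.upper() for e in os.listdir(path)}
            found[name.upper()] = [r for r in REQUIRED if r not in present]
    return found

def compare(ldif_text, policies_dir):
    """Report GPOs that exist on only one side, and folders missing entries."""
    ad, fs = gpos_in_ad(ldif_text), gpos_in_sysvol(policies_dir)
    return {
        "missing_in_sysvol": {g: ad[g] for g in sorted(ad.keys() - fs.keys())},
        "orphaned_in_sysvol": sorted(fs.keys() - ad.keys()),
        "incomplete": {g: fs[g] for g in sorted(fs) if fs[g]},
    }

def demo():
    """Compare SAMPLE_LDIF with a constructed Policies tree in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        gpo = os.path.join(root, "{3bb4eef5-ad61-4c51-b739-8f599c272558}")
        os.makedirs(os.path.join(gpo, "Machine"))
        os.mkdir(os.path.join(gpo, "User"))
        open(os.path.join(gpo, "GPT.INI"), "w").close()
        os.makedirs(os.path.join(root, "{00000000-0000-0000-0000-000000000001}", "USER"))
        return compare(SAMPLE_LDIF, root)

if __name__ == "__main__":
    print(demo())
```

On a real server, `compare()` would take the saved ldbsearch output and the path of the Policies directory instead of the constructed inputs.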
I ran the other ldbsearch and am going to post the results. I created the file structure that you asked as well, should I restart samba now and try the GPOs? I am also figuring that in your previous statement the second GPT should be the second one I created, let me know if that's not correct.
Created attachment 5879: gplink search results
I have recreated those GPOs and have restarted samba since then and it has not fixed the problem. I actually am running into some errors on the domain PCs about the policies I created. Did you end up finding anything worth mentioning on that last list of ldbsearch? The time gap is shrinking and I need to try and get a resolution for this issue as soon as possible. Let me know anything you want me to try and I will do everything I can to get this resolved.
(In reply to comment #16)
> I have recreated those GPOs and have restarted samba since then and it has not
> fixed the problem. I actually am running into some errors on the domain PCs
> about the policies I created. Did you end up finding anything worth mentioning
> on that last list of ldbsearch? The time gap is shrinking and I need to try
> and get a resolution for this issue as soon as possible. Let me know anything
> you want me to try and I will do everything I can to get this resolved.
>

Ok robert, I was on vacation, so I had a few problems following it.

Can you make a wireshark/tcpdump trace on the samba4 server like this:
tcpdump -i <interface> host <ip_windows_workstation> -s 16000 -w /tmp/trace_gpo -v

And attach it zipped. Use the information from -v to see the packet number when you are really starting the gpmc.
Please do not hesitate to give a full capture but with the detailed information of what happened to which packet!
Sorry I have been getting slammed with other stuff recently. I took the tcpdump and then opened up the administrative tools on the xp machine during the capture, I assume that's what you wanted me to do. Please tell me whatever else you need from me. I have attached the dump.
Created attachment 5981: gp object trace dump
In looking at the packet captures it only appears that it fails or cannot load an object twice. Both times it fails on an ldap search of 'CN=builtinDomain-Display,CN=409,CN=displaySpecifiers,CN=Configuration,DC=cas-online,DC=com' Now if I filter the capture by just 'builtinDomain-Display' these are the only ones that pop up in the results. Is it possible this got corrupted or removed, if so how can I get it back or replace it so we can get this up and running again?
Hi Robert,

(In reply to comment #20)
> In looking at the packet captures it only appears that it fails or cannot load
> an object twice. Both times it fails on an ldap search of
> 'CN=builtinDomain-Display,CN=409,CN=displaySpecifiers,CN=Configuration,DC=cas-online,DC=com'

We should provide this object.

> Now if I filter the capture by just 'builtinDomain-Display' these are the
> only ones that pop up in the results. Is it possible this got corrupted or
> removed, if so how can I get it back or replace it so we can get this up and
> running again.

Probably you could use "upgradeprovision" - but it's better to ask Matthieu.
Robert, any news on this ? Have you tried upgradeprovision lately ?
(In reply to comment #22)
> Robert,
> any news on this ?
>
> Have you tried upgradeprovision lately ?
>

I have not tried this as I am too quick to jump on something it is in production and I have been swamped with other crap, but now I am focusing on trying to resolve outstanding issues, and this is numero uno. I am running alpha 12. Has there been a newer version that has come out? If so what are some precautions that I should take so that things do not blow up in my face as to I can resort back if something shall go wrong? Looking forward to resolving this issue soon.
(In reply to comment #22)
> Robert,
> any news on this ?
>
> Have you tried upgradeprovision lately ?
>

I am also assuming that you are wanting me to do a "--full" on the upgradeprovision.
Hi Robert,

you should know that we still do not provide production releases. Generally we suggest our users to try GIT checkouts since they are quite always a big step ahead to our alpha releases, which aren't prepared so often. Since we are now using "autobuild", a development tool which checks all branch merges against our unit tests, the quality of the "master" releases improved a lot.

Therefore please make use of this possibility and report if the problem still exists.

(In reply to comment #23)
> (In reply to comment #22)
> > Robert,
> > any news on this ?
> >
> > Have you tried upgradeprovision lately ?
> >
>
> I have not tried this as I am too quick to jump on something it is in
> production and I have been swamped with other crap, but now I am focusing on
> trying to resolve outstanding issues, and this is numero uno. I am running
> alpha 12. Has there been a newer version that has come out? If so what are
> some precautions that I should take so that things do not blow up in my face as
> to I can resort back if something shall go wrong? Looking forward to resolving
> this issue soon.
>
Robert, does the problem persist?
I am going to update provision probably Wednesday of next week and I will let you know the results.

> Robert, does the problem persist?
>
Tried to do upgrade provision tonight and kept getting errors when running the script. I am running alpha 12 and did a git pull earlier today to update everything for tonight. After I stopped samba and backed up everything I ran [/samba-master/source4/scripting/upgradeprovision --full -s /usr/local/samba/etc/smb.conf] and I get this in return.

Traceback (most recent call last):
  File "./scripting/bin/upgradeprovision", line 46, in <module>
    from samba import param, dsdb, Ldb
ImportError: cannot import name dsdb

Any suggestions? I couldn't get a hold of anyone on samba-technical and nothing on here. If I don't have an answer in 10-15 minutes I am going to stop and regress to old installation and wait for a reply.
Well, as you know from the process last night I was not able to get to upgrade provision as it failed out. Not before resolving our pesky BDC problem. We finally updated and ran the provision --full and we ended up getting a double free error.

talloc: double free error - first free may be at ../dsdb/samdb/ldb_modules/descriptor.c:548
Bad talloc magic value - double free
Aborted

I ran that through the gdb and got some output which is on pastebin at http://samba.pastebin.com/BeCxg4G0 and I have attached here. I think we almost got it we just need to get through this provision.
Created attachment 6138: gdb debug output
This could have been fixed, try another checkout:
http://gitweb.samba.org/samba.git/?p=samba.git;a=commitdiff;h=25163380239abbad28f1656c42e6fab1b92473d9

If it's still there then please inform us!

(In reply to comment #29)
> Well, as you know from the process last night I was not able to get to upgrade
> provision as it failed out. Not before resolving our pesky BDC problem. We
> finally update and ran the provision --full and we ended up getting a double
> free error.
>
> talloc: double free error - first free may be at
> ../dsdb/samdb/ldb_modules/descriptor.c:548
> Bad talloc magic value - double free
> Aborted
>
> I ran that through the gdb and got some output which is on pastebin at
> http://samba.pastebin.com/BeCxg4G0 and I have attached here. I think we
> almost got it we just need to get through this provision.
>
So I just have to replace that one file with this one and try and run it again?

(In reply to comment #31)
> This could have been fixed, try another checkout:
> http://gitweb.samba.org/samba.git/?p=samba.git;a=commitdiff;h=25163380239abbad28f1656c42e6fab1b92473d9
>
I would simply perform a "git pull" if you are using GIT - otherwise, as you've said replace it manually.

(In reply to comment #32)
> So I just have to replace that one file with this one and try and run it again?
>
> (In reply to comment #31)
> > This could have been fixed, try another checkout:
> > http://gitweb.samba.org/samba.git/?p=samba.git;a=commitdiff;h=25163380239abbad28f1656c42e6fab1b92473d9
> >
>
Well I did all of that last night. Git-pull, reinstall, then upgradeprovision. So the Git-pull makes no difference.
Now we've fixed another bug. Please try another "git pull"!
(In reply to comment #35)
> Now we've fixed another bug. Please try another "git pull"!
>

doing another attempt at upgrade in the next 10 minutes and see how it goes.
This is the latest bundle of fun I got as a return when running the upgrade provision --full

Creating a reference provision
Copy privilege
Update base samdb by searching difference with reference one
Starting update of samdb
There are 96 missing objects
Reloading a merged schema, it might trigger reindexing so please be patient
Schema reloaded !
Traceback (most recent call last):
  File "./scripting/bin/upgradeprovision", line 1708, in <module>
    schema, schemareloadclosure):
  File "./scripting/bin/upgradeprovision", line 1324, in update_samdb
    schema, highestUSN, prereloadfunc)
  File "./scripting/bin/upgradeprovision", line 1100, in update_partition
    provisionUSNs, names.invocation)
  File "./scripting/bin/upgradeprovision", line 812, in update_present
    scope=SCOPE_SUBTREE, controls=controls)
_ldb.LdbError: (1, None)
A transaction is still active in ldb context [0x8546f38] on /usr/local/samba/private/sam.ldb
A transaction is still active in ldb context [0x932f480] on /usr/local/samba/private/idmap.ldb
A transaction is still active in ldb context [0x9285478] on /usr/local/samba/private/secrets.ldb
A transaction is still active in ldb context [0x946d660] on /usr/local/samba/private/privilege.ldb
A transaction is still active in ldb context [0xa261ad0] on /usr/local/samba/private/referenceprovisionfyE0t9/private/sam.ldb
A transaction is still active in ldb context [0xa13e4c8] on /usr/local/samba/private/referenceprovisionfyE0t9/private/idmap.ldb
A transaction is still active in ldb context [0x99c8390] on /usr/local/samba/private/referenceprovisionfyE0t9/private/secrets.ldb
A transaction is still active in ldb context [0x9064318] on /usr/local/samba/private/referenceprovisionfyE0t9/private/privilege.ldb

what the hell does that mean??
Hard to say, there is a problem, but without a more detailed output (--debugall) it will be hard to understand
I have the debug from the error, but it's like 325MB and even compressed I can't post it here. I will scan over it today and then I will post the relevant data in the log.
Well unfortunately I am busy as hell as I imagine everyone is, but I did get a chance to look at some of the full log of the failure and it looks like it's failing when looking for an object of some kind. Now with these objects should I recreate them or what is the next move?
And of which kind are these objects? How are their DNs called?

So we could make us an idea in which component it is failing.

(In reply to comment #40)
> Well unfortunately I am busy as hell as I imagine everyone is, but I did get a
> chance to look at some of the full log of the failure and it looks like it's
> failing when looking for an object of some kind. Now with these objects should
> I recreate them or what is the next move?
>
(In reply to comment #41)
> And of which kind are these objects? How are their DNs called?
>
> So we could make us an idea in which component it is failing.
>
> (In reply to comment #40)
> > Well unfortunately I am busy as hell as I imagine everyone is, but I did get a
> > chance to look at some of the full log of the failure and it looks like it's
> > failing when looking for an object of some kind. Now with these objects should
> > I recreate them or what is the next move?
> >

Sorry I have been slammed at work and building new servers and I finally have a chance to get back to this. As I am looking at the end of the fail log it looks like it runs EOF on a certain CN. Upon looking up the CN it appears it IS there and it's the group policy container. Default domain controllers policy. Now I am not sure about if this is what it errored out on, but from the first look of this log from what I CAN make out this is the only thing resembling an error right now.
I am going to go back to this now because we desperately need to get this upgraded, resolved, and up to the most current running version. I still have the faillog from the last upgrade attempt. I will look through this and post the things that stick out to me that look like they're not working correctly. Is there anything else that I need to look for specifically?
{lpcfg_servicenumber: couldn't find ldb
Sorting rpmd with attid exception 3 rDN=CN DN=CN={3BB4EEF5-AD61-4C51-B739-8F599C272558},CN=Policies,CN=System,DC=cas-online,DC=com
ndr_pull_error(13): value out of range
Sorting rpmd with attid exception 3 rDN=CN DN=CN=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=cas-online,DC=com
lpcfg_servicenumber: couldn't find ldb
Reloading a merged schema, it might trigger reindexing so please be patient
Schema reloaded !
}

After skimming over the faillog of the upgrade of samba I found these 3 things that jumped out at me that looked like errors or doing something they shouldn't be doing. Does any of this look like it would be the issue I am having with the upgrade?
Robert,
I need the output of the upgradeprovision in order to be able to help you.

If you are concerned for your privacy you can try to send me the log directly

From your error there is really 1 that is important, you can ignore:
lpcfg_servicenumber: couldn't find ldb
, it just means that you don't have a [ldb] section in your smb.conf

The real problem is ndr_pull_error(13): value out of range, but we have to understand from where the problem came
(In reply to comment #45)
> Robert,
> I need the output of the upgradeprovision in order to be able to help you.
>
> If you are concerned for your privacy you can try to send me the log directly
>
> From your error there is really 1 that is important, you can ignore:
> lpcfg_servicenumber: couldn't find ldb
> , it just means that you don't have a [ldb] section in your smb.conf
>
> The real problem is ndr_pull_error(13): value out of range, but we have to
> understand from where the problem came

Ok, after being pulled off of fixing this several times I am tasked to finally get this fixed and finalized. My question is this however. I need to upgrade OS and hardware on this box right now. Would it be possible to rebuild a new box to say 12.04 server on Ubuntu on new hardware and then import all my information from the current server without fixing the current issue and not breaking the new one? If this is possible to do I think we should quit wasting time trying to fix the old issue and build a new box and migrate if possible, now if this is not possible then I will send you the upgradeprovision information so we can get this issue resolved.
I have been tasked to move forward back on this project so I need to know what I need for you guys so we can start to try and move forward on this project to get my DC fixed and upgraded and working again.