Web lists-archives.com

Re: [Samba] samba-tool domain backup ERROR




Hai Tim,  

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Tim 
> Beale via samba
> Verzonden: donderdag 28 februari 2019 21:53
> Aan: Stefan Kania; samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] samba-tool domain backup ERROR
> 
> On 1/03/19 1:46 AM, Stefan Kania via samba wrote:
> >
> > ....
> > Committing SAM database
> > Setting isSynchronized and dsServiceName
> > Cloned domain LF (SID S-1-5-21-2842440679-1648109622-3732055899)
> > ERROR(<type 'exceptions.IndexError'>): uncaught exception - 
> list index
> > out of range
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 177, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line
> > 237, in run
> >     new_sid = get_sid_for_restore(remote_sam)
> >   File
> > 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line
> > 73, in get_sid_for_restore
> >     rid = int(res[0].get('rIDNextRID')[0])
> >
> So, I've seen this before when you try to back up a DC that hasn't
> initialized its RID pool yet. I thought it was just a corner-case that
> only happens if you try to backup a brand new DC. I'm 
> guessing the same
> thing could happen though if all the RID allocations have 
> taken place on
> the primary DC and you try to back up the secondary DC.
> 
> Creating/deleting a temporary user on that DC should force a RID
> allocation. See:
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba
> _AD_DC#Troubleshooting
> 


This backup problem might not be all related to sysvol ACL problems. 

I have currently 1 GPO with errors out but the backup runs fine in my case. 
Stefan's setup and mine differences, RID (stefan) and AD (me) backends.

More liky to me here, that there is an AD-object that is having an incorrect
acl. 

Just my idea about this one, i've compaired my error with stefan's and these
are diffent. 
Which is good, since our outcome is also different. I did run before the
backup.

samba-tool dbcheck  ( 0 error, --cross-nc 0 errors ) 
samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/var/lib/sysvol/internal.domain.tld/Policies/{AD54EF7F-A136-4A28-95CE-EC2D35
BD7341}
O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;
;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;
AU)(A;OICI;0x001200a9;;;ED) does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a
9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270,
in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1836, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1787, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1734, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))

samba-tool ntacl sysvolreset 
samba-tool ntacl sysvolcheck same error as above. 

Then i did run the backup again. 
samba-tool domain backup online --server=rtd-dc1 --targetdir=./ 

And this resulted in a good backup. 


> Most likely you'll just hit the second sysvol problem though.
> 
> > ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A
> > process has requested access to an object but has not been granted
> > those access rights.')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 177, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line
> > 243, in run
> >     backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508,
> > in backup_online
> >     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331,
> > in get_acl
> >     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
> >
> We've seen this problem once before, see thread:
> https://lists.samba.org/archive/samba/2019-January/220353.html
> 
> That thread has got some tips on trying to get debug out 
> about what file
> is causing the problem. Note that you need to enable the debug on the
> samba server (i.e. smbd).
> 
> We need better debug in the tool itself when this happens. I'll try to
> improve it.
> 
> Another work-around for this sysvol problem would be to 
> upgrade to 4.10
> once it's released and use the new 'backup offline' option.
> 
> Cheers,
> Tim


Greetz, 

Louis


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba