Web lists-archives.com

Re: [Samba] samba-tool domain backup ERROR




Thanks Louis. I'm not sure that sysvolcheck error is related though -
that command appears to have had problems for a while, e.g.
https://bugzilla.samba.org/show_bug.cgi?id=13288
https://bugzilla.samba.org/show_bug.cgi?id=12236

The other thing to note is that in Samba 4.10, the underlying SMB client
python bindings that's being used here has been completely reworked.
Samba v4.9 is using the source4 client bindings, whereas 4.10 now uses
the source3 python bindings (which should be the same
implementation-wise as smbclient). So there is a small chance the
problem may have resolved itself in 4.10.

So Stefan, could you please try the online backup on 4.10 once it's
released, to see if you still get the problem? Note that with the online
backup, you don't have to run the command on the DC itself (unlike the
offline backup). So you don't have to upgrade the DC to 4.10 in order to
try this out.

The other thing to check would be whether you can read all the sysvol
ACLs successfully using smbclient, e.g.

smbclient //$SERVER/sysvol -U$USERNAME%$PASSWORD
smb: \> showacls
smb: \> l

On 1/03/19 10:15 PM, L. van Belle wrote:
> Hai Tim,  
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Tim 
>> Beale via samba
>> Verzonden: donderdag 28 februari 2019 21:53
>> Aan: Stefan Kania; samba@xxxxxxxxxxxxxxx
>> Onderwerp: Re: [Samba] samba-tool domain backup ERROR
>>
>> On 1/03/19 1:46 AM, Stefan Kania via samba wrote:
>>> ....
>>> Committing SAM database
>>> Setting isSynchronized and dsServiceName
>>> Cloned domain LF (SID S-1-5-21-2842440679-1648109622-3732055899)
>>> ERROR(<type 'exceptions.IndexError'>): uncaught exception - 
>> list index
>>> out of range
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>> line 177, in _run
>>>     return self.run(*args, **kwargs)
>>>   File
>>>
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line
>>> 237, in run
>>>     new_sid = get_sid_for_restore(remote_sam)
>>>   File
>>>
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line
>>> 73, in get_sid_for_restore
>>>     rid = int(res[0].get('rIDNextRID')[0])
>>>
>> So, I've seen this before when you try to back up a DC that hasn't
>> initialized its RID pool yet. I thought it was just a corner-case that
>> only happens if you try to backup a brand new DC. I'm 
>> guessing the same
>> thing could happen though if all the RID allocations have 
>> taken place on
>> the primary DC and you try to back up the secondary DC.
>>
>> Creating/deleting a temporary user on that DC should force a RID
>> allocation. See:
>> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba
>> _AD_DC#Troubleshooting
>>
>
> This backup problem might not be all related to sysvol ACL problems. 
>
> I have currently 1 GPO with errors out but the backup runs fine in my case. 
> Stefan's setup and mine differences, RID (stefan) and AD (me) backends.
>
> More liky to me here, that there is an AD-object that is having an incorrect
> acl. 
>
> Just my idea about this one, i've compaired my error with stefan's and these
> are diffent. 
> Which is good, since our outcome is also different. I did run before the
> backup.
>
> samba-tool dbcheck  ( 0 error, --cross-nc 0 errors ) 
> samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /var/lib/sysvol/internal.domain.tld/Policies/{AD54EF7F-A136-4A28-95CE-EC2D35
> BD7341}
> O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;
> ;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;
> AU)(A;OICI;0x001200a9;;;ED) does not match expected value
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
> f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a
> 9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270,
> in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1836, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1787, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1734, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
>
> samba-tool ntacl sysvolreset 
> samba-tool ntacl sysvolcheck same error as above. 
>
> Then i did run the backup again. 
> samba-tool domain backup online --server=rtd-dc1 --targetdir=./ 
>
> And this resulted in a good backup. 
>
>
>> Most likely you'll just hit the second sysvol problem though.
>>
>>> ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A
>>> process has requested access to an object but has not been granted
>>> those access rights.')
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>> line 177, in _run
>>>     return self.run(*args, **kwargs)
>>>   File
>>>
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line
>>> 243, in run
>>>     backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
>>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 508,
>>> in backup_online
>>>     ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
>>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 331,
>>> in get_acl
>>>     smb_path, SECURITY_SECINFO_FLAGS, SECURITY_SEC_FLAGS)
>>>
>> We've seen this problem once before, see thread:
>> https://lists.samba.org/archive/samba/2019-January/220353.html
>>
>> That thread has got some tips on trying to get debug out 
>> about what file
>> is causing the problem. Note that you need to enable the debug on the
>> samba server (i.e. smbd).
>>
>> We need better debug in the tool itself when this happens. I'll try to
>> improve it.
>>
>> Another work-around for this sysvol problem would be to 
>> upgrade to 4.10
>> once it's released and use the new 'backup offline' option.
>>
>> Cheers,
>> Tim
>
> Greetz, 
>
> Louis
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba