
[Samba] Online backup results using 4.10.2




Hello,

I would like to share some info on how I was able to successfully run an online backup after several failed attempts. I would constantly get the following error when attempting to run an online backup.

ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')

Looking through the list, I saw a post by Tim that led me to resolve the issue.

https://lists.samba.org/archive/samba/2019-January/220361.html

He indicated the issue was due to ACL rights on a sysvol object. Running samba-tool sysvolreset did not resolve the issue. I decided to increase the log level per Tim to 3.

I opened two SSH connections to my DC and tailed the samba log (tail -f /usr/local/samba/var/log.samba) on one. On the other I ran the online backup command with log level 5 (-d5).

I could see on the SSH session I was tailing the GPO with the unique ID throwing the error as soon as the online backup command failed. Logging into Group Policy Management (RSAT), I was able to identify the GPO in the details pane by verifying the unique ID. The GPO was created years ago. I wanted to try and set (samba-tool ntacl set) the ACL on this object, but didn't know what the default should be. I decided to delete the GPO seeing as it was no longer in use and not needed.

Deleting the GPO allowed the online backup to succeed without error. It would be nice if someone could post what the default ACL should be, in hopes of resolving this issue in the future where I may actually need to keep the GPO.

I did decide to get the ACL on the offending GPO in hopes someone with more knowledge than I could possibly spot the issue. See below.


root@pfdc1:~# samba-tool ntacl get /usr/local/samba/var/locks/sysvol/domain.local/Policies/{AB0F05DC-D6EB-44B3-BED1-3E2F19F9A9AC}
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[backup$]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
load_module_absolute_path: Module '/usr/local/samba/lib/vfs/acl_xattr.so' loaded
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)

security_descriptor: struct security_descriptor
revision: SECURITY_DESCRIPTOR_REVISION_1 (1)
type: 0x9114 (37140)
0: SEC_DESC_OWNER_DEFAULTED
0: SEC_DESC_GROUP_DEFAULTED
1: SEC_DESC_DACL_PRESENT
0: SEC_DESC_DACL_DEFAULTED
1: SEC_DESC_SACL_PRESENT
0: SEC_DESC_SACL_DEFAULTED
0: SEC_DESC_DACL_TRUSTED
0: SEC_DESC_SERVER_SECURITY
1: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_SACL_AUTO_INHERIT_REQ
0: SEC_DESC_DACL_AUTO_INHERITED
0: SEC_DESC_SACL_AUTO_INHERITED
1: SEC_DESC_DACL_PROTECTED
0: SEC_DESC_SACL_PROTECTED
0: SEC_DESC_RM_CONTROL_VALID
1: SEC_DESC_SELF_RELATIVE
owner_sid: *
owner_sid: S-1-5-21-940051827-2291820289-3341758437-512
group_sid: *
group_sid: S-1-5-21-940051827-2291820289-3341758437-512
sacl: NULL
dacl: *
dacl: struct security_acl
revision: SECURITY_ACL_REVISION_ADS (4)
size: 0x00c4 (196)
num_aces: 0x00000007 (7)
aces: ARRAY(7)

aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0024 (36)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-21-940051827-2291820289-3341758437-512

aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0024 (36)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-21-940051827-2291820289-3341758437-519

aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0014 (20)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-3-0

aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0024 (36)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-21-940051827-2291820289-3341758437-512

aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0014 (20)
access_mask: 0x001f01ff (2032127)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-18

aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0014 (20)
access_mask: 0x001200a9 (1179817)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-9

aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size: 0x0014 (20)
access_mask: 0x001200a9 (1179817)
object: union security_ace_object_ctr(case 0)
trustee: S-1-5-11



--James
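
A dump like the one in this post is easier to compare against another GPO's ACL once it is condensed to a single SDDL string. The following Python parser is an added example, not part of the original post or of Samba; it reads the `samba-tool ntacl get` text shown above, and its sample input (including the SIDs) is constructed.

```python
import re

# Constructed sample in the layout of the dump above (made-up domain SID).
SAMPLE = """\
type: 0x9114 (37140)
1: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_DACL_AUTO_INHERITED
1: SEC_DESC_DACL_PROTECTED
owner_sid: S-1-5-21-1111-2222-3333-512
group_sid: S-1-5-21-1111-2222-3333-512
aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x0b (11)
access_mask: 0x001f01ff (2032127)
trustee: S-1-3-0
aces: struct security_ace
type: SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags: 0x03 (3)
access_mask: 0x001200a9 (1179817)
trustee: S-1-5-11
"""

ACE_TYPES = {"SEC_ACE_TYPE_ACCESS_ALLOWED": "A", "SEC_ACE_TYPE_ACCESS_DENIED": "D"}
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
SD_FLAGS = [("SEC_DESC_DACL_PROTECTED", "P"), ("SEC_DESC_DACL_AUTO_INHERIT_REQ", "AR"),
            ("SEC_DESC_DACL_AUTO_INHERITED", "AI")]

def dump_to_sddl(text):
    """Condense `samba-tool ntacl get` NDR output into one SDDL string."""
    fields = re.findall(r"^\s*(\w+)\s*:\s*(\S+)", text, re.M)
    sids = {"owner_sid": "", "group_sid": ""}
    control, aces, ace = set(), [], None
    for key, val in fields:
        if key == "1" and val.startswith("SEC_DESC_"):
            control.add(val)                      # control bit that is set
        elif key in sids and val.startswith("S-"):
            sids[key] = val                       # skip the "*" pointer line
        elif key == "aces" and val == "struct":
            ace = {}                              # a new ACE record begins
            aces.append(ace)
        elif ace is not None and key in ("type", "flags", "access_mask", "trustee"):
            ace[key] = val
    sd_flags = "".join(s for name, s in SD_FLAGS if name in control)
    out = f"O:{sids['owner_sid']}G:{sids['group_sid']}D:{sd_flags}"
    for a in aces:
        flags = "".join(s for bit, s in ACE_FLAGS if int(a["flags"], 16) & bit)
        kind = ACE_TYPES.get(a["type"], "?")
        out += f"({kind};{flags};{a['access_mask']};;;{a['trustee']})"
    return out
```

On a live DC, `samba-tool ntacl get` with `--as-sddl` prints this form directly; the parser is for dumps that were already captured as text.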
