[email protected]
[Top] [All Lists]

Re: Corrupted GPO

Subject: Re: Corrupted GPO
From: Matthieu Patou
Date: Tue, 29 Jun 2010 20:17:51 +0400
 On 29/06/2010 19:09, George Lazar wrote:

Matthieu Patou-7 wrote:
   On 29/06/2010 18:39, George Lazar wrote:

Matthieu Patou-7 wrote:
    Hi Georges,

Regarding the output, the GPO I was creating when I started to
"there is not enough space" is record no. 13... (Themes Enabled GPO)

The content of /usr/local/samba/var/locks/.. doesn't seems not
have there all the policies owned by 3000008 as before.
Yes but I need it to see if all the policy object declared in the
Policies container are also here on the filesystem.

See attached policies.png

More specifically can you show the content of
{391F2562-1AB9-4CA5-BC87-4BD72929CC5E} folder ?
Can you access
Do you see a file called gpt.ini and two folders MACHINE and USER ?
If no can create the folder and the file with the following content:

See attached policy.png http://old.nabble.com/file/p29022853/GPO.JPG
GPO.JPG  http://old.nabble.com/file/p29022853/polcies.PNG polcies.PNG
http://old.nabble.com/file/p29022853/policy.PNG policy.PNG
It's the fist time I see such things but I'm not the most experienced
with gpo.

Ok let's try to nuke the GPO:
do a tdbbackup on all the ldb files in /usr/local/samba/private then


ldbedit -H ldap:/localhost -b

You should have three objects, remove them.

It doesn't let me delete them, I got:
failed to delete
- LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -<00002098: insufficient
access rights>   <>

I'm doing this as root but should I stop samba first?

no You have to get authenticated: ldbedit -H .... -U DOMAIN\\User

with authentication I got another error:
  LDAP error 66 LDAP_NOT_ALLOWED_ON_NON_LEAF -<00002015: Not allowed on
Hum ok let's try to do it on the ldb files directly:

ldbedit -H /usr/local/samba/private/sam.ldb -b CN={391F2562-1AB9-4CA5-BC87-4BD72929CC5E},CN=Policies,CN=System,DC=domain,DC=eu

ps: can you join #samba-technical it would be easier for realtime debug.

Matthieu Patou
Samba Team        http://samba.org

<Prev in Thread] Current Thread [Next in Thread>