Problem: Samba offline NT ACL backup of SYSVOL fails when SYSVOL contains symbolic links

Problem

The scheduled cron job /usr/sbin/univention-samba4-backup fails with an exception during the offline NT ACL backup of the SYSVOL share. The following error is written to the cron mail or log output:

ERROR(): uncaught exception - [Errno 2] No such file or directory:
'/var/lib/samba/sysvol/<subdomain>.example.com'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 353, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/backup.py", line 1189, in run
    backup_offline(paths.sysvol, sysvol_tar, samdb, paths.smbconf)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 580, in backup_offline
    ntacl_sddl_str = ntacls_helper.getntacl(src, session_info, as_sddl=True)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 466, in getntacl
    ntacl_sd = getntacl(
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in getntacl
    return smbd.get_nt_acl(file, ...)
univention-samba4-backup: ERROR: samba-tool domain backup failed

The same error can be reproduced manually by executing:

/usr/bin/samba-tool domain backup offline --targetdir=/var/univention-backup/samba

Investigation

In the affected environment, the SYSVOL directory is structured as follows:

$ ls -ahl /var/lib/samba/sysvol/
bremen.univention.de   -> univention.de/
muenchen.univention.de -> univention.de/
univention.de

The customer operates a single primary SYSVOL directory, while additional subdomains used for different locations are provided through symbolic links that point to the SYSVOL of the primary domain.

Running /usr/bin/samba-tool domain backup offline --targetdir=/var/univention-backup/samba in this environment produces the following error:

running offline ntacl backup of sysvol
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No such file or directory: '/var/lib/samba/sysvol/muenchen.univention.de'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 230, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py", line 1180, in run
    backup_offline(paths.sysvol, sysvol_tar, samdb, paths.smbconf)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 580, in backup_offline
    ntacl_sddl_str = ntacls_helper.getntacl(src, session_info, as_sddl=True)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 469, in getntacl
    service=self.service)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 128, in getntacl
    service=service)

During the offline backup, samba-tool iterates over the entries in /var/lib/samba/sysvol/ and attempts to read the NT ACL of every entry via:

ntacl_sddl_str = ntacls_helper.getntacl(src, session_info, as_sddl=True)

Because the symbolic link itself does not carry an NT ACL, the underlying smbd.get_nt_acl() call fails with FileNotFoundError (errno 2), which aborts the entire backup.
Root Cause

The upstream implementation of samba-tool domain backup offline does not handle symbolic links inside the SYSVOL directory. There is no NT ACL attached to a symlink, and the code path in /usr/lib/python3/dist-packages/samba/ntacls.py does not skip such entries, resulting in the exception shown above.
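A pre-flight check that reports the entries the offline backup would trip over, added here as an example (not Samba or Univention code). It assumes, as the traceback suggests, that backup_offline() walks the SYSVOL tree with os.walk() without following links and hands every entry to getntacl(); the directory layout it builds is a constructed copy of the customer's listing above, so the script runs without a real DC.

```python
"""Report symbolic links below a SYSVOL directory before running
'samba-tool domain backup offline'. Added example; the walk mirrors
how backup_offline() is assumed to traverse the tree (os.walk,
followlinks=False), so every link found here is one getntacl() would
fail on with FileNotFoundError."""
import os
import tempfile

SYSVOL_PATH = "/var/lib/samba/sysvol"  # default Samba SYSVOL path


def find_sysvol_symlinks(sysvol):
    """Return (relative_path, resolved_target, target_inside_sysvol)
    for every symlink below sysvol. Symlinked directories appear in
    dirnames but are not descended into, so both lists are checked."""
    sysvol_real = os.path.realpath(sysvol)
    found = []
    for dirpath, dirnames, filenames in os.walk(sysvol, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            inside = os.path.commonpath([sysvol_real, target]) == sysvol_real
            found.append((os.path.relpath(path, sysvol), target, inside))
    return found


def build_constructed_layout():
    """Create a throw-away tree mimicking the customer's SYSVOL:
    one real domain directory plus two subdomain symlinks to it
    (constructed sample data, not a real SYSVOL)."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    os.makedirs(os.path.join(root, "univention.de", "Policies"))
    os.symlink("univention.de", os.path.join(root, "bremen.univention.de"))
    os.symlink("univention.de", os.path.join(root, "muenchen.univention.de"))
    return root


if __name__ == "__main__":
    root = build_constructed_layout()  # use SYSVOL_PATH on a real DC
    for rel, target, inside in find_sysvol_symlinks(root):
        where = "inside" if inside else "outside"
        print(f"{rel} -> {target} ({where} SYSVOL; offline backup would abort)")
```

An empty result means the SYSVOL layout contains no symlinks and the backup failure described here has another cause.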

The issue is tracked in the Univention Bugzilla as Bug #56866.

Workaround

Until the fix from Bug #56866 is available in an official package update, the patch provided in Bugzilla attachment #11283 can be applied manually. The patch adjusts ntacls.py so that symlinked entries within the SYSVOL directory are handled correctly (either backed up or skipped) instead of aborting the backup.

Note: The patch modifies a file that is part of the samba package. The change will be overwritten on the next update of the samba package and must then be re-applied until the official fix has been released.

  1. Create a backup of the original file:

    cp -a /usr/lib/python3/dist-packages/samba/ntacls.py /root/ntacls.py.bak

  2. Download the patch:

    wget "https://forge.univention.org/bugzilla/attachment.cgi?id=11283" -O /root/ntacls.patch

  3. Apply the patch:

    patch -p1 /usr/lib/python3/dist-packages/samba/ntacls.py < /root/ntacls.patch

  4. Verify the backup works by running it manually:

    /usr/sbin/univention-samba4-backup

    The run should now complete without the FileNotFoundError exception, and a SYSVOL backup archive should be created in /var/univention-backup/samba/.

Additional notes

  • The Samba/AD replication model assumes that each Active Directory domain has its own independent SYSVOL. Replacing per-domain SYSVOL directories with symbolic links to a single primary SYSVOL is not a supported configuration and may lead to further side effects (e.g. when Group Policy Objects are modified, during SYSVOL replication, or on DC promotion/demotion). It is recommended to review the setup and, where possible, move to a standard SYSVOL layout.
  • After the official fix from Bug #56866 is released via errata, the manual patch should be reverted (by reinstalling the samba package or restoring the backup of ntacls.py) so that the officially maintained version is in use.

References