[Samba] SYSVOL ACLs and GPOs

Alex Matthews qoole.samba at lillimoth.com
Thu Oct 25 04:41:03 MDT 2012


On 25/10/2012 11:30, Andrew Bartlett wrote:
> On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
>
>> samba-tool ntacl sysvolcheck shows:
>>
>> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>> ProvisioningError: VFS ACL on GPO directory
>> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
>> does not match expected value
>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>> from GPO object
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>>       return self.run(*args, **kwargs)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 245, in run
>>       lp)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1574, in checksysvolacl
>>       direct_db_access)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1526, in check_gpos_acl
>>       domainsid, direct_db_access)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1476, in check_dir_acl
>>       raise ProvisioningError('%s ACL on GPO directory %s %s does not
>> match expected value %s from GPO object' % (acl_type(direct_db_access),
>> path, fsacl_sddl, acl))
> Drat.
>
> So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
> the issue we have had for a while.  I had (incorrectly in your case)
> assumed the issue was that IDMAP mappings imported from classic domains
> were breaking it.  That's why I worked on my patches, which improve the
> situation by handling some details at a lower level.
>
> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset';
> then, if you don't mind, getting me the level 10 debug log would be very
> helpful.  Set 'log level = 10' in your smb.conf, then re-run and send me
> (personally) the result compressed with xz.
>
> Andrew Bartlett
>
Just to be clear, those last two logs were taken from a Samba compiled 
with your fix-acls2 branch.
It is also a completely blank provisioned domain; I have not migrated 
anything.

What do you want the logs of? Starting samba + logging in from XP + 
starting gpmc.msc + altering permissions manually?

Thanks,

Alex
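As an added illustration (not part of the thread or of Samba's own code), a small Python script that parses the two SDDL strings from the sysvolcheck error above and reports, per ACL, which control flags and ACEs the filesystem descriptor lacks or carries in excess relative to the value expected from the GPO object. The comparison is order-insensitive, unlike the literal mismatch sysvolcheck reports, so it only says which entries differ, not whether their ordering is canonical; the two constants are copies of the page's strings.

```python
import re

# Constructed copies of the two descriptors from the sysvolcheck error quoted
# above (filesystem ACL first, then the value expected from the GPO object).
ACTUAL = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
          "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)S:AI"
            "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

def parse_sddl(sddl):
    """Split SDDL into owner, group, DACL, SACL. Each ACL is
    (control_flags, [ace_body, ...]); ACE bodies are kept as raw strings."""
    parts = dict(re.findall(r'([OGDS]):(.*?)(?=[OGDS]:|$)', sddl))

    def acl(body):
        if body is None:               # descriptor has no such ACL at all
            return None
        flags = body.split('(', 1)[0]  # 'P', 'AI', ... before the first ACE
        return flags, re.findall(r'\(([^)]*)\)', body)

    return {'owner': parts.get('O'), 'group': parts.get('G'),
            'dacl': acl(parts.get('D')), 'sacl': acl(parts.get('S'))}

def diff_acl(actual, expected):
    """Order-insensitive difference of two (flags, aces) ACLs; a missing ACL
    counts as empty, so an absent SACL shows up as missing flags and ACEs."""
    a_flags, a_aces = actual or ('', [])
    e_flags, e_aces = expected or ('', [])
    tok = lambda f: set(re.findall(r'AR|AI|P', f))   # SDDL ACL control flags
    return {'flags_missing': sorted(tok(e_flags) - tok(a_flags)),
            'flags_extra': sorted(tok(a_flags) - tok(e_flags)),
            'aces_missing': sorted(set(e_aces) - set(a_aces)),
            'aces_extra': sorted(set(a_aces) - set(e_aces))}

def sysvol_acl_diff(actual_sddl, expected_sddl):
    """Break a sysvolcheck mismatch down per ACL: what the filesystem ACL lacks
    relative to the GPO object, and what it carries that the GPO does not."""
    a, e = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    return {'dacl': diff_acl(a['dacl'], e['dacl']),
            'sacl': diff_acl(a['sacl'], e['sacl'])}
```

Run on the two strings above, sysvol_acl_diff(ACTUAL, EXPECTED) shows the filesystem DACL lacking the P (protected) flag and the inheritable full-control entries for EA and SY, carrying several non-inheriting read entries plus an inherit-only CG entry the GPO value does not have, and having no SACL at all where the GPO expects two auditing object ACEs.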
