[Samba] SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Thu Oct 25 04:48:57 MDT 2012


On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
> On 25/10/2012 11:30, Andrew Bartlett wrote:
> > On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
> >
> >> samba-tool ntacl sysvolcheck shows:
> >>
> >> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
> >> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> >> ProvisioningError: VFS ACL on GPO directory
> >> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> >> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
> >> does not match expected value
> >> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >> from GPO object
> >>     File
> >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> >> line 175, in _run
> >>       return self.run(*args, **kwargs)
> >>     File
> >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> >> line 245, in run
> >>       lp)
> >>     File
> >> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> >> line 1574, in checksysvolacl
> >>       direct_db_access)
> >>     File
> >> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> >> line 1526, in check_gpos_acl
> >>       domainsid, direct_db_access)
> >>     File
> >> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> >> line 1476, in check_dir_acl
> >>       raise ProvisioningError('%s ACL on GPO directory %s %s does not
> >> match expected value %s from GPO object' % (acl_type(direct_db_access),
> >> path, fsacl_sddl, acl))
> > Drat.
> >
> > So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
> > the issue we have had for a while.  I had (incorrectly in your case)
> > assumed the issue was that IDMAP mappings imported from classic domains
> > were breaking it.  That's why I worked on my patches, which improve the
> > situation by handling some details at a lower level.
> >
> > On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' and
> > then, if you don't mind, getting me the level 10 debug log would be very
> > helpful.  Set 'log level = 10' in your smb.conf, then re-run and send me
> > (personally) the result compressed with xz.
> >
> > Andrew Bartlett
> >
> Just to be clear, those last two logs were taken from a samba compiled 
> with your fix-acls2 branch.
> It is also a completely blank provisioned domain I have not migrated 
> anything.
> 
> What do you want the logs of? Starting samba + logging in from XP + 
> starting gpmc.msc + altering permissions manually?

Yeah, I was incredibly unclear: I need level 10 logs of just the
'samba-tool ntacl sysvolcheck' command, as that shows the issue
in a very nice, self-contained way.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
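An added illustration, not part of this thread and not samba-tool's own code: the two SDDL strings from the sysvolcheck error above, parsed and compared so the reported mismatch becomes concrete. Run against those strings it shows that the on-disk DACL lacks the P (protected) flag, carries no SACL, and grants Enterprise Admins (EA) and SYSTEM (SY) only read/execute on the GPO directory itself, with their full control sitting in inherit-only ACEs that apply to children only. The section/ACE regexes, the small rights alias table and the helper names are this example's own assumptions, not samba's parser.

```python
import re
from collections import Counter

# The two DACLs from the sysvolcheck error in the thread: what is on disk
# ("actual") and what samba-tool derives from the GPO object ("expected").
ACTUAL_SDDL = (
    "O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
    "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED_SDDL = (
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

# Assumed, simplified SDDL grammar: O:/G:/D:/S: sections, ACEs in parentheses,
# ACL control flags (P, AI, AR) before the first ACE.
SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")
CONTROL_RE = re.compile(r"AR|AI|P")

# Rights aliases that occur in the strings above (assumed table, hex is used as-is).
RIGHTS_ALIAS = {"WO": 0x00080000, "WD": 0x00040000, "WP": 0x00000020}
FULL_CONTROL = 0x001F01FF
READ_EXECUTE = 0x001200A9


def parse_sddl(sddl):
    """Return {'owner', 'group', 'dacl', 'sacl'}; each ACL is (control, [ace, ...]).

    An ace is the 6-tuple (type, flags, rights, object_guid, inherit_guid, trustee)."""
    sections = dict(SECTION_RE.findall(sddl))

    def acl(text):
        control = frozenset(CONTROL_RE.findall(text.split("(", 1)[0]))
        aces = [tuple(a.split(";")) for a in ACE_RE.findall(text)]
        return control, aces

    return {"owner": sections.get("O", ""), "group": sections.get("G", ""),
            "dacl": acl(sections.get("D", "")), "sacl": acl(sections.get("S", ""))}


def ace_flags(flags):
    """Split an ACE flag string such as 'OICIIO' into its two-letter flags."""
    return {flags[i:i + 2] for i in range(0, len(flags), 2)}


def rights_mask(rights):
    """Convert an SDDL rights field (hex or a known alias) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return RIGHTS_ALIAS[rights]


def effective_on_object(aces, trustee):
    """Allowed bits a trustee holds on the directory itself.

    Inherit-only (IO) ACEs are skipped: they shape children, not this object."""
    mask = 0
    for ace_type, flags, rights, _obj, _inh, sid in aces:
        if ace_type == "A" and sid == trustee and "IO" not in ace_flags(flags):
            mask |= rights_mask(rights)
    return mask


def diff_dacl(actual_sddl, expected_sddl):
    """Multiset comparison of two DACLs: control flags and ACEs on one side only."""
    a_ctrl, a_aces = parse_sddl(actual_sddl)["dacl"]
    e_ctrl, e_aces = parse_sddl(expected_sddl)["dacl"]
    a_count, e_count = Counter(a_aces), Counter(e_aces)
    return {"missing_control": sorted(e_ctrl - a_ctrl),
            "extra_control": sorted(a_ctrl - e_ctrl),
            "missing_aces": sorted((e_count - a_count).elements()),
            "extra_aces": sorted((a_count - e_count).elements())}


def report(actual_sddl, expected_sddl):
    """Human-readable findings, one per line."""
    d = diff_dacl(actual_sddl, expected_sddl)
    lines = []
    if "P" in d["missing_control"]:
        lines.append("on-disk DACL is not protected (no P): parent ACEs can propagate in")
    lines += ["only on disk: (%s)" % ";".join(a) for a in d["extra_aces"]]
    lines += ["only in GPO object: (%s)" % ";".join(a) for a in d["missing_aces"]]
    if parse_sddl(expected_sddl)["sacl"][1] and not parse_sddl(actual_sddl)["sacl"][1]:
        lines.append("SACL present in GPO object but absent on disk")
    for trustee in ("DA", "EA", "SY"):
        have = effective_on_object(parse_sddl(actual_sddl)["dacl"][1], trustee)
        want = effective_on_object(parse_sddl(expected_sddl)["dacl"][1], trustee)
        if have != want:
            lines.append("%s on the directory itself: 0x%08x, GPO object says 0x%08x"
                         % (trustee, have, want))
    return lines


if __name__ == "__main__":
    print("\n".join(report(ACTUAL_SDDL, EXPECTED_SDDL)))
```

Running the block prints the six ACEs found only on disk (the non-inherited read/execute entries for DA, EA and SY, the CG write-owner entry, and the inherit-only full-control entries for EA and SY), the two full-control OICI entries for EA and SY that only the GPO object has, the missing P flag and SACL, and that EA and SY end up with 0x001200a9 instead of 0x001f01ff on the directory itself. The comparison is by ACE tuple, so reordering alone would not be flagged; that is a choice for this example and says nothing about how samba-tool itself compares the two strings.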