[Samba] SYSVOL ACLs and GPOs
Olivier BILHAUT
o.bilhaut at fondation-misericorde.fr
Mon Oct 29 04:34:03 MDT 2012
Hi Andrew,
I updated our S4 instance this morning with the updated git (master). We
still have a problem with one of our 3 GPOs. But if I remove one of them,
the same error is displayed with any of the remaining GPOs. I need to
remove them all to completely get rid of this message. I also noticed
that it always begins with a GPO applied to the computers, not the users.
Here's the level 10 log. Sorry if you find my message imprecise, and
don't hesitate to ask me for more information if needed. We'll be pleased to
contribute at our level.
set_conn_connectpath: service (null), connectpath = /
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
vfs_find_backend_entry called for /[Default VFS]/
Successfully loaded vfs module [/[Default VFS]/] with the new modules system
Initialising custom vfs hooks from [acl_xattr]
vfs_find_backend_entry called for acl_xattr
Successfully loaded vfs module [acl_xattr] with the new modules system
Initialising custom vfs hooks from [dfs_samba4]
vfs_find_backend_entry called for dfs_samba4
Successfully loaded vfs module [dfs_samba4] with the new modules system
get_nt_acl_internal:
name=/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
posix_fget_nt_acl: called for file
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
posix_get_nt_acl: called for file
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
uid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 100 -> sid S-1-5-21-939380553-781147246-4131372059-513
uid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 3000003 -> sid S-1-5-11
gid 3000010 -> sid S-1-5-21-939380553-781147246-4131372059-519
gid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 3000026 -> sid S-1-5-18
gid 3000028 -> sid S-1-5-9
canonicalise_acl: Access ace entries before arrange :
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
canon_ace index 1. Type = allow SID = S-1-5-9 gid 3000028 (3000028)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 2. Type = allow SID = S-1-5-18 gid 3000026 (3000026)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 3. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 gid 3000012 (Domain Admins)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 4. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-519 gid 3000010 (Enterprise
Admins) SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 5. Type = allow SID = S-1-5-11 gid 3000003 (3000003)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 6. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-513 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
canon_ace index 7. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER ace_flags = 0x0 perms rwx
canon_ace index 8. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-513 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
canon_ace index 2. Type = allow SID = S-1-5-9 gid 3000028 (3000028)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 3. Type = allow SID = S-1-5-18 gid 3000026 (3000026)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 4. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 gid 3000012 (Domain Admins)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 5. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-519 gid 3000010 (Enterprise
Admins) SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 6. Type = allow SID = S-1-5-11 gid 3000003 (3000003)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 7. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER ace_flags = 0x0 perms rwx
canon_ace index 8. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
uid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 3000003 -> sid S-1-5-11
gid 3000010 -> sid S-1-5-21-939380553-781147246-4131372059-519
gid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 3000026 -> sid S-1-5-18
gid 3000028 -> sid S-1-5-9
canonicalise_acl: Default ace entries before arrange :
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
canon_ace index 1. Type = allow SID = S-1-5-9 gid 3000028 (3000028)
SMB_ACL_GROUP ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-5-18 gid 3000026 (3000026)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 3. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 gid 3000012 (Domain Admins)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 4. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-519 gid 3000010 (Enterprise
Admins) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 5. Type = allow SID = S-1-5-11 gid 3000003 (3000003)
SMB_ACL_GROUP ace_flags = 0x0 perms r-x
canon_ace index 6. Type = allow SID = S-1-3-1 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
canon_ace index 7. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER ace_flags = 0x0 perms rwx
canon_ace index 8. Type = allow SID = S-1-3-0 uid 3000012 (3000012)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID = S-1-3-0 uid 3000012 (3000012)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-3-1 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
canon_ace index 2. Type = allow SID = S-1-5-9 gid 3000028 (3000028)
SMB_ACL_GROUP ace_flags = 0x0 perms r-x
canon_ace index 3. Type = allow SID = S-1-5-18 gid 3000026 (3000026)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 4. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 gid 3000012 (Domain Admins)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 5. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-519 gid 3000010 (Enterprise
Admins) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 6. Type = allow SID = S-1-5-11 gid 3000003 (3000003)
SMB_ACL_GROUP ace_flags = 0x0 perms r-x
canon_ace index 7. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER ace_flags = 0x0 perms rwx
canon_ace index 8. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 80000
map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
merge_default_aces: Merging ACE 11 onto ACE 0.
merge_default_aces: Merging ACE 13 onto ACE 6.
get_nt_acl_internal: blob hash does not match for file
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
- returning file system SD mapping.
get_nt_acl_internal: acl for blob hash for
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
is:
pdesc_next: struct security_descriptor
revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
type : 0x9004 (36868)
0: SEC_DESC_OWNER_DEFAULTED
0: SEC_DESC_GROUP_DEFAULTED
1: SEC_DESC_DACL_PRESENT
0: SEC_DESC_DACL_DEFAULTED
0: SEC_DESC_SACL_PRESENT
0: SEC_DESC_SACL_DEFAULTED
0: SEC_DESC_DACL_TRUSTED
0: SEC_DESC_SERVER_SECURITY
0: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_SACL_AUTO_INHERIT_REQ
0: SEC_DESC_DACL_AUTO_INHERITED
0: SEC_DESC_SACL_AUTO_INHERITED
1: SEC_DESC_DACL_PROTECTED
0: SEC_DESC_SACL_PROTECTED
0: SEC_DESC_RM_CONTROL_VALID
1: SEC_DESC_SELF_RELATIVE
owner_sid : *
owner_sid :
S-1-5-21-939380553-781147246-4131372059-512
group_sid : *
group_sid :
S-1-5-21-939380553-781147246-4131372059-513
sacl : NULL
dacl : *
dacl: struct security_acl
revision : SECURITY_ACL_REVISION_NT4 (2)
size : 0x015c (348)
num_aces : 0x0000000d (13)
aces: ARRAY(13)
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-9
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-18
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-519
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-11
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-0
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00080000 (524288)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-1
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-9
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-18
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-519
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-11
get_nt_acl_internal: returning acl for
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
is:
psd: struct security_descriptor
revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
type : 0x8004 (32772)
0: SEC_DESC_OWNER_DEFAULTED
0: SEC_DESC_GROUP_DEFAULTED
1: SEC_DESC_DACL_PRESENT
0: SEC_DESC_DACL_DEFAULTED
0: SEC_DESC_SACL_PRESENT
0: SEC_DESC_SACL_DEFAULTED
0: SEC_DESC_DACL_TRUSTED
0: SEC_DESC_SERVER_SECURITY
0: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_SACL_AUTO_INHERIT_REQ
0: SEC_DESC_DACL_AUTO_INHERITED
0: SEC_DESC_SACL_AUTO_INHERITED
0: SEC_DESC_DACL_PROTECTED
0: SEC_DESC_SACL_PROTECTED
0: SEC_DESC_RM_CONTROL_VALID
1: SEC_DESC_SELF_RELATIVE
owner_sid : *
owner_sid :
S-1-5-21-939380553-781147246-4131372059-512
group_sid : *
group_sid :
S-1-5-21-939380553-781147246-4131372059-513
sacl : NULL
dacl : *
dacl: struct security_acl
revision : SECURITY_ACL_REVISION_NT4 (2)
size : 0x015c (348)
num_aces : 0x0000000d (13)
aces: ARRAY(13)
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-9
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-18
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-519
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-11
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-0
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00080000 (524288)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-1
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-9
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-18
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-519
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-11
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: VFS ACL on GPO directory
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;ED)(A;;0x00120089;;;SY)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;SY)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
from GPO object
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
line 245, in run
lp)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1575, in checksysvolacl
direct_db_access)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1526, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1476, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_db_access),
path, fsacl_sddl, acl))
-----------------------
*** Olivier BILHAUT
*** Service Informatique
*** Fondation de la Miséricorde
*** Email : o.bilhaut at fondation-misericorde.fr
*** Tel : 02.31.38.50.50
*** Fax : 02.31.38.50.00
On 26/10/2012 11:48, Andrew Bartlett wrote:
> On Fri, 2012-10-26 at 09:36 +0200, Olivier BILHAUT wrote:
>> Hi Andrew, Hi Alex,
>>
>> Pleased to see that you figured this out.
>> We've got exactly the same problem from a blank provisioned domain (not
>> a migration), with a setup with 2 gpo. (Ubuntu 12.04 - S4 rc3).
>> Since our instance is in a semi-production environment, we'll wait for
>> your fix. But if needed, we could give you more level 10 logs.
>>
>> Note that when the sysvolreset is launched and that sysvolcheck returns
>> no errors, then the windows clients can't "gpupdate" anymore on some gpo.
>> Note also that when sysvolreset isn't launched at S4 update, the
>> sysvolcheck command returns Alex's error but the client can update
>> their gpo.
> This I think is the umask issue I addressed with this patch. A
> sysvolreset with this patch applied should fix that. steve noticed that
> permissions were missing from the posix ACL that was generated.
>
> (this patch is in master)
>
> Andrew Bartlett
>
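Added example, not part of the original post or of Samba's own code: the two SDDL strings from the ProvisioningError above, parsed and compared per trustee to show which allow rights the filesystem ACL lacks relative to the value expected from the GPO object. Function names are assumptions, the rights-code table is a small subset, and only allow ACEs in the DACL are evaluated (both DACLs here contain nothing else).

```python
import re

# SDDL strings copied from the ProvisioningError quoted in the post.
ACTUAL = (
    "O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)"
    "(A;;0x00120089;;;ED)(A;;0x00120089;;;SY)(A;;0x00120089;;;DA)"
    "(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;SY)"
    "(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)")
EXPECTED = (
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

# Subset of SDDL rights codes, enough for file-system DACLs like these.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "WO": 0x80000, "WD": 0x40000, "RC": 0x20000, "SD": 0x10000}
SDDL_RE = re.compile(
    r"^O:(?P<owner>S-[0-9-]+|[A-Z]{2})G:(?P<group>S-[0-9-]+|[A-Z]{2})"
    r"D:(?P<dflags>(?:P|AR|AI)*)(?P<dacl>(?:\([^)]*\))*)"
    r"(?:S:(?:P|AR|AI)*(?:\([^)]*\))*)?$")  # SACL accepted but not evaluated

def parse_mask(text):
    """Accept a hex mask (0x...) or concatenated two-letter rights codes."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]  # KeyError on a code outside the table
    return mask

def parse_sddl(sddl):
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("dacl")):
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")
        aces.append((ace_type, set(re.findall("..", flags)),
                     parse_mask(rights), trustee))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": set(re.findall("P|AR|AI", m.group("dflags"))),
            "aces": aces}

def allowed(aces):
    """Per-trustee allow masks: on the directory itself, and inheritable."""
    on_dir, inherit = {}, {}
    for ace_type, flags, mask, trustee in aces:
        if ace_type != "A":
            continue
        if "IO" not in flags:          # inherit-only ACEs skip the object
            on_dir[trustee] = on_dir.get(trustee, 0) | mask
        if flags & {"OI", "CI"}:       # propagates to files / subdirectories
            inherit[trustee] = inherit.get(trustee, 0) | mask
    return on_dir, inherit

def gaps(want, have):
    """Rights each trustee holds in `want` that are absent from `have`."""
    out = {t: m & ~have.get(t, 0) for t, m in want.items()}
    return {t: g for t, g in out.items() if g}

def compare(actual_sddl, expected_sddl):
    act, exp = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    (act_dir, act_inh), (exp_dir, exp_inh) = allowed(act["aces"]), allowed(exp["aces"])
    return {"owner_group_match": (act["owner"], act["group"]) == (exp["owner"], exp["group"]),
            "dacl_flags_missing": sorted(exp["dacl_flags"] - act["dacl_flags"]),
            "missing_on_directory": gaps(exp_dir, act_dir),
            "missing_inherited": gaps(exp_inh, act_inh),
            "extra_inherited": gaps(act_inh, exp_inh)}

if __name__ == "__main__":
    for key, value in compare(ACTUAL, EXPECTED).items():
        if isinstance(value, dict):
            value = {t: hex(m) for t, m in value.items()}
        print(key, value)
```

For AU and ED the gap on the directory is 0x20, the difference between the r-- (0x120089) and r-x (0x1200a9) mappings shown in the map_canon_ace_perms lines of the log.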