[Samba] DC2 denies access when saving through the Group Policy Management Co

Mirco MEGAS micromegas at mail333.com
Sat Nov 1 13:21:38 MDT 2014


> Rowland wrote:
> You can check the ACL's on sysvol with:
> samba-tool ntacl sysvolcheck
Hi Rowland,

when I execute that command on either DC1 or DC2 I get the following uncaught exception error :-(

$ samba-tool ntacl sysvolcheck
ERROR(): uncaught exception - ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/mydom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Documents & Settings/fdeploy.ini O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1634, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

Why is that? Do I have to worry about this error? Is this a known bug or something like that? I am running Samba 4.1.12/sernet on Debian Wheezy.

> You are using winbind on the server, it is either built into the samba 
> daemon, or if you are running 4.2, it is now called 'winbindd' and is 
> started by the samba daemon.

As I am on 4.1.12, I am still using the old built-in version of winbind. My /etc/default/sernet-samba is set to "ad" mode and "ps aux |grep -i winbind" returns no output, so I don't see any winbind process. I hope that's OK and normal behaviour.

> I think that your problem is that when you join another DC to the 
> domain, idmap.ldb is not replicated, so when you sync sysvol from the 
> first DC to the second the 'xidnumbers' i.e. '3000000' do not match what 
> is in idmap.ldb on the second DC, so the permissions are not correct, 
> the cure is to copy idmap.ldb from the first DC to any other DC's.
I cannot imagine why, because according to the wiki (I read it somewhere in the tutorial when I configured DC2) I did manually copy the mentioned idmap.ldb from dc1 to dc2. But right now I checked the two files and they were different (I ran "diff idmap.ldb.from.dc1 idmap.ldb.from.dc2" after copying them into a temporary directory). So I again copied the file dc1:/var/lib/samba/private/idmap.ldb to dc2:/var/lib/samba/private/idmap.ldb to ensure they are both the same.

After that action I rechecked, but the problem still exists. I can describe the issue in more detail: I can create a new GPO on DC1 and name it "new-test-gpo-created-on-dc1". Inside this GPO I choose the setting "something" and ENABLE it. After 5 minutes this GPO is replicated to DC2. I see the change there.

When I connect to DC2 through GPMC and create a new GPO called "new-test-gpo-created-on-dc2", set the configuration "foobar" to DISABLE and wait 5 minutes, then this GPO "new-test-gpo-created-on-dc2" cannot be edited on DC1 or DC2. I get the error "System cannot find the specified path" (Note: I translated this into English myself, so this might not be the original error message).

I guess that the problem is related to the unison bidirectional sync I configured according to https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication
The logfile created by sysvol-sync looks like this:

[...]
2014/11/01 20:10:02 [27755] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Documents & Settings/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/Logoff/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/Logon/
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
2014/11/01 20:10:02 [27755] sent 7802 bytes  received 50 bytes  5234.67 bytes/sec
2014/11/01 20:10:02 [27755] total size is 0  speedup is 0.00
UNISON 2.40.65 started propagating changes at 20:10:02.45 on 01 Nov 2014
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
[BGN] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI from /var/lib/samba to //dc2//var/lib/samba
[END] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI
[BGN] Copying sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol from /var/lib/samba to //dc2//var/lib/samba
/usr/bin/rsync -XAavz --rsh='ssh -p 22' --inplace --compress '/var/lib/samba/sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol' 'root at dc2:'\''/var/lib/samba/sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/.unison.Registry.pol.a3c7ed9ae723707cd04ca2e02a97e300.unison.tmp'\'''
[END] Copying sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol
UNISON 2.40.65 finished propagating changes at 20:10:02.60 on 01 Nov 2014
Synchronization complete at 20:10:02  (2 items transferred, 3 skipped, 0 failed)
  skipped: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
  skipped: sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
  skipped: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
2014/11/01 20:15:02 [27956] building file list
2014/11/01 20:15:02 [27956] done
2014/11/01 20:15:02 [27956] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/
2014/11/01 20:15:02 [27956] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
2014/11/01 20:15:02 [27956] sent 5902 bytes  received 18 bytes  3946.67 bytes/sec
2014/11/01 20:15:02 [27956] total size is 0  speedup is 0.00
UNISON 2.40.65 started propagating changes at 20:15:02.29 on 01 Nov 2014
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
[BGN] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI from /var/lib/samba to //dc2//var/lib/samba
[END] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI
UNISON 2.40.65 finished propagating changes at 20:15:02.30 on 01 Nov 2014
Synchronization complete at 20:15:02  (1 item transferred, 3 skipped, 0 failed)
  skipped: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
  skipped: sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
  skipped: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}

Mirco.
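An added example (not part of Mirco's post or of Samba's own code): a Python script that parses the two SDDL descriptors quoted in the sysvolcheck error above and reports how the on-disk ACL differs from the one stored on the GPO object, so the mismatch becomes readable: different owner and group, the missing P (protected) DACL flag and OICI inheritance flags, Builtin Administrators (BA) granted on disk but not on the object, and Creator Owner (CO) missing on disk. The SDDL layout follows the standard format; the helper names are mine.

```python
"""Parse the SDDL pair from a 'samba-tool ntacl sysvolcheck' mismatch and report how the file-system ACL differs from the GPO object's ACL."""
import re
from collections import defaultdict

ACE_RE = re.compile(r'\(([^)]*)\)')
# The two descriptors quoted in the error message above: file system first, GPO object second.
FS_ACL = ('O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)'
          '(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)')
GPO_ACL = ('O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)'
           '(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)')

def parse_sddl(sddl):
    """Split SDDL into owner ('O'), group ('G') and DACL ('D' -> (flags, [ACE tuples])).
    Section markers O:/G:/D:/S: are only recognised outside parentheses."""
    parts, key, depth, i = {}, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in 'OGDS' and sddl[i + 1:i + 2] == ':':
            key, i = ch, i + 2
            parts[key] = ''
            continue
        if key is None:
            raise ValueError('SDDL must start with O:, G:, D: or S:')
        depth += (ch == '(') - (ch == ')')
        parts[key] += ch
        i += 1
    result = {'O': parts.get('O', ''), 'G': parts.get('G', ''), 'D': ('', [])}
    if 'D' in parts:  # ACE fields: type;flags;rights;object_guid;inherit_guid;sid
        flags = parts['D'].split('(', 1)[0]
        result['D'] = (flags, [tuple(a.split(';')) for a in ACE_RE.findall(parts['D'])])
    return result

def by_trustee(aces):
    """Group ACEs by trustee SID; duplicate ACEs (the GPO value lists DA twice) collapse."""
    view = defaultdict(set)
    for ace_type, flags, rights, _obj, _inh, sid in aces:
        view[sid].add((ace_type, flags, rights.lower()))
    return dict(view)

def diff_sddl(actual, expected):
    """Report owner/group/DACL-flag mismatches and per-trustee ACE differences."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = {k: (a[k], e[k]) for k in ('O', 'G') if a[k] != e[k]}
    if a['D'][0] != e['D'][0]:
        report['dacl_flags'] = (a['D'][0], e['D'][0])
    av, ev = by_trustee(a['D'][1]), by_trustee(e['D'][1])
    report['only_in_fs'] = sorted(set(av) - set(ev))   # trustees the GPO object never grants
    report['only_in_gpo'] = sorted(set(ev) - set(av))  # trustees missing on the file system
    report['changed'] = {s: (sorted(av[s]), sorted(ev[s])) for s in sorted(av) if s in ev and av[s] != ev[s]}
    return report
```

Run diff_sddl(FS_ACL, GPO_ACL) to get the report as a dict; an identical pair yields empty lists and no owner, group or flag entries.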

