[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)

L.P.H. van Belle belle at bazuin.nl
Wed Jun 17 01:15:59 MDT 2015 

Hai, 
 
im running samba 4.2.2 sernet on debian. 
 
when i run : 
samba-tool gpo aclcheck -UAdministrator 
 
im getting : 
ERROR: Invalid GPO ACL 
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
and it tells me it should be
O:DAG:DAD:P  (A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
 
the only difference : O:DAG:DAD:PAI   <>  O:DAG:DAD:P 
 
the strange thing.  it complains about  something.else.tld\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}
 
checked the rights. 
getfacl \{EAF212FE-4718-4693-BD18-6B4FC8A0513A\}/
 
# file: {EAF212FE-4718-4693-BD18-6B4FC8A0513A}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:3000002:rwx
user:3000003:r-x
user:enterprise\040admins:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:enterprise\040admins:rwx
group:domain\040admins:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:enterprise\040admins:rwx
default:user:domain\040admins:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:enterprise\040admins:rwx
default:group:domain\040admins:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

and on an other folder
 getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:3000002:rwx
user:3000003:r-x
user:enterprise\040admins:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:enterprise\040admins:rwx
group:domain\040admins:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:enterprise\040admins:rwx
default:user:domain\040admins:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:enterprise\040admins:rwx
default:group:domain\040admins:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

 
both have same rights, but only 1 is complaining about incorrect setting.. 
 
And this was AFTER  running : 
samba-tool gpo aclcheck
ERROR: Error connecting to 'dc1.something.else.tld' using SMB

samba-tool gpo aclcheck -UAdministrator
Password for [SOMETHING\Administrator]:
ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)
(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on path (rotterdam.bazuin.nl\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}), 
should be 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

did we hit a bug here? i done see whats wrong, and all is working as it should. 
 
Greetz, 
 
Louis
 
 

More information about the samba mailing list