[Samba] sysvol acl's broken beyond repair

mourik jan heupink heupink at merit.unu.edu
Sat Oct 3 08:54:14 UTC 2015


This very same issue was discussed here a few weeks ago.

Consensus seemed to be: this can be ignored, because many of us (if not 
all?) see this. Perhaps search the archive to check that you are seeing 
the exact same issue.

Hope that helps.
MJ

On 10/03/2015 01:50 AM, Krutskikh Ivan wrote:
> Hi everyone.
>
> I ran into the notorious gpo error on windows clients. When I go to my dc
> controller and run
> samba-tool ntacl sysvolcheck
>
> I get an error:
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/tsnr.mtt/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
> 249, in run
>      lp)
>    File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1730, in checksysvolacl
>      direct_db_access)
>    File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1681, in check_gpos_acl
>      domainsid, direct_db_access)
>    File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1628, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
>
> I assume that is the problem. Now I try to fix it with
>
> samba-tool ntacl sysvolreset
>
> It finishes with no output or errors, but if I run sysvolcheck once again,
> the same problem is still there, not to mention that gpo's are still not
> working.
>
> My samba version is 4.2.0, the setup is a bit complicated since I use samba
> in a lxc container on a zfs fs (although posixacls are supported and common
> tasks such as domain provision, logon, dns and even gpo upon first
> modifications work)
>
> How can I fix this error or should I rebuild my domain from scratch?
>
> Thanks in advance!
>
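
The two SDDL strings in the quoted sysvolcheck error are hard to compare by eye. The following is an added example, not part of the thread and not Samba's code, that parses both and reports which components differ. The names `parse_sddl` and `diff_sddl` are hypothetical, and the parser assumes the `O:`/`G:`/`D:` layout seen in this error (no SACL).

```python
import re
from collections import Counter

# Both strings are copied from the sysvolcheck error quoted in this thread.
FS_ACL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
GPO_ACL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# A SID in SDDL is a two-letter alias (DA, LA, SY, ...) or a literal S-1-... string.
SID = r"(?:[A-Z]{2}|S-[0-9-]+)"
SDDL_RE = re.compile(rf"^O:({SID})G:({SID})D:([A-Z]*)((?:\([^()]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    owner, group, dacl_flags, ace_blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^()]*)\)", ace_blob):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = tuple(body.split(";"))
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(fields)
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}

def diff_sddl(actual, expected):
    """Return only the components that differ, as (actual, expected) pairs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diff = {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]}
    # Counter keeps duplicates; this ACL lists the DA full-control ACE twice.
    extra = Counter(a["aces"]) - Counter(e["aces"])
    missing = Counter(e["aces"]) - Counter(a["aces"])
    if extra:
        diff["aces_only_in_actual"] = sorted(extra.elements())
    if missing:
        diff["aces_only_in_expected"] = sorted(missing.elements())
    if not extra and not missing and a["aces"] != e["aces"]:
        diff["ace_order"] = True  # same ACEs, different order
    return diff

if __name__ == "__main__":
    print(diff_sddl(FS_ACL, GPO_ACL))
```

For the strings in this thread the only reported difference is the owner: `LA` (the built-in Administrator account) on the filesystem versus `DA` (Domain Admins) expected from the GPO object.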


