[Samba] Error in samba-tool ntacl sysvolcheck

bd730c5053df9efb bd730c5053df9efb at proton.me
Thu Oct 19 15:27:47 UTC 2023


Hi!

I executed the command "samba-tool ntacl sysvolcheck" on a DC and got the following, pasted below. The first DC was provisioned by migrating from a Samba NT4 PDC with an LDAP backend using the classic upgrade procedure. I haven't detected any problem, but I wanted to make sure there isn't any problem I might not be seeing yet.

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.com/Policies/{725C8FA6-3CC1-4A37-9C70-4DE6C4793F53} O:DAG:DAD:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1039)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1054)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21
-2172607237-3276034063-696894390-1152)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1305)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1390)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1536)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1578)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-21970)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-22166) from GPO object
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 230, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 449, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
    check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Thanks in advance.
Best regards,
Dave.
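
Added example, not part of the original post and not Samba's own code: a small SDDL diff that shows where the on-disk ACL and the expected value in an error like the one above differ (DACL flags and ACEs). The sample strings are constructed (shortened, with a made-up domain SID), and `parse_sddl` / `diff_sddl` are hypothetical helper names.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid trustee")
SDDL = re.compile(
    r"^O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<flags>[A-Z]*)"
    r"(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(text):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = SDDL.match(text.strip())
    if m is None:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:  # conditional/resource ACEs are out of scope here
            raise ValueError(f"unsupported ACE: ({body})")
        aces.append(Ace(*fields))
    # DACL flags: P = protected, AR = auto-inherit requested, AI = auto-inherited
    return {"owner": m["owner"], "group": m["group"],
            "flags": set(re.findall(r"AR|AI|P", m["flags"])), "aces": aces}

def diff_sddl(on_disk, expected):
    """Report what differs between two SDDL strings, ignoring ACE order."""
    a, e = parse_sddl(on_disk), parse_sddl(expected)
    return {
        "owner_group_match": (a["owner"], a["group"]) == (e["owner"], e["group"]),
        "flags_only_on_disk": a["flags"] - e["flags"],
        "flags_only_expected": e["flags"] - a["flags"],
        "aces_only_on_disk": [x for x in a["aces"] if x not in e["aces"]],
        "aces_only_expected": [x for x in e["aces"] if x not in a["aces"]],
    }

# Constructed sample: shortened from the shape of the two strings in the
# message, with a made-up domain SID (S-1-5-21-1-2-3) in place of the real one.
DOM = "S-1-5-21-1-2-3"
COMMON = ("(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)"
          f"(A;OICI;0x001200a9;;;{DOM}-1039)(A;OICI;0x001f01ff;;;DA)")
ON_DISK = "O:DAG:DAD:PAI" + COMMON
EXPECTED = ("O:DAG:DAD:PAR" + COMMON +
            f"(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;{DOM}-1039)")

if __name__ == "__main__":
    for key, value in diff_sddl(ON_DISK, EXPECTED).items():
        print(f"{key}: {value}")
```

To compare the real values, pass the string before "does not match expected value" as `on_disk` and the string after it (up to "from GPO object") as `expected`.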



