[Samba] Error in samba-tool ntacl sysvolcheck

Stefan Kania stefan at kania-online.de
Thu Oct 19 16:08:16 UTC 2023 

That's not a problem its just a ACL provisioning message as you can see 
the result was "DAG:DAD:PAI" but expected was "O:DAG:DAD:PAR" that's 
"normal" ;-) just ignore it or do a "samba-tool ntacl sysvolreset"

Am 19.10.23 um 17:27 schrieb bd730c5053df9efb via samba:
> Hi!
> 
> I executed the command "samba-tool ntacl sysvolcheck" on a DC and I got the following I pasted below. The first DC was provisioned migrating from a samba NT4 PDC with an LDAP backend using the classic upgrade procedure. I haven't detected any problem but I wanted to make sure there isn't any problem I might not be seeing yet.
> 
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.com/Policies/{725C8FA6-3CC1-4A37-9C70-4DE6C4793F53} O:DAG:DAD:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:
>   DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1039)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1054)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1
>   -5-21-2172607237-3276034063-696894390-1152)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1305)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1390)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1536)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1578)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-21970)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-22166) from GPO object
>    File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 230, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 449, in run
>      provision.checksysvolacl(samdb, netlogon, sysvol,
>    File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
>      check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>    File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
>      check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>    File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
> Thanks in advance.
> Best regards,
> Dave.
>

More information about the samba mailing list