[Samba] GPO Editor leads to wrong ACL entries in sysvol?

Pluess, Tobias tpluess at ieee.org
Mon Jan 8 19:11:56 UTC 2024


Good day,

I just noticed today that, whenever I use the GPO editor, the

samba-tool ntacl sysvolcheck

reports lots of errors. I can then fix them, using

samba-tool ntacl sysvolreset

and then it stays OK, until I use the GPO editor the next time, then
the permissions/ACLs are again screwed up. Why is this? Is it OK to leave
it as-is or shall I regularly run the sysvolcheck? At least I noticed, so
far, no problems with the GPOs as they seem to be applied correctly. I even
made a report using

gpresult /h gpo.html

on a Windows 10 machine that is joined to the Samba AD DC; the reported
GPOs are correct and correspond exactly to what I expect. Therefore I am
confused why this sysvolcheck prints an error message. I have pasted below
one example of the error that is reported by sysvolcheck.

Thanks,
best
Tobias



# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.example.org/Policies/{1F808146-306E-4E68-8737-EC41AAD74842}
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
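
An added example, not part of the original post and not Samba code: a small Python SDDL comparison that shows exactly which ACEs differ between the on-disk ACL and the expected value in the error above. The names `parse_sddl` and `diff_sddl` are made up for this illustration, and the parser assumes the `O:…G:…D:…` layout seen here, with no SACL.

```python
import re
from collections import Counter

# The two SDDL strings from the sysvolcheck error quoted above.
ON_DISK = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

# Assumed layout: owner, group, DACL flags, then zero or more (ACE) groups.
SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^()]*\))*)")

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, [ACE tuples]); no SACL support."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported or malformed SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        fields = tuple(body.split(";"))
        if len(fields) != 6:  # type;flags;rights;object_guid;inherit_guid;trustee
            raise ValueError("unexpected ACE: (%s)" % body)
        aces.append(fields)
    return m["owner"], m["group"], m["flags"], aces

def diff_sddl(actual, expected):
    """Report header mismatches and ACEs missing from / extra in `actual`."""
    a_owner, a_group, a_flags, a_aces = parse_sddl(actual)
    e_owner, e_group, e_flags, e_aces = parse_sddl(expected)
    have, want = Counter(a_aces), Counter(e_aces)  # Counter keeps duplicate ACEs
    fmt = lambda c: sorted("(%s)" % ";".join(a) for a in c.elements())
    return {
        "header_differs": (a_owner, a_group, a_flags) != (e_owner, e_group, e_flags),
        "missing": fmt(want - have),
        "extra": fmt(have - want),
    }

if __name__ == "__main__":
    for key, value in diff_sddl(ON_DISK, EXPECTED).items():
        print(key, value)
```

On the two quoted strings this reports one missing ACE and nothing else: the object ACE for AU with GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939, which is the Apply-Group-Policy extended right.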
