Samba 4.0 ntacl sysvolcheck
Gémes Géza
geza at kzsdabas.hu
Sat Dec 29 09:21:56 MST 2012
Hi,
Today I've (finally) upgraded our production DCs from rc3 to 4.0 and,
hoping to fix some sysvol ACLs, ran samba-tool ntacl sysvolreset on them
(which went fine, without errors), and after that an ntacl sysvolcheck,
which produced (on both DCs):
# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/kzsdabas.hu/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1599, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1550, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1500, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
I've added acl:search = false to the smb.conf, have log level = 0 and
am using a bind dlz backend; the rest is at the default values.
The domain was created by a classicupgrade at beta8 then upgraded to
various rc levels (the last one being rc3) from which today it was
upgraded to 4.0 final.
Please tell me if you need more detail.
Thank you in advance!
Cheers
Geza Gemes
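
Added example (not part of the original post, and not Samba's own code): a small Python helper that splits the two SDDL strings from the error above into owner, group, DACL flags and ACEs, and reports which components differ. The function names and the alias table are assumptions made for this illustration.

```python
import re

# Both SDDL strings are copied from the sysvolcheck error in the post.
ACTUAL_SDDL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Well-known SDDL SID aliases that occur in these two strings.
ALIASES = {"LA": "Administrator account (RID 500)", "DA": "Domain Admins",
           "DU": "Domain Users", "EA": "Enterprise Admins", "CO": "Creator Owner",
           "SY": "Local System", "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

_SECTIONS = re.compile(r"^(?:O:(?P<owner>.+?))?(?:G:(?P<group>.+?))?"
                       r"(?:D:(?P<dacl>.*?))?(?:S:(?P<sacl>.*))?$")
ACE_FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE dicts."""
    m = _SECTIONS.match(sddl)
    if m is None:
        raise ValueError("not an SDDL string: %r" % sddl)
    dacl = m.group("dacl") or ""
    aces = [dict(zip(ACE_FIELDS, body.split(";")))
            for body in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": dacl.split("(", 1)[0], "aces": aces}

def diff_sddl(actual, expected):
    """Return (component, actual, expected) for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(k, a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]]
    for i in range(max(len(a["aces"]), len(e["aces"]))):  # ACE order matters
        ace_a = a["aces"][i] if i < len(a["aces"]) else None
        ace_e = e["aces"][i] if i < len(e["aces"]) else None
        if ace_a != ace_e:
            diffs.append(("ace[%d]" % i, ace_a, ace_e))
    return diffs

def describe(alias):
    return "%s (%s)" % (alias, ALIASES.get(alias, "SID or unknown alias"))

if __name__ == "__main__":
    for name, got, want in diff_sddl(ACTUAL_SDDL, EXPECTED_SDDL):
        print("%s: on disk %s, expected %s" % (name, describe(got), describe(want)))
```

For the two strings in the error, the only differing component is the owner: LA on disk versus DA expected.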