[Samba] SYSVOL ACLs and GPOs
Andrew Bartlett
abartlet at samba.org
Fri Oct 26 04:20:40 MDT 2012
On Fri, 2012-10-26 at 11:09 +0100, Alex Matthews wrote:
> On 26/10/2012 11:03, Andrew Bartlett wrote:
> > On Fri, 2012-10-26 at 10:44 +0100, Alex Matthews wrote:
> >
> >> I'm assuming because of the way I laid my directory tree out I could
> >> also just provision as normal and run the tests? Just makes it difficult
> >> to "un-provision".
> >>
> >> I did a bit of testing last night and sysvolcheck returns no errors
> >> until the point that run the gpmc.msc on the XP domain member and click
> >> ok to "fix" the inconsistent ACLs. At that point it returns the same
> >> error. Running sysvolreset does not fix it either.
> > OK. This is more interesting. Can you show me first the output, and
> > then the level 10 log of that sysvolcheck command?
> >
> > I'm particularly curious that a sysvolreset can't fix it.
> >
> > A network capture of what gpmc does may be instructive also.
> >
> >> This is true, atleast, for the master branch, I haven't tested the
> >> aclfix branch yet.
> > OK.
> >
> > Given this info on the essential components involved (running gpmc.msc
> > once seems key), I think I have the steps to reproduce this here, which
> > I'll try tonight or tomorrow.
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
>
> # bin/samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: VFS ACL on GPO directory
> /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;ED)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY)
> does not match expected value
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> from GPO object
> File
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 245, in run
> lp)
> File
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1574, in checksysvolacl
> direct_db_access)
> File
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1526, in check_gpos_acl
> domainsid, direct_db_access)
> File
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1476, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' % (acl_type(direct_db_access),
> path, fsacl_sddl, acl))
>
>
> Level 10 sysvolcheck log: http://pastebin.com/QBHTKkqL
>
> Do you want a wireshark packet log of GPMC or a samba level 10 log?
Both if possible, please.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list