[Samba] SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Fri Oct 26 04:20:40 MDT 2012


On Fri, 2012-10-26 at 11:09 +0100, Alex Matthews wrote:
> On 26/10/2012 11:03, Andrew Bartlett wrote:
> > On Fri, 2012-10-26 at 10:44 +0100, Alex Matthews wrote:
> >
> >> I'm assuming because of the way I laid my directory tree out I could
> >> also just provision as normal and run the tests? Just makes it difficult
> >> to "un-provision".
> >>
> >> I did a bit of testing last night and sysvolcheck returns no errors
> >> until the point that I run the gpmc.msc on the XP domain member and click
> >> ok to "fix" the inconsistent ACLs. At that point it returns the same
> >> error. Running sysvolreset does not fix it either.
> > OK.  This is more interesting.  Can you show me first the output, and
> > then the level 10 log of that sysvolcheck command?
> >
> > I'm particularly curious that a sysvolreset can't fix it.
> >
> > A network capture of what gpmc does may be instructive also.
> >
> >> This is true, at least, for the master branch, I haven't tested the
> >> aclfix branch yet.
> > OK.
> >
> > Given this info on the essential components involved (running gpmc.msc
> > once seems key), I think I have the steps to reproduce this here, which
> > I'll try tonight or tomorrow.
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> 
> # bin/samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
> ProvisioningError: VFS ACL on GPO directory 
> /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;ED)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY) 
> does not match expected value 
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) 
> from GPO object
>    File 
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
> line 245, in run
>      lp)
>    File 
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1574, in checksysvolacl
>      direct_db_access)
>    File 
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1526, in check_gpos_acl
>      domainsid, direct_db_access)
>    File 
> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1476, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not 
> match expected value %s from GPO object' % (acl_type(direct_db_access), 
> path, fsacl_sddl, acl))
> 
> 
> Level 10 sysvolcheck log: http://pastebin.com/QBHTKkqL
> 
> Do you want a wireshark packet log of GPMC or a samba level 10 log?

Both if possible, please.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
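
The two SDDL strings in the sysvolcheck error above are hard to compare by eye. The following added example (not part of the original thread and not Samba's own code) splits each string into owner, group, ACL flags and ACEs and reports the differences; the function names `parse_sddl` and `diff_sddl` are hypothetical.

```python
import re
from collections import Counter

# Both SDDL strings are copied from the sysvolcheck error quoted above.
ACTUAL = (  # VFS ACL found on the GPO directory
    "O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;ED)"
    "(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)"
    "(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY)"
)
EXPECTED = (  # expected value from the GPO object
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

def parse_sddl(sddl):
    """Split SDDL into owner (O), group (G) and (flags, [ACE, ...]) for D and S."""
    parsed = {}
    # The capture group keeps the tags: ['', 'O', 'DA', 'G', 'DU', 'D', 'P(...)', ...].
    # Assumes no ':' inside an ACE, which holds for both strings here.
    tokens = re.split(r"([OGDS]):", sddl)
    for tag, body in zip(tokens[1::2], tokens[2::2]):
        if tag in "OG":
            parsed[tag] = body
        else:
            parsed[tag] = (body.partition("(")[0], re.findall(r"\(([^)]*)\)", body))
    return parsed

def diff_sddl(actual, expected):
    """Report owner/group changes and, per ACL, flag changes and ACE differences."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = {t: (a.get(t), e.get(t)) for t in "OG" if a.get(t) != e.get(t)}
    for tag in "DS":
        (a_flags, a_aces), (e_flags, e_aces) = a.get(tag, ("", [])), e.get(tag, ("", []))
        have, want = Counter(a_aces), Counter(e_aces)  # Counter keeps duplicate ACEs
        report[tag] = {
            "flags": (a_flags, e_flags),
            "unexpected": sorted((have - want).elements()),
            "missing": sorted((want - have).elements()),
        }
    return report

if __name__ == "__main__":
    for tag, detail in diff_sddl(ACTUAL, EXPECTED).items():
        print(tag, detail)
```

On these two strings the owner and group match, the directory's DACL lacks the `P` (protected) flag, ten of its ACEs are not in the expected value, four expected ACEs are absent, and the directory ACL string carries no `S:` part at all.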
