[PATCH] Re: [Samba] SYSVOL ACLs and GPOs

Luiz Gustavo dos S. Costa luizgustavo at mundounix.com.br
Sun Oct 28 21:03:25 MDT 2012 

---------- Forwarded message ----------
From: Luiz Gustavo dos S. Costa <luizgustavo at mundounix.com.br>
Date: 2012/10/29
Subject: Re: [PATCH] Re: [Samba] SYSVOL ACLs and GPOs
To: Andrew Bartlett <abartlet at samba.org>


2012/10/28 Andrew Bartlett <abartlet at samba.org>:
> On Sun, 2012-10-28 at 15:59 -0200, Luiz Gustavo dos S. Costa wrote:
>> Hi Andrew,
>>
>> more other error with this patch ... LOL...
>>
>> root at samba4:/usr/local/samba # bin/samba-tool ntacl sysvolcheck -d3
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> params.c:pm_process() - Processing configuration file
>> "/usr/local/samba/etc/smb.conf"
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> max_open_files: increasing sysctl_max (3405) to minimum Windows limit (16384)
>> rlimit_max: increasing rlimit_max (3405) to minimum Windows limit (16384)
>> params.c:pm_process() - Processing configuration file
>> "/usr/local/samba/etc/smb.conf"
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[devel]"
>> Processing section "[publico]"
>> ldb_wrap open of idmap.ldb
>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (87,
>> 'Attribute not found')
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 245, in run
>>     lp)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1574, in checksysvolacl
>>     direct_db_access)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1526, in check_gpos_acl
>>     domainsid, direct_db_access)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1473, in check_dir_acl
>>     fsacl = getntacl(lp, path, direct_db_access=direct_db_access)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
>> line 73, in getntacl
>>     xattr.XATTR_NTACL_NAME)
>
> My guess is that one of the files in sysvol doesn't have an NT ACL set.
>
> bin/samba-tool ntacl sysvolreset
>
> should fix that.

Thanks Andrew,

I did exactly as you suggested .. apparently the problem has evolved.
I put everything in tinypaste.

http://tny.cz/0ec346e9

In resume, this is the error:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: VFS ACL on GPO directory
/usr/local/samba/var/locks/sysvol/ad.mundounix.com.br/Policies/{F8562CF5-518A-4E06-9BAA-8B2135F8624C}
O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;;0x00120089;;;ED)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
from GPO object
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
line 245, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1574, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1526, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1476, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' %
(acl_type(direct_db_access), path, fsacl_sddl, acl))


>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>



--
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: contato at mundounix.com.br
Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
Blog: http://www.luizgustavo.pro.br

More information about the samba-technical mailing list