Samba4 GPO Issues

Mike Howard mike at dewberryfields.co.uk
Fri Jun 14 02:29:58 MDT 2013


Hi All,

I'm having problems with the Default GPO in that it can't be applied. 
I'm using Samba version 4.0.5, built from Git a few months back. It's 
only the Default Domain Policy that is causing problems and has always, 
until now, been blank. Only now that it is no longer empty, the problem 
has become apparent. Other GPOs are applied OK.

The error from a Win XP client is:

Windows cannot access the file gpt.ini for GPO 
cn={BD961E94-0103-437A-B37D-2A0D67B76FA7},cn=policies,cn=system,DC=mydomain,DC=co,DC=uk. 
The file must be present at the location 
<\\mydomain\SysVol\mydomain.co.uk\Policies\{BD961E94-0103-437A-B37D-2A0D67B76FA7}\gpt.ini>. 
(Access is denied. ). Group Policy processing aborted.

I've tried to match up the permissions using 'setfacl' (using a working 
GPO as the template), I've even tried chmod -R 777, just to see if 
access really is the issue, but still no go.

'samba-tool gpo aclcheck' gives me:

ERROR: Invalid GPO ACL
O:DAG:DAD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)(A;OICIIO;;;;WD)
on path (mydomain.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}), should be
O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)

but I can't see in samba-tool how to fix this.

I would be happy to delete and recreate the GPO, but Windows tools tell 
me that 'The server is unwilling to process the request' and 'samba-tool 
gpo del {31B2F340-016D-11D2-945F-00C04FB984F9}' gives me:

ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <00002035: objectclass: Cannot delete CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=co,DC=uk, it isn't permitted!> <>
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 1083, in run
    self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))

Anybody any ideas?

Cheers,

-- 
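
Added example (not part of the original post and not Samba code): a Python sketch that parses the two SDDL strings quoted from 'samba-tool gpo aclcheck' above and lists how the ACL on the GPO directory differs from the expected one. The function names are hypothetical, and comparing the ACEs without regard to order is an assumption of this example.

```python
import re
from collections import Counter

# Both strings are copied from the 'samba-tool gpo aclcheck' output in the post.
ACTUAL = (
    "O:DAG:DAD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)"
    "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;;0x001f01ff;;;DA)"
    "(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)(A;OICIIO;;;;WD)"
)
EXPECTED = (
    "O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)"
    "(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)"
)
FULL_CONTROL = 0x001F01FF  # access mask FILE_ALL_ACCESS


def parse_sddl(sddl):
    """Split an 'O:..G:..D:..' SDDL string into owner, group, DACL flags, ACEs."""
    m = re.match(r"O:(.*?)G:(.*?)D:([A-Z]*)((?:\([^)]*\))*)$", sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    owner, group, flags, aces = m.groups()
    return {
        "owner": owner,
        "group": group,
        # P = protected DACL, AR = auto-inherit requested, AI = auto-inherited
        "flags": set(re.findall(r"AR|AI|P", flags)),
        # each ACE: (type, ace_flags, rights, object_guid, inherit_guid, sid)
        "aces": [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", aces)],
    }


def diff_acl(actual, expected):
    """Report how the on-disk ACL differs from the expected one (order ignored)."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    have, want = Counter(a["aces"]), Counter(e["aces"])
    return {
        "owner_group_ok": (a["owner"], a["group"]) == (e["owner"], e["group"]),
        "missing_flags": e["flags"] - a["flags"],
        "extra_aces": sorted((have - want).elements()),  # includes duplicates
        "missing_aces": sorted((want - have).elements()),
        "everyone_full_control": [x for x in a["aces"] if x[5] == "WD"
                                  and x[2] and int(x[2], 16) == FULL_CONTROL],
    }


if __name__ == "__main__":
    for key, value in diff_acl(ACTUAL, EXPECTED).items():
        print(key, "=", value)
```

For the two strings in the post, every expected ACE is present; the differences are the missing P and AR control flags and five ACEs beyond the expected set, one of which grants Everyone (WD) full control on the directory itself.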


