Samba4 GPO Issues

Mike Howard mike at dewberryfields.co.uk
Fri Jun 14 02:54:44 MDT 2013


On 14/06/2013 09:29, Mike Howard wrote:
> Hi All,
>
> I'm having problems with the Default GPO in that it can't be applied. 
> I'm using samba Version 4.0.5, built from Git a few months back. It's 
> only the Default Domain Policy that is causing problems and has 
> always, until now, been blank. Only now that it is no longer empty, 
> the problem has become apparent. Other GPOs are applied ok.
>
> The error from a Win XP client is;
>
> Windows cannot access the file gpt.ini for GPO 
> cn={BD961E94-0103-437A-B37D-2A0D67B76FA7},cn=policies,cn=system,DC=mydomain,DC=co,DC=uk. 
> The file must be present at the location 
> <\\mydomain\SysVol\mydomain.co.uk\Policies\{BD961E94-0103-437A-B37D-2A0D67B76FA7}\gpt.ini>. 
> (Access is denied. ). Group Policy processing aborted.
>
> I've tried to match up the permissions using 'setfacl' (using a 
> working GPO as the template), I've even tried chmod -R 777, just to 
> see if access really is the issue, but still no go.
>
> 'samba-tool gpo aclcheck' gives me;
>
> ERROR: Invalid GPO ACL 
> O:DAG:DAD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)(A;OICIIO;;;;WD) 
> on path 
> (mydomain.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}), 
> should be 
> O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)
>
> but I can't see in samba-tool how to fix this.
>
> I would be happy to delete and recreate the GPO but Windows tools 
> tell me that 'The server is unwilling to process the request' and 
> 'samba-tool gpo del {31B2F340-016D-11D2-945F-00C04FB984F9}' gives me;
>
> ERROR(ldb): uncaught exception - LDAP error 53 
> LDAP_UNWILLING_TO_PERFORM -  <00002035: objectclass: Cannot delete 
> CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=co,DC=uk, 
> it isn't permitted!> <>
>   File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", 
> line 1083, in run
>     self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))
>
> Anybody any ideas?
>
> Cheers,
>
Apologies, copy and paste error.

The Win XP error message above pertains to 
{31B2F340-016D-11D2-945F-00C04FB984F9} (the Default GPO) not 
{BD961E94-0103-437A-B37D-2A0D67B76FA7} as stated above.

-- 
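
The two SDDL strings in the `samba-tool gpo aclcheck` output quoted above can be compared ACE by ACE to see exactly where the Default Domain Policy folder deviates. The following is an added example, not part of the original post and not Samba code; the function names are hypothetical and the parser handles only the `O:..G:..D:flags(ACE)...` layout seen in this message.

```python
import re
from collections import Counter

# Both strings are copied from the aclcheck output quoted in the post.
ACTUAL = (
    "O:DAG:DAD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)"
    "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;;0x001f01ff;;;DA)"
    "(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)(A;OICIIO;;;;WD)")
EXPECTED = (
    "O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)"
    "(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)")

FULL_CONTROL = 0x001F01FF  # the full-access mask that appears in both ACLs

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, Counter of 6-field ACE tuples)."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout")
    owner, group, flags, ace_blob = m.groups()
    aces = Counter()
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        fields = tuple(body.split(";"))  # type;flags;rights;guid;guid;trustee
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces[fields] += 1
    return owner, group, flags, aces

def diff_dacl(actual, expected):
    """Order-insensitive comparison that also counts duplicate ACEs."""
    a_owner, a_group, a_flags, a_aces = parse_sddl(actual)
    e_owner, e_group, e_flags, e_aces = parse_sddl(expected)
    return {
        "owner_group_match": (a_owner, a_group) == (e_owner, e_group),
        "flags": (a_flags, e_flags),
        "extra": sorted((a_aces - e_aces).elements()),
        "missing": sorted((e_aces - a_aces).elements()),
    }

def everyone_full_control(sddl):
    """Allow ACEs that grant the full mask to WD (Everyone)."""
    return [a for a in parse_sddl(sddl)[3]
            if a[0] == "A" and a[5] == "WD" and a[2]
            and int(a[2], 16) & FULL_CONTROL == FULL_CONTROL]

if __name__ == "__main__":
    for key, value in diff_dacl(ACTUAL, EXPECTED).items():
        print(key, value)
    print("Everyone full control:", everyone_full_control(ACTUAL))
```

On these inputs every expected ACE is present; the differences are the missing `PAR` DACL flags, a duplicated Domain Admins entry, and four entries with no counterpart in the expected ACL, one of which grants Everyone (`WD`) the full `0x001f01ff` mask.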