[Samba] SYSVOL ACLs and GPOs

Alex Matthews qoole.samba at lillimoth.com
Fri Oct 26 04:09:12 MDT 2012

On 26/10/2012 11:03, Andrew Bartlett wrote:
> On Fri, 2012-10-26 at 10:44 +0100, Alex Matthews wrote:
>> I'm assuming because of the way I laid my directory tree out I could
>> also just provision as normal and run the tests? Just makes it difficult
>> to "un-provision".
>> I did a bit of testing last night and sysvolcheck returns no errors
>> until the point that run the gpmc.msc on the XP domain member and click
>> ok to "fix" the inconsistent ACLs. At that point it returns the same
>> error. Running sysvolreset does not fix it either.
> OK.  This is more interesting.  Can you show me first the output, and
> then the level 10 log of that sysvolcheck command?
> I'm particularly curious that a sysvolreset can't fix it.
> A network capture of what gpmc does may be instructive also.
>> This is true, atleast, for the master branch, I haven't tested the
>> aclfix branch yet.
> OK.
> Given this info on the essential components involved (running gpmc.msc
> once seems key), I think I have the steps to reproduce this here, which
> I'll try tonight or tomorrow.
> Thanks,
> Andrew Bartlett

# bin/samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: VFS ACL on GPO directory 
does not match expected value 
from GPO object
line 175, in _run
     return self.run(*args, **kwargs)
line 245, in run
line 1574, in checksysvolacl
line 1526, in check_gpos_acl
     domainsid, direct_db_access)
line 1476, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
path, fsacl_sddl, acl))

Level 10 sysvolcheck log: http://pastebin.com/QBHTKkqL

Do you want a wireshark packet log of GPMC or a samba level 10 log?



More information about the samba mailing list