[Samba] Samba4 ADC cannot edit GPO with W2K3

steve steve at steve-ss.com
Fri Sep 28 09:27:20 MDT 2012 

On 28/09/12 13:27, felix at epepm.cupet.cu wrote:

>
> Try:
> /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>
> and if it yields some error then:
> /usr/local/samba/bin/samba-tool ntacl sysvolreset
>
>
> It worked for me.
>
Hi
Exactly the same GPO creation error here.

Here are the outputs from the samba4 git build today:

samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/usr/local/samba/var/locks/sysvol/hh3.site/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) 
does not match expected value 
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) 
from GPO object
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 170, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
line 245, in run
     lp)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1578, in checksysvolacl
     direct_db_access)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1530, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1480, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
path, fsacl_sddl, acl))


and:
samba-tool ntacl sysvolreset
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734, 
'NT_STATUS_INVALID_OWNER')
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 170, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
line 214, in run
     lp, use_ntvfs=use_ntvfs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1468, in setsysvolacl
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
use_ntvfs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1405, in set_gpos_acl
     str(domainsid), use_ntvfs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1369, in set_dir_acl
     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", 
line 108, in setntacl
     smbd.set_nt_acl(file, security.SECINFO_OWNER | 
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

Do we have to reprovision in this case?
Cheers,
Steve

More information about the samba mailing list