[Samba] Samba4 ADC cannot edit GPO with W2K3

Luis Martinez luimarma at mconesa.com
Fri Sep 28 10:52:53 MDT 2012 

I have made more tests with the information given.

Coming from a fresh provisioning after install I get already an error 
while runing the check:

[root at tesauro ~]# /usr/local/samba/bin/samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data 
available')
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 168, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", 
line 247, in run
     lp)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", 
line 1562, in checksysvolacl
     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py", line 
73, in getntacl
     xattr.XATTR_NTACL_NAME)

After sysvolreset then the error disappears.

Just after creating the GPO then again sysvolcheck raises an error 
although the GPO is created without reporting an error to win2k3.

[root at tesauro ~]# /usr/local/samba/bin/samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data 
available')
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 168, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", 
line 247, in run
     lp)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", 
line 1570, in checksysvolacl
     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
direct_db_access)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", 
line 1523, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", 
line 1471, in check_dir_acl
     fsacl = getntacl(lp, path, direct_db_access=direct_db_access)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/ntacls.py", line 
73, in getntacl
     xattr.XATTR_NTACL_NAME)

Any ideas?
Luis
El 28/09/12 18:47, sandy.napoles at eccmg.cupet.cu escribió:
> I have the same error, but I can create perfectly the GPO and it are
> aplicate in my client perfect......then why I have it?
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on sysvol directory
> /usr/local/samba/var/locks/sysvol/eccmg.cupet.cu
> O:S-1-5-21-1892862124-1292540316-1938423036-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
> does not match expected value
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
> from provision
>    File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> line 170, in _run
>      return self.run(*args, **kwargs)
>    File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/ntacl.py",
> line 247, in run
>      lp)
>    File
> "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py",
> line 1574, in checksysvolacl
>      raise ProvisioningError('%s ACL on sysvol directory %s %s does not
> match expected value %s from provision' % (acl_type(direct_db_access),
> dir_path, fsacl_sddl, SYSVOL_ACL))
>
>
>
>> On 28/09/12 13:27, felix at epepm.cupet.cu wrote:
>>
>>> Try:
>>> /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>>
>>> and if it yields some error then:
>>> /usr/local/samba/bin/samba-tool ntacl sysvolreset
>>>
>>>
>>> It worked for me.
>>>
>> Hi
>> Exactly the same GPO creation error here.
>>
>> Here are the outputs from the samba4 git build today:
>>
>> samba-tool ntacl sysvolcheck
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>> ProvisioningError: DB ACL on GPO directory
>> /usr/local/samba/var/locks/sysvol/hh3.site/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>> does not match expected value
>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>> from GPO object
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 170, in _run
>>       return self.run(*args, **kwargs)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 245, in run
>>       lp)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1578, in checksysvolacl
>>       direct_db_access)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1530, in check_gpos_acl
>>       domainsid, direct_db_access)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1480, in check_dir_acl
>>       raise ProvisioningError('%s ACL on GPO directory %s %s does not
>> match expected value %s from GPO object' % (acl_type(direct_db_access),
>> path, fsacl_sddl, acl))
>>
>>
>> and:
>> samba-tool ntacl sysvolreset
>> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
>> ERROR(runtime): uncaught exception - (-1073741734,
>> 'NT_STATUS_INVALID_OWNER')
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 170, in _run
>>       return self.run(*args, **kwargs)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 214, in run
>>       lp, use_ntvfs=use_ntvfs)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1468, in setsysvolacl
>>       set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>> use_ntvfs)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1405, in set_gpos_acl
>>       str(domainsid), use_ntvfs)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>> line 1369, in set_dir_acl
>>       setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
>>     File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
>> line 108, in setntacl
>>       smbd.set_nt_acl(file, security.SECINFO_OWNER |
>> security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL,
>> sd)
>>
>> Do we have to reprovision in this case?
>> Cheers,
>> Steve
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the samba mailing list