[Samba] GPO Permissions _AGAIN_

Alex Matthews qoole.samba at lillimoth.com
Wed Oct 9 09:41:40 MDT 2013


Hi all,

I'm afraid I'm back to my old issue of GPO permissions.

I have two ADDCs providing an AD Domain (internal.stmaryscollege.co.uk 
(short-name 'SMC')). Servers are called 'ad-01' and 'tainan'. ad-01 is 
'Version 4.0.10' and tainan is 'Version 4.1.0rc4' (the latest version in 
the package repos of the respective OSs (arch and gentoo)).
I have set up a script that synchronises the two sysvol shares (using 
rsync) that I run manually when I make a change to a GPO.
However I have found that even after running `samba-tool ntacl 
sysvolreset` I still get 'Access Denied' or the more long winded: 
'Configuration information could not be read from the domain controller, 
either because the machine is unavailable or access has been denied.' 
when accessing some 'gpt.ini' files.

For reference here is the getfacl output for the GPT.INI file in 
question from the two servers:

TAINAN:
getfacl GPT.INI
# file: GPT.INI
# owner: SMC\134administrator
# group: SMC\134Domain\040Admins
user::rwx
user:SMC\134administrator:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:3000002:rwx
group:3000003:r-x
group:SMC\134Enterprise\040Admins:rwx
group:3000011:r-x
mask::rwx
other::---

AD-01:
getfacl GPT.INI
# file: GPT.INI
# owner: SMC\134administrator
# group: SMC\134Domain\040Admins
user::rwx
user:SMC\134administrator:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:SMC\134Enterprise\040Admins:rwx
group:3000008:r-x
group:3000016:rwx
group:3000018:r-x
mask::rwx
other::---


I would assume the inconsistency is due to idmap being different, but I'm not 
sure.

The output of `samba-tool ntacl sysvolcheck` from the two servers is as 
follows:

tainan:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} 
O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))


ad-01:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/srv/samba/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} 
O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
  File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
  File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1685, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1636, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1586, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Would it also be possible, as an update to sysvolcheck, to not throw an 
uncaught exception but more gracefully give the errors and continue 
after the first one?

Thanks,

Alex
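An added worked example, not part of Alex's message and not Samba's own code, that reads the two pieces of evidence posted above. It decodes and diffs the two SDDL descriptors from the sysvolcheck error, which turn out to differ only in the owner (O:LA, the domain's built-in Administrator account, versus the expected O:DA, Domain Admins; group, DACL flags and every ACE are identical), and it parses both getfacl listings to pull out the numeric group qualifiers, i.e. xids that the DC could not resolve back to a name, which is exactly the set of entries on which the two servers disagree. The sample data is copied from the message; the SID alias names and the access-mask names (full control, read & execute) are assumptions taken from standard Windows SDDL conventions, and the script does not talk to Samba or AD at all.

```python
"""Diff the evidence posted above: getfacl listings from each DC and the two
SDDL descriptors in the sysvolcheck error.  Added example, not Samba code."""
import re

# SDDL SID aliases, assumed from standard Windows meanings (LA = the domain's
# built-in Administrator account, DA = Domain Admins); not taken from Samba.
SID_ALIAS = {"DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "Creator Owner",
             "SY": "Local System", "AU": "Authenticated Users",
             "ED": "Enterprise Domain Controllers", "LA": "Administrator"}
MASKS = {0x001F01FF: "full control", 0x001200A9: "read & execute"}  # FILE_ALL_ACCESS, generic R+X

# The ACE list is identical in both halves of the posted error; only the owner differs.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
ACTUAL_SDDL = "O:LAG:DAD:PAR" + ACES    # what sysvolcheck read from the sysvol tree
EXPECTED_SDDL = "O:DAG:DAD:PAR" + ACES  # what it derived from the GPO object in AD

# getfacl output for GPT.INI on each DC, as posted (raw strings keep the \NNN escapes).
TAINAN_GETFACL = r"""
# owner: SMC\134administrator
user::rwx
user:SMC\134administrator:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:3000002:rwx
group:3000003:r-x
group:SMC\134Enterprise\040Admins:rwx
group:3000011:r-x
mask::rwx
other::---
"""
AD01_GETFACL = r"""
user::rwx
user:SMC\134administrator:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:SMC\134Enterprise\040Admins:rwx
group:3000008:r-x
group:3000016:rwx
group:3000018:r-x
mask::rwx
other::---
"""

def describe(sid):
    """'DA' -> 'DA (Domain Admins)'; unknown aliases and raw S-1-... SIDs pass through."""
    return "%s (%s)" % (sid, SID_ALIAS[sid]) if sid in SID_ALIAS else sid

def parse_sddl(sddl):
    """Split 'O:..G:..D:<flags>(ace)(ace)...' into parts (DACL only; the output has no SACL)."""
    m = re.fullmatch(r"O:(\w+)G:(\w+)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unrecognised SDDL: %r" % sddl)
    owner, group, flags, aces = m.groups()
    # each ACE is type;flags;rights;object_guid;inherit_object_guid;sid
    return {"owner": owner, "group": group, "dacl_flags": flags,
            "aces": [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", aces)]}

def fmt_ace(ace):
    kind, flags, rights, _obj, _inh, sid = ace
    return "%s;%s;%s -> %s" % (kind, flags, MASKS.get(int(rights, 16), rights), describe(sid))

def diff_sddl(actual, expected):
    """Human-readable differences between two descriptors; [] means they agree."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = ["%s: %s != %s" % (f, describe(a[f]), describe(e[f]))
             for f in ("owner", "group", "dacl_flags") if a[f] != e[f]]
    # set comparison: ACE order and the duplicated DA entry are not differences
    diffs += ["extra ACE: " + fmt_ace(x) for x in sorted(set(a["aces"]) - set(e["aces"]))]
    diffs += ["missing ACE: " + fmt_ace(x) for x in sorted(set(e["aces"]) - set(a["aces"]))]
    return diffs

def parse_getfacl(text):
    """{(tag, qualifier): perms} from getfacl output, decoding its \\NNN octal escapes."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tag, qual, perms = line.split(":", 2)
        qual = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), qual)
        entries[(tag, qual)] = perms
    return entries

def unmapped_ids(entries):
    """Qualifiers left numeric: that DC could not map the xid back to a name."""
    return sorted(q for (_t, q) in entries if q.isdigit())

def compare_acls(a, b):
    """Entries present on only one DC, plus shared entries whose perms differ."""
    only_a = sorted(k for k in a if k not in b)
    only_b = sorted(k for k in b if k not in a)
    changed = sorted((k, a[k], b[k]) for k in a if k in b and a[k] != b[k])
    return only_a, only_b, changed

TAINAN, AD01 = parse_getfacl(TAINAN_GETFACL), parse_getfacl(AD01_GETFACL)

if __name__ == "__main__":
    for d in diff_sddl(ACTUAL_SDDL, EXPECTED_SDDL) or ["SDDL descriptors agree"]:
        print("sysvolcheck:", d)
    print("unmapped on tainan:", unmapped_ids(TAINAN), "on ad-01:", unmapped_ids(AD01))
    print("only on tainan / only on ad-01 / perm changes:", *compare_acls(TAINAN, AD01))
```

Run as a script it prints the single SDDL difference (owner LA versus DA) and the three numeric xids on each side; the parsers take plain text, so the same functions can be pointed at live getfacl output or at the error text from any DC.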


