[Samba] GPO Permissions _AGAIN_

Alex Matthews qoole at lillimoth.com
Thu Oct 10 09:01:51 MDT 2013


On 09/10/2013 16:41, Alex Matthews wrote:
> Hi all,
>
> I'm afraid I'm back to my old issue of GPO permissions.
>
> I have two ADDCs providing an AD Domain (internal.stmaryscollege.co.uk 
> (short-name 'SMC')). Servers are called 'ad-01' and 'tainan'. ad-01 is 
> 'Version 4.0.10' and tainan is 'Version 4.1.0rc4' (the latest version 
> in the package repos of the respective OSs (arch and gentoo))
> I have set up a script that synchronises the two sysvol shares (using 
> rsync) that I run manually when I make a change to a GPO.
> However I have found that even after running `samba-tool ntacl 
> sysvolreset` I still get 'Access Denied' or the more long winded: 
> 'Configuration information could not be read from the domain 
> controller, either because the machine is unavailable or access has 
> been denied.' when accessing some 'gpt.ini' files.
>
> For reference here is the getfacl output for the GPT.INI file in 
> question from the two servers:
>
> TAINAN:
> getfacl GPT.INI
> # file: GPT.INI
> # owner: SMC\134administrator
> # group: SMC\134Domain\040Admins
> user::rwx
> user:SMC\134administrator:rwx
> group::rwx
> group:SMC\134Domain\040Admins:rwx
> group:3000002:rwx
> group:3000003:r-x
> group:SMC\134Enterprise\040Admins:rwx
> group:3000011:r-x
> mask::rwx
> other::---
>
> AD-01:
> getfacl GPT.INI
> # file: GPT.INI
> # owner: SMC\134administrator
> # group: SMC\134Domain\040Admins
> user::rwx
> user:SMC\134administrator:rwx
> group::rwx
> group:SMC\134Domain\040Admins:rwx
> group:SMC\134Enterprise\040Admins:rwx
> group:3000008:r-x
> group:3000016:rwx
> group:3000018:r-x
> mask::rwx
> other::---
>
>
> I would assume the inconsisteny is due to idmap being different, I'm 
> not sure.
>
> The output of `samba-tool ntacl sysvolcheck` from the two servers is 
> as follows:
>
> tainan:
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception 
> - ProvisioningError: DB ACL on GPO directory 
> /vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} 
> O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> does not match expected value 
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> from GPO object
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", 
> line 249, in run
>     lp)
>   File 
> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
> 1695, in checksysvolacl
>     direct_db_access)
>   File 
> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
> 1646, in check_gpos_acl
>     domainsid, direct_db_access)
>   File 
> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
> 1593, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
> match expected value %s from GPO object' % 
> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
>
> ad-01:
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception 
> - ProvisioningError: DB ACL on GPO directory 
> /srv/samba/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} 
> O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> does not match expected value 
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> from GPO object
>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 
> 245, in run
>     lp)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1685, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1636, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1586, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
> match expected value %s from GPO object' % 
> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> Would it also be possible, as an update to sysvolcheck, to not throw 
> an uncaught exception but more gracefully give the errors and continue 
> after the first one?
>
> Thanks,
>
> Alex
>
Hi all,

Just a quick follow up.
I found a GPO entitled 'sysvol share compatibility' which has the 
following blurb:

This setting controls whether or not the Sysvol share created by the Net 
Logon service on a domain controller (DC) should support compatibility 
in file sharing semantics with earlier applications.
When this setting is enabled, the Sysvol share will honor file sharing 
semantics that grant requests for exclusive read access to files on the 
share even when the caller has only read permission.
When this setting is disabled or not configured, the Sysvol share will 
grant shared read access to files on the share when exclusive access is 
requested and the caller has only read permission.
By default, the Sysvol share will grant shared read access to files on 
the share when exclusive access is requested.
Note: The Sysvol share is a share created by the Net Logon service for 
use by Group Policy clients in the domain. The default behavior of the 
Sysvol share ensures that no application with only read permission to 
files on the sysvol share can lock the files by requesting exclusive 
read access, which might prevent Group Policy settings from being 
updated on clients in the domain. When this setting is enabled, an 
application that relies on the ability to lock files on the Sysvol share 
with only read permission will be able to deny Group Policy clients from 
reading the files, and in general the availability of the Sysvol share 
on the domain will be decreased.

The last part is the most interesting (after 'Note:'). Is this how samba 
works too when it comes to providing the sysvol share?


Thanks,

Alex


More information about the samba mailing list