[Samba] Samba4 policies acl corruption

Iñigo Martinez Lasala imartinez at vector-ignite.com
Tue Apr 8 02:54:22 MDT 2014


Hi everybody.

One month ago we migrated from a Samba 3.6 classic domain to Samba4.

After solving some minor problems, we have found ourselves with an ACL 
corruption and we don't know how to deal with this.
When accessing our sysvol share (for example, \\domain.local\sysvol) 
from either Samba or Windows clients, we are refused the connection.

Domain=[VECTORSF] OS=[Unix] Server=[Samba 4.1.4]
session setup failed: NT_STATUS_CONNECTION_REFUSED

However we can access our sysvol shares directly (for example 
\\dc01.domain.local\sysvol or \\dc02.domain.local\sysvol).
The problem arose after one tech ENFORCED one policy from the Windows GPO tool.

After searching in forums, we managed to locate the problem. There is 
some problem with GPO ACLs.

root at DC01:/tmp/policy# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/usr/local/samba/var/locks/sysvol/vectorsf.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} 
O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run

As you can see, the only difference is with O:LAG / O:DAG.

Of course we have reset ACLs via samba-tool ntacl sysvolreset.

We have also read something similar in this bugzilla.
https://bugzilla.samba.org/show_bug.cgi?id=9483

Changing the owner (and resyncing) to match UID 512 for each Policy does not fix 
the problem.

Thanks in advance!
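The sysvolcheck error above prints two long SDDL strings and leaves the reader to spot the difference by eye. The following script is an added example written for this thread, not Samba code: it parses both descriptors quoted in the error (owner, group, DACL control flags and each ACE) and reports exactly which fields differ, decoding the two-letter SID aliases so that "O:LA" versus "O:DA" reads as local Administrator (RID 500) versus Domain Admins (RID 512). The alias and rights tables are deliberately limited to the codes that occur in those two strings.

```python
"""Parse and diff two SDDL security descriptors.

Added example for this thread (not Samba code). It parses the two SDDL
strings quoted in the samba-tool ntacl sysvolcheck output and reports
which field differs. Alias and rights tables cover only the codes seen there.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Two-letter SDDL SID aliases used in the quoted descriptors (standard Windows set).
SID_ALIASES = {
    "LA": "local Administrator account (RID 500)",
    "DA": "Domain Admins (RID 512)",
    "EA": "Enterprise Admins (RID 519)",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}
# Letter codes SDDL allows instead of a hex access mask, and names for the masks seen here.
RIGHTS_ALIASES = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
RIGHTS_NAMES = {0x001F01FF: "full control", 0x001200A9: "read and execute"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only"}
DACL_FLAGS = {"P": "protected", "AR": "auto-inherit required", "AI": "auto-inherited"}

# O:owner G:group D:flags(ace)(ace)... S:flags(ace)...; every component is optional.
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>S-[\d-]+|[A-Z]{2}))?"
    r"(?:G:(?P<group>S-[\d-]+|[A-Z]{2}))?"
    r"(?:D:(?P<dacl_flags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*))?"
    r"(?:S:(?P<sacl_flags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$"
)
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str  # "A" = access allowed, "D" = access denied
    flags: str     # inheritance flags as written, e.g. "OICIIO"
    rights: int    # access mask
    sid: str       # SID string or two-letter alias

    def describe(self) -> str:
        flags = [ACE_FLAGS.get(self.flags[i:i + 2], self.flags[i:i + 2])
                 for i in range(0, len(self.flags), 2)]
        rights = RIGHTS_NAMES.get(self.rights, hex(self.rights))
        who = SID_ALIASES.get(self.sid, self.sid)
        verb = "allow" if self.ace_type == "A" else "deny"
        return "%s %s to %s [%s]" % (verb, rights, who, ", ".join(flags))


@dataclass
class SecurityDescriptor:
    owner: Optional[str]
    group: Optional[str]
    dacl_flags: List[str]
    dacl: List[Ace]


def decode_dacl_flags(text: str) -> List[str]:
    """Decode DACL control flags such as 'PAR' (P is one letter, AR and AI are two)."""
    out, i = [], 0
    while i < len(text):
        code = text[i] if text[i] == "P" else text[i:i + 2]
        if code not in DACL_FLAGS:
            raise ValueError("unknown DACL flag %r in %r" % (code, text))
        out.append(DACL_FLAGS[code])
        i += len(code)
    return out


def parse_ace(text: str) -> Ace:
    """Parse 'type;flags;rights;object_guid;inherit_object_guid;sid'."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs 6 ';'-separated fields: %r" % text)
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
    mask = int(rights, 16) if rights.lower().startswith("0x") else RIGHTS_ALIASES[rights]
    return Ace(ace_type, flags, mask, sid)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not a well-formed SDDL string: %r" % sddl)
    aces = [parse_ace(a) for a in ACE_RE.findall(m.group("dacl") or "")]
    return SecurityDescriptor(m.group("owner"), m.group("group"),
                              decode_dacl_flags(m.group("dacl_flags") or ""), aces)


def diff_sddl(actual: str, expected: str) -> List[Tuple[str, object, object]]:
    """Return (field, actual, expected) triples for each mismatch; [] means identical."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs: List[Tuple[str, object, object]] = []
    for field in ("owner", "group", "dacl_flags"):
        if getattr(a, field) != getattr(e, field):
            diffs.append((field, getattr(a, field), getattr(e, field)))
    # ACE order matters when Windows evaluates a DACL; this check is membership-based,
    # so surplus or missing entries are reported but a re-ordered identical set is not.
    diffs += [("extra_ace", ace, None) for ace in a.dacl if ace not in e.dacl]
    diffs += [("missing_ace", None, ace) for ace in e.dacl if ace not in a.dacl]
    return diffs


# The two descriptors from the sysvolcheck error (on-disk DB ACL vs. the GPO object).
ON_DISK = ("O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
FROM_GPO = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

if __name__ == "__main__":
    for field, got, want in diff_sddl(ON_DISK, FROM_GPO):
        got_s = SID_ALIASES.get(got, got) if isinstance(got, str) else got
        want_s = SID_ALIASES.get(want, want) if isinstance(want, str) else want
        print("%s: on disk = %s, GPO object = %s" % (field, got_s, want_s))
    for ace in parse_sddl(FROM_GPO).dacl:
        print("  " + ace.describe())
```

Run against the two strings from the error, the only difference reported is the owner field (local Administrator on disk, Domain Admins on the GPO object), which is the mismatch the thread is about; the ACE list itself, including the duplicated DA entry, is identical on both sides.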


