[Samba] Samba4 policies acl corruption
Iñigo Martinez Lasala
imartinez at vector-ignite.com
Tue Apr 8 02:54:22 MDT 2014
Hi everybody.
One month ago we migrated from samba 3.6 classic domain to samba4.
After solving some minor problems, we have found ourselves with an ACL
corruption and we don't know how to deal with this.
When accessing our sysvol share (for example, \\domain.local\sysvol)
from both Samba or Windows clients, we are refused the connection.
Domain=[VECTORSF] OS=[Unix] Server=[Samba 4.1.4]
session setup failed: NT_STATUS_CONNECTION_REFUSED
However we can access our sysvol shares directly (for example
\\dc01.domain.local\sysvol or \\dc02.domain.local\sysvol).
The problem arose after one tech ENFORCED one policy from the Windows GPO tool.
After searching in forums, we managed to locate the problem. There is
some problem with GPO ACLs.
root@DC01:/tmp/policy# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/vectorsf.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
As you can see, the only difference is with O:LAG / O:DAG.
Of course we have reset ACLs via samba-tool ntacl sysvolreset.
We have also read something similar in this bugzilla.
https://bugzilla.samba.org/show_bug.cgi?id=9483
Changing owner (and resync) to match UID 512 for each Policy does not fix
the problem.
Thanks in advance!
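
The comparison behind "the only difference is with O:LAG / O:DAG", as an added example that is not part of the original post and is not Samba's own code: a small Python parser that splits the two SDDL strings from the sysvolcheck error into owner, group, DACL flags and ACEs and reports which components differ. The function names are hypothetical, and the alias table covers only the SDDL aliases that occur in these two strings.

```python
import re

# SDDL aliases used in the two descriptors from the sysvolcheck error.
SID_ALIASES = {
    "LA": "Administrator account (RID 500)",
    "DA": "Domain Admins (RID 512)",
    "EA": "Enterprise Admins (RID 519)",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}
# Owner, primary group and DACL only; a descriptor with a SACL is rejected.
SDDL_RE = re.compile(
    r"^O:(?P<owner>S-[\d-]+|[A-Z]{2})"
    r"G:(?P<group>S-[\d-]+|[A-Z]{2})"
    r"D:(?P<dacl_flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$"
)
# The two strings as printed in the error message above.
ON_DISK = ("O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    fields = m.groupdict()
    # Each ACE is type;flags;rights;object_guid;inherit_object_guid;trustee
    fields["aces"] = [tuple(a.split(";"))
                      for a in re.findall(r"\(([^)]*)\)", fields["aces"])]
    return fields

def diff_sddl(actual, expected):
    """Return {field: (actual, expected)} for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}

def describe(sid):
    return "%s = %s" % (sid, SID_ALIASES.get(sid, "unknown alias or literal SID"))

if __name__ == "__main__":
    for field, (got, want) in diff_sddl(ON_DISK, EXPECTED).items():
        if field in ("owner", "group"):
            got, want = describe(got), describe(want)
        print("%s: on disk [%s], expected from GPO object [%s]" % (field, got, want))
```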