[Samba] Samba4 policies acl corruption

Iñigo Martinez Lasala imartinez at vector-ignite.com
Tue Apr 8 05:11:37 MDT 2014


We managed to fix this issue.

samba-tool ntacl sysvolreset --use-s3fs
samba-tool ntacl sysvolreset --use-ntvfs

And resync sysvol shares (via rsync) with all DCs.

We had to wait for a few minutes until replication (both sysvol shares 
via rsync and internal DCs) finished.


On 08/04/14 10:54, Iñigo Martinez Lasala wrote:
> Hi everybody.
>
> One month ago we migrated from samba 3.6 classic domain to samba4.
>
> After solving some minor problems, we have found ourselves with an ACL 
> corruption and we don't know how to deal with this.
> When accessing our sysvol share (for example, 
> \\domain.local\sysvol) from both Samba or Windows clients, we are 
> refused to connect.
>
> Domain=[VECTORSF] OS=[Unix] Server=[Samba 4.1.4]
> session setup failed: NT_STATUS_CONNECTION_REFUSED
>
> However we can access our sysvol shares directly (for example 
> \\dc01.domain.local\sysvol or \\dc02.domain.local\sysvol).
> The problem arose after one tech ENFORCED one policy from the Windows GPO 
> tool.
>
> After searching in forums, we managed to locate the problem. There is 
> some problem with GPO ACLs.
>
> root at DC01:/tmp/policy# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception 
> - ProvisioningError: DB ACL on GPO directory 
> /usr/local/samba/var/locks/sysvol/vectorsf.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} 
> O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> does not match expected value 
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> from GPO object
>   File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>
> As you can see, the only difference is with O:LAG / O:DAG.
>
> Of course we have reset ACLs via samba-tool ntacl sysvolreset.
>
> We have also read something similar in this bugzilla.
> https://bugzilla.samba.org/show_bug.cgi?id=9483
>
> Changing owner (and resync) to match UID 512 for each Policy does not 
> fix the problem.
>
> Thanks in advance!
>


-- 
Iñigo Martínez Lasala
IT Director
____________________________
Tel.: (+34) 91 183 03 00

Camino del Cerro de los Gamos, 1 – Edificio 6
28224 Pozuelo de Alarcón
Madrid - España
____________________________
Vector Software Factory
www.vectorsf.com

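The sysvolcheck error quoted above is two SDDL strings that differ only in their owner field (O:LA versus O:DA), which is easy to miss in a wrapped mailing-list paste. The following is an added example (not code from the thread and not part of Samba): a small parser that pulls both descriptors out of the ProvisioningError text, splits them into owner, group, DACL flags and ACEs, and reports exactly what differs, so a check like this can be re-run after sysvolreset and the rsync to the other DCs to confirm the directory and the file system agree. The two-letter SID abbreviations (LA = the local Administrator account, RID 500; DA = Domain Admins, RID 512, the UID the original poster tried to match) are the standard SDDL ones; the error text is a constructed copy of the one in the mail, joined onto one line.

```python
import re

# Constructed sample: the sysvolcheck error from the thread, joined onto one line.
# Both SDDL strings are the ones quoted in the original mail.
SYSVOLCHECK_ERROR = (
    "ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception "
    "- ProvisioningError: DB ACL on GPO directory "
    "/usr/local/samba/var/locks/sysvol/vectorsf.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} "
    "O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) "
    "does not match expected value "
    "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) "
    "from GPO object"
)

# Standard SDDL two-letter SID abbreviations seen in sysvol descriptors.
SID_NAMES = {
    "LA": "local Administrator account (RID 500)",
    "DA": "Domain Admins (RID 512)",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

ERROR_RE = re.compile(
    r"DB ACL on GPO directory\s+(?P<path>\S+)\s+(?P<db>\S+)\s+"
    r"does not match expected value\s+(?P<expected>\S+)\s+from GPO object"
)


def extract_acls(error_text):
    """Return (gpo_path, on_disk_sddl, expected_sddl) from a sysvolcheck error.

    Whitespace is normalised first so a copy wrapped by a mail client parses too.
    """
    m = ERROR_RE.search(" ".join(error_text.split()))
    if not m:
        raise ValueError("no 'DB ACL ... does not match' message found")
    return m.group("path"), m.group("db"), m.group("expected")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE tuples.

    Minimal parser: component markers (O:, G:, D:, S:) are only recognised outside
    ACE parentheses, so SID strings and ACE fields cannot be mistaken for them.
    """
    parts, key, depth, buf, i = {}, None, 0, [], 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                parts[key] = "".join(buf)
            key, buf, i = ch, [], i + 2
            continue
        depth += (ch == "(") - (ch == ")")
        buf.append(ch)
        i += 1
    if key is not None:
        parts[key] = "".join(buf)

    dacl = parts.get("D", "")
    flags = dacl.split("(", 1)[0]  # e.g. "PAR": protected, auto-inherit required
    # Each ACE is type;flags;rights;object_guid;inherit_object_guid;sid
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl_flags": flags, "aces": aces}


def describe_sid(abbrev):
    """Expand a well-known abbreviation; anything else is returned unchanged."""
    return f"{abbrev} ({SID_NAMES[abbrev]})" if abbrev in SID_NAMES else abbrev


def diff_sddl(db_sddl, expected_sddl):
    """List human-readable differences; an empty list means the descriptors agree."""
    a, b = parse_sddl(db_sddl), parse_sddl(expected_sddl)
    diffs = []
    for field in ("owner", "group", "dacl_flags"):
        if a[field] != b[field]:
            diffs.append(f"{field}: on disk {describe_sid(a[field])}, "
                         f"expected {describe_sid(b[field])}")
    only_disk = [ace for ace in a["aces"] if ace not in b["aces"]]
    only_expected = [ace for ace in b["aces"] if ace not in a["aces"]]
    diffs += [f"ACE only on disk: {';'.join(ace)}" for ace in only_disk]
    diffs += [f"ACE missing on disk: {';'.join(ace)}" for ace in only_expected]
    if not only_disk and not only_expected and a["aces"] != b["aces"]:
        diffs.append("same ACEs but in a different order or count")
    return diffs


def check(error_text):
    """Convenience wrapper: (gpo_path, list_of_differences)."""
    path, db, expected = extract_acls(error_text)
    return path, diff_sddl(db, expected)


if __name__ == "__main__":
    gpo_path, differences = check(SYSVOLCHECK_ERROR)
    print(gpo_path)
    for line in differences or ["descriptors match"]:
        print("  " + line)
```

On the quoted error the only line reported is the owner mismatch: the seven ACEs (full control 0x001f01ff for DA, EA, CO, SY; read and execute 0x001200a9 for AU and ED) and the PAR flags are identical on both sides, which is why fixing the owner on the GPO object and rewriting the file-system ACL with sysvolreset was enough.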
