[Samba] GPO Create error

Ryan Bair ryandbair at gmail.com
Tue Apr 22 07:25:04 MDT 2014


Thanks Iñigo,

I assumed you meant sysvolreset instead of sysvol. Both commands ran
successfully; however, I am still unable to create new GPOs. Sysvolcheck
fails with a new error though:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
ad.mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line
249, in run
    lp)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py",
line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py",
line 1646, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py",
line 1593, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))

Looking at the POSIX ACLs on that file, it looks like they may not have
been reset:

user::rwx
user:root:rwx
user:15001:rwx
user:15002:r-x
user:15007:r-x
group::rwx
group:TSLITHO\134Domain\040Admins:rwx
group:15001:rwx
group:15002:r-x
group:15007:r-x
group:TSLITHO\134Enterprise\040Admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:15001:rwx
default:user:15002:r-x
default:user:15007:r-x
default:group::---
default:group:TSLITHO\134Domain\040Admins:rwx
default:group:15001:rwx
default:group:15002:r-x
default:group:15007:r-x
default:group:TSLITHO\134Enterprise\040Admins:rwx
default:mask::rwx
default:other::---



On Tue, Apr 22, 2014 at 6:40 AM, Iñigo Martinez Lasala <
imartinez at vector-ignite.com> wrote:

> Try:
>
> samba-tool gpo aclcheck
>
> And then
> samba-tool ntacl sysvol --use-s3fs
> samba-tool ntacl sysvol --use-ntvfs
>
> Hope this will fix your problem.
>
>
>
> On 21/04/14 23:30, Ryan Bair wrote:
>
>> I have a domain that I upgraded from a Samba 3/LDAP set up about a year
>> ago. I haven't done anything too interesting with it and it's generally
>> been working OK.
>>
>> I attempted to create a new GPO for my domain. From a Win 7 client I get
>> an error "This security ID may not be assigned as the owner of this object".
>>
>> Thinking this was an issue with sysvol acls, I ran "samba-tool ntacl
>> sysvolcheck" which exploded with:
>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data
>> available')
>>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>> line
>> 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line
>> 249, in run
>>      lp)
>>    File "/usr/lib64/python2.6/site-packages/samba/provision/__init__.py",
>> line 1686, in checksysvolacl
>>      fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access,
>> service=SYSVOL_SERVICE)
>>    File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 73, in
>> getntacl
>>      xattr.XATTR_NTACL_NAME)
>>
>> After reading some other people's experiences I tried doing a sysvolrepair
>> which completed, but did not fix either of the issues.
>>
>> I also tried creating the GPO with "samba-tool gpo create 'New GPO'" which
>> gave an error that smells similar to the error Win 7 GPO Management
>> reported:
>> ERROR(runtime): uncaught exception - (-1073741734,
>> 'NT_STATUS_INVALID_OWNER')
>>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>> line
>> 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/gpo.py", line
>> 1000,
>> in run
>>      conn.set_acl(sharepath, fs_sd, sio)
>>
>> I'm running 4.1.6-SerNet-RedHat-7.el6 on Centos 6.5.
>>
>> Any ideas where to look next?
>>
>
>
> --
> Iñigo Martínez Lasala
> IT Director
> ____________________________
> Tel.: (+34) 91 183 03 00
>
> Camino del Cerro de los Gamos, 1 – Edificio 6
> 28224 Pozuelo de Alarcón
> Madrid - Spain
> ____________________________
> Vector Software Factory
> www.vectorsf.com
>
> Confidentiality Terms
>
>