[Samba] GPO problems on a 4.1.6 AD, classicupgraded, uncaught exception

mourik jan heupink - merit heupink at merit.unu.edu
Tue May 13 11:39:32 MDT 2014 

I've added a bugreport here:

https://bugzilla.samba.org/show_bug.cgi?id=10606

On 5/13/2014 16:56, mourik jan heupink - merit wrote:
> Wow Marc, you're quick. :-)
>
> Thanks for your reassuring words.
>
> I created a backup and ran samba-tool ntacl sysvolreset, and that solved
> the issue. :-)
>
> Strange that such a recent installation (4.1.6) needs a sysvolreset...
>
> Anyway, thanks for your QUICK help. :-)
>
> MJ
>
> On 5/13/2014 17:49, Marc Muehlfeld wrote:
>> Hello Mourik,
>>
>> Am 13.05.2014 15:39, schrieb mourik jan heupink - merit
>>> Taken from the mailinglist, I tried  samba-tool ntacl sysvolcheck, and
>>> it fails miserably and SCARY, with an uncaught exception:
>>>
>>> root at dc1:~# samba-tool ntacl sysvolcheck
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>> (16384)
>>> Processing section "[netlogon]"
>>> Processing section "[sysvol]"
>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>>> ProvisioningError: DB ACL on GPO directory
>>> /var/lib/samba/sysvol/samba.merit.unu.edu/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>
>>>
>>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>
>>>
>>> does not match expected value
>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>
>>>
>>> from GPO object
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>>      return self.run(*args, **kwargs)
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
>>> 249, in run
>>>      lp)
>>>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>>> line 1695, in checksysvolacl
>>>      direct_db_access)
>>>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>>> line 1646, in check_gpos_acl
>>>      domainsid, direct_db_access)
>>>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>>> line 1593, in check_dir_acl
>>>      raise ProvisioningError('%s ACL on GPO directory %s %s does not
>>> match expected value %s from GPO object' % (acl_type(direct_db_access),
>>> path, fsacl_sddl, acl))
>>>
>>> Since everything looks so scary, I wanted to verify with you guys,
>>> before attempting a 'samba-tool ntacl sysvolreset'...
>>
>>
>> You should file a bug report about that. But sysvolcheck has some
>> uncaught exceptions (e. g.
>> https://bugzilla.samba.org/show_bug.cgi?id=10321).
>>
>> sysvolreset should work fine. But backup is never a bad idea ;-)
>>
>>
>>
>>
>>> Perhaps related, I occasionally get these as well:
>>>
>>> May 13 16:34:24 dc1 samba[2436]:   Failed to modify SPNs on
>>> CN=p002544,CN=Computers,DC=samba,DC=domain: error in module acl:
>>> Constraint violation (19)
>>
>> This is something different:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=9316
>>
>>
>>
>> Regards,
>> Marc

More information about the samba mailing list