[Samba] Cannot edit GPO's anymore via RSAT

George Itee george.itee at gmail.com
Fri May 23 14:44:05 MDT 2014 

Hello all,


I have recently discovered that my user cannot edit GPO's anymore. Every
GPO I try to open, gets me the famous window "*The permissions for this GPO
in the SYSVOL folder are inconsistent with those in Active Directory" * and
then I get another window saying "Access is denied".

I believe that this happened when I upgraded to 4.1.7 from 4.1.3, about 3
weeks ago, but during this time, I haven't edited or opened any GPO, we
have been testing different hypervisors like Xen, Vmware, Proxmox, so the
DC was migrated from different platforms and the Domain Controller Level
was raised from 2003 to 2008R2. I must mention that I have 60 people using
this domain controller at the moment.

After the upgrade, I did issue the command samba-tool ntacl sysvolreset. I
have upgraded before, but this never happened.

Trying to add/remove a user in the Security Filtering results in Access is
Denied again. My user is a member of Domain Admins, Group Policy Creator
Owners and Schema Admins groups.

The Administrator account also gets the first error, but he can edit the
GPO' just fine.

samba-tool ntacl sysvolcheck says:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
Provisi oningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/samdom/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:DAG:DAD:P(A;OICI;0x
001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01
ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
 does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x00
1f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff
;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py" ,
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", l
ine 249, in run
    lp)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.
py", line 1726, in checksysvolacl
    direct_db_access)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.
py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.
py", line 1624, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expect ed value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, ac l))


Like I said, running ntacl sysvolreset does not work. Any help with this
problem would be greatly appreciated, as I do not have a backup of the
previous version :(

Thank you !

George

More information about the samba mailing list