[Samba] DC2 denies access when saving through the Group Policy Management Co

Rowland Penny rowlandpenny at googlemail.com
Sat Nov 1 13:55:24 MDT 2014


On 01/11/14 19:21, ?icro MEGAS wrote:
>> Rowland wrote:
>> You can check the ACLs on sysvol with:
>> samba-tool ntacl sysvolcheck
> Hi Rowland,
>
> when I execute that command on either DC1 or DC2 I get the following uncaught exception error :-(
>
> $ samba-tool ntacl sysvolcheck
> ERROR(): uncaught exception - ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/mydom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Documents & Settings/fdeploy.ini O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>      lp)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
>      direct_db_access)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
>      domainsid, direct_db_access)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1634, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
>
> Why that? Do I have to worry about that error? Is this a known bug or something like that? I am running Samba 4.1.12/sernet on Debian Wheezy.

OK, make sure that the two idmap.ldb files match and then run 
'samba-tool ntacl sysvolreset' on both machines and see if this cures 
the problem.

>
>> You are using winbind on the server, it is either built into the samba
>> daemon, or if you are running 4.2, it is now called 'winbindd' and is
>> started by the samba daemon.
> As I am on 4.1.12 I am still using the old built-in version of winbind. My /etc/default/sernet-samba is set to "ad" mode and "ps aux |grep -i winbind" returns no output, so I don't see any winbind process. I hope that's ok and normal behaviour.

As it is built into the samba daemon, you will not see a separate process.

>> I think that your problem is that when you join another DC to the
>> domain, idmap.ldb is not replicated, so when you sync sysvol from the
>> first DC to the second the 'xidnumbers' i.e. '3000000' do not match what
>> is in idmap.ldb on the second DC, so the permissions are not correct,
>> the cure is to copy idmap.ldb from the first DC to any other DCs.
> I cannot imagine why, because according to the wiki (I did read it somewhere in the tutorial when I configured DC2) I did manually copy the mentioned idmap.ldb from dc1 to dc2. But right now I checked the two files and they were different (I ran "diff idmap.ldb.from.dc1 idmap.ldb.from.dc2" after I copied them into a temporary directory). So I again copied the file dc1:/var/lib/samba/private/idmap.ldb to dc2:/var/lib/samba/private/idmap.ldb to ensure they are both the same.
I would suggest that you restart samba on both machines, this should 
ensure that any changes will take effect.

> After that action I rechecked, but the problem still exists. I can describe the issue in more detail: I can create a new GPO on DC1 and name it "new-test-gpo-created-on-dc1". Inside this GPO I choose the setting "something" and ENABLE it. After 5 minutes this GPO is replicated to DC2. I see the change there.
>
> When I connect to DC2 through GPMC and create a new GPO called "new-test-gpo-created-on-dc2" and set the configuration "foobar" to DISABLE and wait 5 minutes, then this GPO "new-test-gpo-created-on-dc2" cannot be edited on DC1 or DC2. I get the error "System cannot find the specified path" (Note: I translated this into English on my own, so this might not be the original error message).

This may just be because the two machines are using the wrong 
information from cache.

Rowland

> I guess that the problem is related to the unison bidirectional sync I configured according to https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication
> The logfile created by sysvol-sync looks like that:
>
> [...]
> 2014/11/01 20:10:02 [27755] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/
> 2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Documents & Settings/
> 2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/
> 2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/Logoff/
> 2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/Logon/
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
> 2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
> 2014/11/01 20:10:02 [27755] sent 7802 bytes  received 50 bytes  5234.67 bytes/sec
> 2014/11/01 20:10:02 [27755] total size is 0  speedup is 0.00
> UNISON 2.40.65 started propagating changes at 20:10:02.45 on 01 Nov 2014
> [CONFLICT] Skipping sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
> [CONFLICT] Skipping sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
> [CONFLICT] Skipping sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
> [BGN] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI from /var/lib/samba to //dc2//var/lib/samba
> [END] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI
> [BGN] Copying sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol from /var/lib/samba to //dc2//var/lib/samba
> /usr/bin/rsync -XAavz --rsh='ssh -p 22' --inplace --compress '/var/lib/samba/sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol' 'root at dc2:'\''/var/lib/samba/sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/.unison.Registry.pol.a3c7ed9ae723707cd04ca2e02a97e300.unison.tmp'\'''
> [END] Copying sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol
> UNISON 2.40.65 finished propagating changes at 20:10:02.60 on 01 Nov 2014
> Synchronization complete at 20:10:02  (2 items transferred, 3 skipped, 0 failed)
>    skipped: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
>    skipped: sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
>    skipped: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
> 2014/11/01 20:15:02 [27956] building file list
> 2014/11/01 20:15:02 [27956] done
> 2014/11/01 20:15:02 [27956] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/
> 2014/11/01 20:15:02 [27956] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
> 2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
> 2014/11/01 20:15:02 [27956] sent 5902 bytes  received 18 bytes  3946.67 bytes/sec
> 2014/11/01 20:15:02 [27956] total size is 0  speedup is 0.00
> UNISON 2.40.65 started propagating changes at 20:15:02.29 on 01 Nov 2014
> [CONFLICT] Skipping sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
> [CONFLICT] Skipping sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
> [CONFLICT] Skipping sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
> [BGN] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI from /var/lib/samba to //dc2//var/lib/samba
> [END] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI
> UNISON 2.40.65 finished propagating changes at 20:15:02.30 on 01 Nov 2014
> Synchronization complete at 20:15:02  (1 item transferred, 3 skipped, 0 failed)
>    skipped: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
>    skipped: sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
>    skipped: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
>
> Mirco.
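To see concretely what `samba-tool ntacl sysvolcheck` is objecting to in the traceback above, here is an added example (my own code, not Samba's; Samba's check in samba/provision/__init__.py simply compares the two strings) that parses the two SDDL strings from the error message and reports the difference in the terms an administrator wants: owner, group, the protected-DACL flag, and per-trustee inheritance flags. The trustee aliases (BA, DA, DU, CO, ...) and the flags OI/CI/IO and P are standard SDDL; the only input is the text quoted in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The two SDDL strings sysvolcheck printed in the thread above: what is on the
# filesystem ("DB ACL on GPO file ...") versus what it expected from the GPO object.
ACTUAL_SDDL = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
               "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

PART_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")   # O:, G:, D:, S: components
ACE_RE = re.compile(r"\(([^)]*)\)")                    # each "(...)" inside the DACL


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = allow, D = deny, ...
    flags: str         # inheritance flags: OI, CI, IO, ID, ...
    rights: str        # access mask, normalised to 0x%08x when given in hex
    object_guid: str
    inherit_guid: str
    trustee: str       # two-letter alias (DA, BA, SY, ...) or a full SID string


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str    # P (protected), AI, AR
    aces: tuple


def _normalise_rights(rights: str) -> str:
    # "0x001f01ff" and "0x1f01ff" are the same mask; symbolic strings (FA, GR, ...) are kept as-is
    return "0x%08x" % int(rights, 16) if rights.lower().startswith("0x") else rights


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Split an SDDL string into owner, group, DACL flags and a tuple of ACEs.
    The SACL (S:) is ignored; only the DACL matters for the sysvol check."""
    parts = {m.group(1): m.group(2) for m in PART_RE.finditer(sddl)}
    dacl = parts.get("D", "")
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, object_guid, inherit_guid, trustee = fields[:6]
        aces.append(Ace(ace_type, flags, _normalise_rights(rights), object_guid, inherit_guid, trustee))
    return SecurityDescriptor(parts.get("O", ""), parts.get("G", ""),
                              dacl.split("(", 1)[0], tuple(aces))


def compare_descriptors(actual_sddl: str, expected_sddl: str) -> dict:
    """Explain why two descriptors differ: ownership, DACL flags, and, per trustee,
    whether an ACE is merely missing its inheritance flags or is absent/extra."""
    a, e = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    missing = Counter(e.aces) - Counter(a.aces)      # expected but not on disk
    unexpected = Counter(a.aces) - Counter(e.aces)   # on disk but not expected

    def key(ace):  # ACE identity with the inheritance flags ignored
        return (ace.ace_type, ace.rights, ace.trustee)

    missing_by_key = {key(x): x for x in missing}
    unexpected_keys = {key(x) for x in unexpected}
    inheritance_only, extra = [], []
    for ace in unexpected:
        match = missing_by_key.get(key(ace))
        if match is not None:
            inheritance_only.append((ace.trustee, ace.flags, match.flags))
        else:
            extra.append(ace.trustee)
    absent = [x.trustee for x in missing if key(x) not in unexpected_keys]

    report = {
        "owner": None if a.owner == e.owner else (a.owner, e.owner),
        "group": None if a.group == e.group else (a.group, e.group),
        "dacl_flags": None if a.dacl_flags == e.dacl_flags else (a.dacl_flags, e.dacl_flags),
        "inheritance_only": inheritance_only,  # (trustee, flags on disk, flags expected)
        "absent": absent,                      # trustees with no ACE at all on disk
        "extra": extra,                        # trustees that should have no ACE
    }
    report["matches"] = all(v in (None, []) for v in report.values())
    return report


def format_report(report: dict) -> str:
    if report["matches"]:
        return "ACL matches the GPO object"
    lines = []
    for field in ("owner", "group", "dacl_flags"):
        if report[field]:
            lines.append("%s: on disk %r, expected %r" % (field, *report[field]))
    for trustee, have, want in report["inheritance_only"]:
        lines.append("%s: inheritance flags %r on disk, expected %r" % (trustee, have, want))
    lines += ["no ACE on disk for %s" % t for t in report["absent"]]
    lines += ["unexpected ACE on disk for %s" % t for t in report["extra"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_descriptors(ACTUAL_SDDL, EXPECTED_SDDL)))
```

Run on the strings from the thread, the report says the file is owned by BA with group DU instead of DA, lacks the protected flag, has no inheritance flags on any of its ACEs, has no CREATOR OWNER inherit-only ACE and carries an extra BA ACE. None of that is what Samba's provisioning code writes for a GPO file, which is why `samba-tool ntacl sysvolreset`, which rewrites the sysvol ACLs from the GPO objects, is the suggested fix; the check is also a cheap thing to run on both DCs after any sync job, since a mismatch like this is exactly what a sync tool that copies files with a different idmap.ldb on each side produces.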



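Rowland's first instruction is to make sure the two idmap.ldb files match, and Mirco's `diff` of the two files only shows that they differ, not which SID-to-unix-id mappings disagree. The following added example (mine, not part of the thread and not Samba code) parses LDIF of the kind `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints on each DC and reports the mappings that differ. The attribute names objectSid, xidNumber and type are the ones idmap.ldb uses; the SIDs and numbers in the two samples are constructed for the example.

```python
import re

# Constructed LDIF excerpts in the shape of `ldbsearch -H idmap.ldb` output on the
# two DCs. SIDs and xidNumbers are made up; the shape (objectSid/type/xidNumber per
# record, records separated by a blank line) is what the tool prints.
DC1_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-512
cn: S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-1103
cn: S-1-5-21-1111-2222-3333-1103
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1103
type: ID_TYPE_UID
xidNumber: 3000001

dn: CN=S-1-5-21-1111-2222-3333-1104
cn: S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

# On DC2 the ids were handed out in a different order, so 3000001 and 3000002
# stand for different SIDs than on DC1 and one SID exists on each side only.
DC2_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-512
cn: S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-1104
cn: S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000002
"""


def parse_idmap_ldif(text: str) -> dict:
    """Return {objectSid: (xidNumber, type)} from LDIF text.
    Comment lines, LDIF continuation lines (leading space) and base64 values ("::")
    are skipped; ldbsearch prints these three attributes as plain text."""
    mappings = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if not line or line.startswith(("#", " ")) or ":" not in line:
                continue
            name, value = line.split(":", 1)
            if value.startswith(":"):      # base64-encoded attribute, not decoded here
                continue
            attrs[name.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = (int(attrs["xidNumber"]), attrs.get("type", "?"))
    return mappings


def diff_idmaps(dc1: dict, dc2: dict) -> dict:
    """Compare two parsed idmap tables. 'reused_xids' lists unix ids that denote a
    different SID on each DC, the case that silently changes file ownership when
    sysvol is copied between the DCs with its unix uids/gids."""
    by_xid1 = {xid: sid for sid, (xid, _) in dc1.items()}
    by_xid2 = {xid: sid for sid, (xid, _) in dc2.items()}
    return {
        "only_in_dc1": sorted(set(dc1) - set(dc2)),
        "only_in_dc2": sorted(set(dc2) - set(dc1)),
        "conflicting": sorted(sid for sid in set(dc1) & set(dc2) if dc1[sid] != dc2[sid]),
        "reused_xids": sorted((xid, by_xid1[xid], by_xid2[xid])
                              for xid in set(by_xid1) & set(by_xid2)
                              if by_xid1[xid] != by_xid2[xid]),
    }


def idmaps_match(dc1: dict, dc2: dict) -> bool:
    return not any(diff_idmaps(dc1, dc2).values())


if __name__ == "__main__":
    for name, entries in diff_idmaps(parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)).items():
        print(name, entries)
```

In practice you would feed it the real `ldbsearch` output captured from each DC; `reused_xids` is the list to act on, because a file synced with unix ownership 3000001 would belong to one user on DC1 and to a different one on DC2, which is how an ACL can look right on the DC where it was written and wrong on the other. Copying idmap.ldb from the first DC to the others, as Rowland describes, makes the two tables identical, and this check confirms that before the ACLs are reset.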