[Samba] sysvolcheck

[Harry Jede]

On 21:16:21 wrote ray klassen:
> I get this error when I run samba-tool ntacl sysvolcheck
> ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access),
> path, fsacl_sddl, acl))
> 
> 
> There are two GPO directories.
> One is the Default Domain Controllers Policy
> and one is the Default Domain Policy
> 
> It looks like it's the Default Domain Policy that's giving me the
> problem -- the directory name matches the dn and sysvolcheck doesn't
> mention the other Policy directory at all
> 
> I have run samba-tool ntacl sysvolreset which reports nothing.
> You'd think sysvolreset would fix or report unfixable an acl problem
> that sysvolcheck detects. what can I do? delete and recreate? once I
> start using GPO's I will rsync this directory to my other domain
> controllers as directed, but I don't want to do it or start using
> GPO's until this is fixed. 
I see the same error with 
# samba -V
Version 4.1.11-Debian

I think it is harmless (sure, should be fixed).
ACL Syntax is in "sddl" Syntax and for me it looks like that the acl for  
the "Default Domain Controllers Policy" is set for
"LA"  Local administrator

but expected from sysvolcheck for
"DA"  Domain administrators

How to Read a SDDL String:
http://networkadminkb.com/KB/a152/how-to-read-a-sddl-string.aspx

1. ACL looked up with smbcacls
2. ACL expected from sysvolcheck

For better readability:

O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)

(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)
(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)

(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)
(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)

(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

I have not seen any problems with this, but I am only a samba user, not 
a developer.

-- 

Regards
	Harry Jede