[Samba] sysvolcheck

Bo Kersey bo at vircio.com
Fri Nov 7 14:42:32 MST 2014 

I see the same thing with Version 4.1.13-SerNet-Ubuntu-9.precise
but it has not caused me any problems.  Again, I'm just a user :)


----- Original Message -----
> From: "Harry Jede" <walk2sun at arcor.de>
> To: "samba" <samba at lists.samba.org>, "ray klassen" <julius_ahenobarbus at yahoo.co.uk>
> Sent: Friday, November 7, 2014 2:58:32 PM
> Subject: Re: [Samba] sysvolcheck

> On 21:16:21 wrote ray klassen:
>> I get this error when I run samba-tool ntacl sysvolcheck
>> ProvisioningError('%s ACL on GPO directory %s %s does not match
>> expected value %s from GPO object' % (acl_type(direct_db_access),
>> path, fsacl_sddl, acl))
>> 
>> 
>> There are two GPO directories.
>> One is the Default Domain Controllers Policy
>> and one is the Default Domain Policy
>> 
>> It looks like it's the Default Domain Policy that's giving me the
>> problem -- the directory name matches the dn and sysvolcheck doesn't
>> mention the other Policy directory at all
>> 
>> I have run samba-tool ntacl sysvolreset which reports nothing.
>> You'd think sysvolreset would fix or report unfixable an acl problem
>> that sysvolcheck detects. what can I do? delete and recreate? once I
>> start using GPO's I will rsync this directory to my other domain
>> controllers as directed, but I don't want to do it or start using
>> GPO's until this is fixed.
> I see the same error with
> # samba -V
> Version 4.1.11-Debian
> 
> I think it is harmless (sure, should be fixed).
> ACL Syntax is in "sddl" Syntax and for me it looks like that the acl for
> the "Default Domain Controllers Policy" is set for
> "LA"  Local administrator
> 
> but expected from sysvolcheck for
> "DA"  Domain administrators
> 
> How to Read a SDDL String:
> http://networkadminkb.com/KB/a152/how-to-read-a-sddl-string.aspx
> 
> 1. ACL looked up with smbcacls
> 2. ACL expected from sysvolcheck
> 
> For better readability:
> 
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)
> 
> (A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)
> (A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)
> 
> (A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)
> (A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)
> 
> (A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> (A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> 
> I have not seen any problems with this, but I am only a samba user, not
> a developer.
> 
> --
> 
> Regards
>	Harry Jede
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-- 
Bo Kersey 
VirCIO - managed network solutions 
4314 Avenue C 
Austin, TX 78751 
phone: (512)374-0500

More information about the samba mailing list