[Samba] Wrong ACL on GPO
Stefan Kania
stefan at kania-online.de
Mon Dec 28 09:56:29 UTC 2015
Hello,
I use Samba 4.3.3 and, Rowland, it doesn't matter if I build it myself
or install the SerNet packages ;-)
Every time I create a new GPO or change something in an existing GPO,
the test with "samba-tool ntacl sysvolcheck" fails with the following
error:
----------------
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
----------------
Running "samba-tool gpo aclcheck" exits with the following error:
----------------
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]
----------------
Running "samba-tool ntacl sysvolcheck" fixes all the problems.
I manage the GPOs with RSAT on a Windows 10 machine. I have two DCs
replicated with rsync.
Here are the smb.conf files:
----dc1------
# Global parameters
[global]
workgroup = EXAMPLE
realm = EXAMPLE.NET
comment = Samba 4.3.2
netbios name = SAMBABUCH
server role = active directory domain controller
dns forwarder = 8.8.8.8
interfaces = 192.168.56.11
bind interfaces only = yes
[netlogon]
path = /var/lib/samba/sysvol/example.net/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-------------
-----dc2-----
# Global parameters
[global]
workgroup = EXAMPLE
realm = example.net
netbios name = SAMBABUCH-DC2
server role = active directory domain controller
dns forwarder = 8.8.8.8
interfaces = 192.168.56.21
bind interfaces only = yes
[netlogon]
path = /var/lib/samba/sysvol/example.net/scripts
read only = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = yes
-------------
This is the replication-command:
-------------
rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@sambabuch/sysvol/ /var/lib/samba/sysvol/
-------------
I can reproduce this on any installation on any distribution.
So is it a bug?
Stefan
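
Added example (not part of the original message and not Samba code): a small parser that compares the two SDDL strings from the sysvolcheck error field by field. It shows they differ only in the DACL control flags, PAI on the filesystem versus PAR on the GPO object. The function names are hypothetical and only O:/G:/D: strings without a SACL are handled.

```python
import re

# SDDL DACL control flags (the letters between "D:" and the first ACE).
DACL_FLAGS = {"P": "SE_DACL_PROTECTED",
              "AR": "SE_DACL_AUTO_INHERIT_REQ",
              "AI": "SE_DACL_AUTO_INHERITED"}

SDDL_RE = re.compile(r"^O:(?P<owner>.*?)G:(?P<group>.*?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

# The two strings from the error message, with the mail line wrapping left in.
FS_ACL = """O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0
x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0
x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)"""
GPO_ACL = """O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0
x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0
x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)"""


def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string into its parts (no SACL support)."""
    sddl = "".join(sddl.split())  # undo line wrapping
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    flags = re.findall(r"AR|AI|P", m.group("flags"))
    if "".join(flags) != m.group("flags"):
        raise ValueError("unknown DACL flag in %r" % m.group("flags"))
    aces = [tuple(a.split(";"))
            for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": flags, "aces": aces}


def diff_sddl(actual, expected):
    """Return {field: (only_in_actual, only_in_expected)} for differing fields."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diff = {k: (a[k], e[k]) for k in ("owner", "group") if a[k] != e[k]}
    fa, fe = set(a["flags"]), set(e["flags"])
    if fa != fe:
        diff["dacl_flags"] = (sorted(DACL_FLAGS[f] for f in fa - fe),
                              sorted(DACL_FLAGS[f] for f in fe - fa))
    if a["aces"] != e["aces"]:  # two empty lists here mean only the order differs
        diff["aces"] = ([x for x in a["aces"] if x not in e["aces"]],
                        [x for x in e["aces"] if x not in a["aces"]])
    return diff


if __name__ == "__main__":
    print(diff_sddl(FS_ACL, GPO_ACL))
```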