[Samba] Wrong ACL on GPO

L.P.H. van Belle belle at bazuin.nl
Mon Dec 28 10:07:04 UTC 2015


Hai Stefan, 

If you look from within Windows, are your sysvol rights OK?
If so, just ignore these messages.
I think there is nothing wrong with your sysvol rights, old bug imo.

Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
> Sent: Monday 28 December 2015 10:56
> To: samba at lists.samba.org
> Subject: [Samba] Wrong ACL on GPO
> 
> Hello,
> 
> I use Samba 4.3.3 and Rowland it doesn't matter if I build it
> myself or install the SerNet packages ;-)
> Every time I create a new GPO or change something in an existing GPO,
> the test with "samba-tool ntacl sysvolcheck" fails with the following
> error:
> ----------------
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568}
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
> does not match expected value
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
> from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> ----------------
> Running "samba-tool gpo aclcheck" exits with the following error:
> ----------------
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
> ----------------
> 
> Running "samba-tool ntacl sysvolcheck" fixes all the problems.
> 
> I manage the GPOs with RSAT on a Windows 10 machine. I have two DCs
> replicated with rsync.
> Here are the smb.conf files:
> ----dc1------
> # Global parameters
> [global]
>         workgroup = EXAMPLE
>         realm = EXAMPLE.NET
>         comment = Samba 4.3.2
>         netbios name = SAMBABUCH
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         interfaces = 192.168.56.11
>         bind interfaces only = yes
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/example.net/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> -------------
> 
> -----dc2-----
> # Global parameters
> [global]
>         workgroup = EXAMPLE
>         realm = example.net
>         netbios name = SAMBABUCH-DC2
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         interfaces = 192.168.56.21
>         bind interfaces only = yes
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/example.net/scripts
>         read only = yes
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = yes
> -------------
> This is the replication command:
> -------------
> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@sambabuch/sysvol/ /var/lib/samba/sysvol/
> -------------
> I can reproduce this on any installation on any distribution.
> 
> So is it a bug?
> 
> Stefan
> 
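
Added example (not part of either message, and not Samba's own code): the two SDDL strings from the quoted sysvolcheck error, unwrapped and compared field by field. It shows that they differ only in the DACL control flags, `AI` (auto-inherited) on the DB ACL versus `AR` (auto-inherit requested) in the value expected from the GPO object, while owner, group and all seven ACEs are identical. The function names are hypothetical and the parser only handles the `O:...G:...D:...` layout seen here.

```python
import re

# SDDL strings copied from the quoted error, with e-mail line wraps removed.
DB_ACL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)"
          "(A;OICI;0x001200a9;;;DU)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)"
            "(A;OICI;0x001200a9;;;DU)")

# Standard SDDL DACL control flags.
DACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
SDDL_RE = re.compile(r"^O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string into comparable parts."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    owner, group, flags, aces = m.groups()
    return {
        "owner": owner,
        "group": group,
        "dacl_flags": set(re.findall(r"AR|AI|P", flags)),
        # Each ACE: (type, flags, rights, object, inherit_object, trustee)
        "aces": [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", aces)],
    }

def diff_sddl(actual, expected):
    """Report which parts of two security descriptors differ."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {
        "owner_differs": a["owner"] != e["owner"],
        "group_differs": a["group"] != e["group"],
        "flags_only_actual": sorted(a["dacl_flags"] - e["dacl_flags"]),
        "flags_only_expected": sorted(e["dacl_flags"] - a["dacl_flags"]),
        "aces_only_actual": [x for x in a["aces"] if x not in e["aces"]],
        "aces_only_expected": [x for x in e["aces"] if x not in a["aces"]],
    }

if __name__ == "__main__":
    for key, value in diff_sddl(DB_ACL, EXPECTED).items():
        print("%-20s %s" % (key, value))
```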