[Samba] Wrong ACL on GPO

Rowland penny rpenny at samba.org
Mon Dec 28 11:22:13 UTC 2015


On 28/12/15 10:07, L.P.H. van Belle wrote:
> Hi Stefan,
>
> If you look from within Windows, are your sysvol rights ok?
> If so, just ignore these messages.
> I think there is nothing wrong with your sysvol rights; old bug imo.
>
> Greetz,
>
> Louis
>
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
>> Sent: Monday 28 December 2015 10:56
>> To: samba at lists.samba.org
>> Subject: [Samba] Wrong ACL on GPO
>>
>> Hello,
>>
>> I use Samba 4.3.3 and Rowland, it doesn't matter if I build it
>> myself or install the SerNet packages ;-)
>> Every time I create a new GPO or change something in an existing GPO,
>> the test with "samba-tool ntacl sysvolcheck" fails with the following
>> error:
>> ----------------
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
>> - ProvisioningError: DB ACL on GPO directory
>> /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568}
>> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
>> does not match expected value
>> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
>> from GPO object
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>>      lp)
>>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>>      direct_db_access)
>>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>>      domainsid, direct_db_access)
>>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>>      raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' %
>>                              (acl_type(direct_db_access), path, fsacl_sddl, acl))
>> ----------------
>> Running "samba-tool gpo aclcheck" exits with the following error:
>> ----------------
>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>>      ds_sd_ndr = m['nTSecurityDescriptor'][0]
>> ----------------
>>
>> Running "samba-tool ntacl sysvolcheck" fixes all the problems.
>>
>> I manage the GPOs with RSAT on a Windows 10 machine. I have two DCs
>> replicated with rsync.
>> Here are the smb.conf files:
>> ----dc1------
>> # Global parameters
>> [global]
>>          workgroup = EXAMPLE
>>          realm = EXAMPLE.NET
>>          comment = Samba 4.3.2
>>          netbios name = SAMBABUCH
>>          server role = active directory domain controller
>>          dns forwarder = 8.8.8.8
>>          interfaces = 192.168.56.11
>>          bind interfaces only = yes
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/example.net/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>> -------------
>>
>> -----dc2-----
>> # Global parameters
>> [global]
>>          workgroup = EXAMPLE
>>          realm = example.net
>>          netbios name = SAMBABUCH-DC2
>>          server role = active directory domain controller
>>          dns forwarder = 8.8.8.8
>>          interfaces = 192.168.56.21
>>          bind interfaces only = yes
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/example.net/scripts
>>          read only = yes
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = yes
>> -------------
>> This is the replication command:
>> -------------
>> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass
>> rsync://sysvol-repl@sambabuch/sysvol/ /var/lib/samba/sysvol/
>> -------------
>> I can reproduce this on any installation on any distribution.
>>
>> So is it a bug?
>>
>> Stefan
>>
>>
>
>

As Louis says, this is nothing to worry about. The error message tells 
you that the policy ACL doesn't match what is expected, but if you 
examine what the difference is, you will find this: O:DAG:DAD:PAI 
against the expected O:DAG:DAD:PAR; everything else is the same. If we 
break this down we get the owner O:DA (Domain Admins), group G:DA 
(Domain Admins) and the DACLs D:PAI & D:PAR, which we can break down 
further:

D = DACL
P = Protected against inheriting
AI = Automatically propagate the ACL to child objects (assuming P not 
set deeper)
AR = same as AR but checks if the file system supports automatic 
propagation of inheritable ACEs (eg. NT4)

So, as you can see, AR is expected, but you have got AI instead and I 
don't think it really matters.

Rowland
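As an added illustration of the breakdown above (example code, not part of the thread and not Samba's own code), this script parses the two SDDL strings quoted in the sysvolcheck error, reports exactly which fields differ, and decodes the DACL control flags; the flag meanings follow Microsoft's SDDL syntax, and the sample descriptors are the ones from Stefan's report joined back onto one line each.

```python
import re

# Meanings of the SDDL DACL control flags (names per Microsoft's SDDL syntax;
# this is an added example, not Samba's own code).
DACL_FLAG_NAMES = {"P": "protected: do not inherit ACEs from the parent",
                   "AI": "auto-inherited: inheritance already propagated",
                   "AR": "auto-inherit required: propagation still pending"}

def split_dacl_flags(flags):
    """Tokenize a DACL flag string such as 'PAI' into ['P', 'AI']."""
    out, i = [], 0
    while i < len(flags):
        tok = flags[i:i + 2] if flags[i:i + 2] in ("AI", "AR") else flags[i]
        if tok not in DACL_FLAG_NAMES:
            raise ValueError("unknown DACL flag in %r" % flags)
        out.append(tok)
        i += len(tok)
    return out

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE tuples."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = parts.get("D", "")
    # Each ACE is (type, flags, rights, object_guid, inherit_guid, trustee).
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl_flags": split_dacl_flags(dacl.split("(", 1)[0]), "aces": aces}

def explain_dacl_flags(sddl):
    """Human-readable meaning of every DACL control flag in an SDDL string."""
    return [DACL_FLAG_NAMES[f] for f in parse_sddl(sddl)["dacl_flags"]]

def diff_sddl(actual, expected):
    """List the fields that differ between two SDDL strings; empty list means identical."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = ["%s differs: %r vs %r" % (k, a[k], e[k])
             for k in ("owner", "group", "aces") if a[k] != e[k]]
    if a["dacl_flags"] != e["dacl_flags"]:
        diffs.append("dacl flags differ: %s vs %s" % (
            "+".join(a["dacl_flags"]), "+".join(e["dacl_flags"])))
    return diffs

# The two descriptors from the sysvolcheck error above, joined back onto one line each.
FS_ACL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)")
EXPECTED_ACL = FS_ACL.replace("D:PAI(", "D:PAR(", 1)
if __name__ == "__main__":
    print("\n".join(diff_sddl(FS_ACL, EXPECTED_ACL)))  # only the DACL flags differ
```

Running it prints a single line, "dacl flags differ: P+AI vs P+AR", which is the whole difference behind the sysvolcheck error.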


