[Samba] Wrong ACL on GPO

Thomas Rosenstein thomas.rosenstein at itdata.at
Mon Dec 28 11:44:26 UTC 2015


Hi,

to chime in here, I had the same problem!
I added the `samba-tool ntacl sysvolcheck` to my rsync script which 
fixed all issues for me.

Not sure if you got problems with the GPO besides the check, mine failed 
and the computers didn't have access to them.

Thomas

On 28 Dec 2015, at 12:22, Rowland penny wrote:

> On 28/12/15 10:07, L.P.H. van Belle wrote:
>> Hai Stefan,
>>
>> If you look from within windows, are you sysvol rights ok?
>> If so, just ignore these message.
>> There think there is nothing wrong with your sysvol rights, old bug 
>> imo.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan 
>>> Kania
>>> Sent: Monday, 28 December 2015 10:56
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Wrong ACL on GPO
>>>
>>>
>>> Hello,
>>>
>>> I use Samba 4.3.3 and Rowland it doesn't matter if I build it by
>>> myself or install the SerNet packages ;-)
>>> Every time I create a new GPO or change something in an existing GPO,
>>> the test with "samba-tool ntacl sysvolcheck" fails with the 
>>> following
>>> Error:
>>> ----------------
>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
>>> - ProvisioningError: DB ACL on GPO directory
>>> /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568}
>>> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
>>> does not match expected value
>>> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
>>> from GPO object
>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>>  return self.run(*args, **kwargs)
>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
>>> 249, in run
>>>  lp)
>>> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>>> line 1733, in checksysvolacl
>>>  direct_db_access)
>>> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>>> line 1684, in check_gpos_acl
>>>  domainsid, direct_db_access)
>>> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>>> line 1631, in check_dir_acl
>>>  raise ProvisioningError('%s ACL on GPO directory %s %s does not
>>> match expected value %s from GPO object' %
>>> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>> ----------------
>>> Running "samba-tool gpo aclcheck" exits with the following error:
>>> ----------------
>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
>>> element'
>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>>  return self.run(*args, **kwargs)
>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line
>>> 1150, in run
>>>  ds_sd_ndr = m['nTSecurityDescriptor'][0]
>>> ----------------
>>>
>>> Running "samba-tool ntacl sysvolcheck" fixes all the problems.
>>>
>>> I manage the GPOs with RSAT on a Windows 10 Machine. I have two DCs
>>> replicated with rsync:
>>> Here are the smb.conf files:
>>> ----dc1------
>>> # Global parameters
>>> [global]
>>>      workgroup = EXAMPLE
>>>      realm = EXAMPLE.NET
>>>      comment = Samba 4.3.2
>>>      netbios name = SAMBABUCH
>>>      server role = active directory domain controller
>>>      dns forwarder = 8.8.8.8
>>>      interfaces = 192.168.56.11
>>>      bind interfaces only = yes
>>>
>>> [netlogon]
>>>      path = /var/lib/samba/sysvol/example.net/scripts
>>>      read only = No
>>>
>>> [sysvol]
>>>      path = /var/lib/samba/sysvol
>>>      read only = No
>>> -------------
>>>
>>> -----dc2-----
>>> # Global parameters
>>> [global]
>>>      workgroup = EXAMPLE
>>>      realm = example.net
>>>      netbios name = SAMBABUCH-DC2
>>>      server role = active directory domain controller
>>>      dns forwarder = 8.8.8.8
>>>      interfaces = 192.168.56.21
>>>      bind interfaces only = yes
>>>
>>> [netlogon]
>>>      path = /var/lib/samba/sysvol/example.net/scripts
>>>      read only = yes
>>>
>>> [sysvol]
>>>      path = /var/lib/samba/sysvol
>>>      read only = yes
>>> -------------
>>> This is the replication-command:
>>> -------------
>>> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass
>>> rsync://sysvol-repl@sambabuch/sysvol/ /var/lib/samba/sysvol/
>>> -------------
>>> I can reproduce this on any installation on any distribution.
>>>
>>> So is it a bug?
>>>
>>> Stefan
>>>
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
> As Louis says, this is nothing to worry about. The error message tells 
> you that the policy ACL doesn't match what is expected, but if you 
> examine what the difference is, you will find this: O:DAG:DAD:PAI 
> against the expected O:DAG:DAD:PAR, everything else is the same. If we 
> break this down we get the owner O:DA (Domain Admins), group G:DA 
> (Domain Admins) and the DACLs D:PAI & D:PAR, we can break these down 
> further:
>
> D = DACL
> P = Protected against inheriting
> AI = Automatically propagate the ACL to child objects (assuming P not 
> set deeper),
> AR = same as AI but checks if the file system supports automatic 
> propagation of inheritable ACEs (e.g. NT4)
>
> So, as you can see, AR is expected, but you have got AI instead and I 
> don't think it really matters.
>
> Rowland
>
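To make Rowland's breakdown concrete, here is a small added example (not code from the thread or from Samba): it parses the two SDDL strings from the sysvolcheck error, reports which part of the descriptor differs, and names the DACL control flags involved. The descriptor strings are constructed copies of the ones quoted above, and the flag descriptions are the standard SDDL meanings of P, AI and AR.

```python
import re
# Constructed copies of the two descriptors quoted in the thread: the one
# sysvolcheck read from the GPO directory and the one it expected from the GPO
# object in the directory; they differ only in the DACL control flags PAI/PAR.
DB_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)"
           "(A;OICI;0x001200a9;;;DU)")
EXPECTED_SDDL = DB_SDDL.replace("D:PAI", "D:PAR")

# SDDL DACL control flags (P is one letter, the rest are two-letter pairs).
DACL_FLAGS = {"P": "protected: no ACEs inherited from the parent",
              "AI": "auto-inherited: inheritance has been applied to this ACL",
              "AR": "auto-inherit requested: propagate inheritable ACEs to children"}
SD_RE = re.compile(r"^O:(?P<owner>[^:(]+?)G:(?P<group>[^:(]+?)"
                   r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def split_flags(s):
    """Tokenise 'PAI' -> ['P', 'AI'] and 'OICIIO' -> ['OI', 'CI', 'IO']."""
    out = []
    while s:
        n = 1 if s[0] == "P" else 2
        out.append(s[:n])
        s = s[n:]
    return out

def parse_sddl(sddl):
    """Parse an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        ace_type, ace_flags, rights, _obj, _inh_obj, trustee = body.split(";")
        aces.append({"type": ace_type, "flags": split_flags(ace_flags),
                     "rights": int(rights, 16), "trustee": trustee})
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": split_flags(m.group("flags")), "aces": aces}

def diff_sddl(got, want):
    """Return {part: (got, want)} for each part of the descriptor that differs."""
    a, b = parse_sddl(got), parse_sddl(want)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for part, (a, b) in diff_sddl(DB_SDDL, EXPECTED_SDDL).items():
        print(f"{part}: got {a}, expected {b}")
        if part == "dacl_flags":                    # explain the flags that differ
            for f in sorted(set(a) ^ set(b)):
                print(f"  {f} = {DACL_FLAGS.get(f, 'unknown flag')}")
```

For the two strings in the thread the only reported difference is the DACL flag list, which is the same conclusion Rowland reaches by eye.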


