[Samba] Wrong ACL on GPO
Stefan Kania
stefan at kania-online.de
Mon Dec 28 12:55:37 UTC 2015
On 28.12.2015 at 11:07, L.P.H. van Belle wrote:
> Hai Stefan,
>
> If you look from within windows, are your sysvol rights ok?
Yes, I checked it and everything is OK here.
> If so, just ignore this message. I think there is nothing
> wrong with your sysvol rights, old bug imo.
I didn't see this before. Might be a combination of Windows 10 and Samba.
Stefan
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
>> Sent: Monday 28 December 2015 10:56
>> To: samba at lists.samba.org
>> Subject: [Samba] Wrong ACL on GPO
>>
> Hello,
>
> I use Samba 4.3.3 and Rowland it doesn't matter if I build it by
> myself or install the SerNet-Packages ;-) Every time I create a new
> GPO or change something in an existing GPO, the test with
> "samba-tool ntacl sysvolcheck" fails with the following Error:
> ----------------
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> ----------------
> Running "samba-tool gpo aclcheck" exits with the following error:
> ----------------
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
> ----------------
>
> Running "samba-tool ntacl sysvolcheck" fixes all the Problems.
>
> I manage the GPOs with RSAT on a Windows 10 Machine. I have two
> DCs replicated with rsync: Here are the smb.conf
> ----dc1------
> # Global parameters
> [global]
>     workgroup = EXAMPLE
>     realm = EXAMPLE.NET
>     comment = Samba 4.3.2
>     netbios name = SAMBABUCH
>     server role = active directory domain controller
>     dns forwarder = 8.8.8.8
>     interfaces = 192.168.56.11
>     bind interfaces only = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/example.net/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
> -------------
>
> -----dc2-----
> # Global parameters
> [global]
>     workgroup = EXAMPLE
>     realm = example.net
>     netbios name = SAMBABUCH-DC2
>     server role = active directory domain controller
>     dns forwarder = 8.8.8.8
>     interfaces = 192.168.56.21
>     bind interfaces only = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/example.net/scripts
>     read only = yes
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = yes
> -------------
> This is the replication-command:
> -------------
> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@sambabuch/sysvol/ /var/lib/samba/sysvol/
> -------------
> I can reproduce this on any installation on any
> distribution.
>
> So is it a bug?
>
> Stefan
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam. Sign your
e-mail. More information at http://www.gnupg.org
My key is available at
hkp://subkeys.pgp.net
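
Added example, not part of the thread and not Samba's own code: a small comparer for the two SDDL strings in the sysvolcheck error quoted above, reporting which parts of the security descriptor actually differ. The function names are hypothetical, and the parser assumes only the shape seen in that error (alias owner and group, one DACL, the flags P, AR and AI).

```python
import re

# DACL control flags that can follow "D:" in an SDDL string.
DACL_FLAGS = {"P": "SE_DACL_PROTECTED",
              "AR": "SE_DACL_AUTO_INHERIT_REQ",
              "AI": "SE_DACL_AUTO_INHERITED"}
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

# Both strings are copied from the error message on this page.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)"
        "(A;OICI;0x001200a9;;;DU)")
FS_SDDL = "O:DAG:DAD:PAI" + ACES    # ACL found on the GPO directory
GPO_SDDL = "O:DAG:DAD:PAR" + ACES   # expected value from the GPO object

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE tuples."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    flags = m.group("flags")
    tokens = re.findall(r"AR|AI|P", flags)
    if "".join(tokens) != flags:
        raise ValueError("unknown DACL flag in %r" % flags)
    # Each ACE is type;flags;rights;object_guid;inherit_guid;trustee
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    if any(len(a) != 6 for a in aces):
        raise ValueError("malformed ACE in %r" % sddl)
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": set(tokens), "aces": aces}

def diff_sddl(fs_sddl, gpo_sddl):
    """Report which parts of two security descriptors differ."""
    fs, gpo = parse_sddl(fs_sddl), parse_sddl(gpo_sddl)
    return {
        "owner_differs": fs["owner"] != gpo["owner"],
        "group_differs": fs["group"] != gpo["group"],
        "aces_differ": fs["aces"] != gpo["aces"],   # order-sensitive
        "flags_only_on_filesystem": sorted(DACL_FLAGS[f] for f in fs["flags"] - gpo["flags"]),
        "flags_only_on_gpo_object": sorted(DACL_FLAGS[f] for f in gpo["flags"] - fs["flags"]),
    }

if __name__ == "__main__":
    for key, value in diff_sddl(FS_SDDL, GPO_SDDL).items():
        print(key, "=", value)
```

For the strings in this thread, owner, group and all seven ACEs are identical; the only difference is the DACL control flag, AI on the directory versus AR on the GPO object.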