[Samba] Wrong ACL on GPO

Stefan Kania stefan at kania-online.de
Mon Dec 28 12:55:37 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am 28.12.2015 um 11:07 schrieb L.P.H. van Belle:
> Hai Stefan,
> 
> If you look from within windows, are you sysvol rights ok?
Yes , I checkt it and everything is OK here.
> If so, just ignore these message. There think there is nothing
> wrong with your sysvol rights, old bug imo.
I didn't see this befor. Might be a combination from Windows 10 and Samb
a.

Stefan
> 
> Greetz,
> 
> Louis
> 
> 
> 
> 
>> -----Oorspronkelijk bericht----- Van: samba
>> [mailto:samba-bounces at lists.samba.org] Namens Stefan Kania 
>> Verzonden: maandag 28 december 2015 10:56 Aan:
>> samba at lists.samba.org Onderwerp: [Samba] Wrong ACL on GPO
>> 
> Hello,
> 
> I use Samba 4.3.3 and Rowland it dosn't metter if I build it by my 
> self or install tehe SerNet-Packages ;-) Everytime I craete a new
> GPO or change something in an existing GPO, the test with
> "samba-tool ntacl sysvolcheck" fails with the following Error: 
> ---------------- ERROR(<class
> 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory 
> /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C
87
>
> 
CD150568}
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO
;0
>
> 
x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0
> x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match expected
> value 
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO
;0
>
> 
x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0
> x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) from GPO object File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run return self.run(*args, **kwargs) File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249,
> in run lp) File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
> line 1733, in checksysvolacl direct_db_access) File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
> line 1684, in check_gpos_acl domainsid, direct_db_access) File
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
> line 1631, in check_dir_acl raise ProvisioningError('%s ACL on GPO
> directory %s %s does not match expected value %s from GPO object'
> % (acl_type(direct_db_access), path, fsacl_sddl, acl)) 
> ---------------- Running "samba-tool gpo aclcheck" exits with the
> following error: ---------------- ERROR(<type
> 'exceptions.KeyError'>): uncaught exception - 'No such element' 
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 175, in _run return self.run(*args, **kwargs) File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150,
> in run ds_sd_ndr = m['nTSecurityDescriptor'][0] ----------------
> 
> Running "samba-tool ntacl sysvolcheck" fixes all the Problems.
> 
> I manage the GPOs with RSAT on a Windows 10 Machine. I have two
> DCs replicated with rsync: Here are the smb.conf ----dc1------ #
> Global parameters [global] workgroup = EXAMPLE realm = EXAMPLE.NET 
> comment = Samba 4.3.2 netbios name = SAMBABUCH server role = active
> directory domain controller dns forwarder = 8.8.8.8 interfaces =
> 192.168.56.11 bind interfaces only = yes
> 
> [netlogon] path = /var/lib/samba/sysvol/example.net/scripts read
> only = No
> 
> [sysvol] path = /var/lib/samba/sysvol read only = No -------------
> 
> -----dc2----- # Global parameters [global] workgroup = EXAMPLE 
> realm = example.net netbios name = SAMBABUCH-DC2 server role =
> active directory domain controller dns forwarder = 8.8.8.8 
> interfaces = 192.168.56.21 bind interfaces only = yes
> 
> [netlogon] path = /var/lib/samba/sysvol/example.net/scripts read
> only = yes
> 
> [sysvol] path = /var/lib/samba/sysvol read only = yes 
> ------------- This is the replication-command: ------------- rsync
> -XAavz --delete-after --password-file=/etc/samba/rsync.pass 
> rsync://sysvol-repl@sambabuch/sysvol/ /var/lib/samba/sysvol/ 
> ------------- I can reproduce this on any installation on any
> distribution.
> 
> So is it a bug?
> 
> Stefan
> 
> 
>> 
>> -- To unsubscribe from this list go to the following URL and read
>> the instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 

- -- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre
E-Mail. Weiter Informationen unter http://www.gnupg.org

Mein Schl├╝ssel liegt auf

hkp://subkeys.pgp.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlaBMUkACgkQ2JOGcNAHDTZvGACgykRv9EKRzTCtx2kTQAXQoFGl
wiIAoKu+jQughf+0lGgnCuS0SP7f4dmY
=o/vI
-----END PGP SIGNATURE-----



More information about the samba mailing list