[Samba] Wrong ACL on GPO [solved]
Stefan Kania
stefan at kania-online.de
Mon Dec 28 12:57:07 UTC 2015
On 28.12.2015 at 12:44, Thomas Rosenstein wrote:
> Hi,
>
> to chime in here, I had the same problem! I added the `samba-tool
> ntacl sysvolcheck` to my rsync script which fixed all issues for
> me.
>
For me too.
> Not sure if you got problems with the GPO besides the check, mine
> failed and the computers didn't have access to them.
Yes, that's the way I will go.
Stefan
>
> Thomas
>
> On 28 Dec 2015, at 12:22, Rowland penny wrote:
>
>> On 28/12/15 10:07, L.P.H. van Belle wrote:
>>> Hai Stefan,
>>>
>>> If you look from within Windows, are your sysvol rights OK? If
>>> so, just ignore these messages. I think there is nothing
>>> wrong with your sysvol rights, old bug imo.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
>>>> Sent: Monday, 28 December 2015 10:56
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Wrong ACL on GPO
>>>>
> Hello,
>
> I use Samba 4.3.3 and Rowland, it doesn't matter if I build it
> myself or install the SerNet packages ;-) Every time I create a new
> GPO or change something in an existing GPO, the test with
> "samba-tool ntacl sysvolcheck" fails with the following error:
> ----------------
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568}
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
> does not match expected value
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
> from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> ----------------
> Running "samba-tool gpo aclcheck" exits with the following error:
> ----------------
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
> ----------------
>
> Running "samba-tool ntacl sysvolcheck" fixes all the problems.
>
> I manage the GPOs with RSAT on a Windows 10 machine. I have two
> DCs replicated with rsync. Here are the smb.conf files:
> ----dc1------
> # Global parameters
> [global]
>         workgroup = EXAMPLE
>         realm = EXAMPLE.NET
>         comment = Samba 4.3.2
>         netbios name = SAMBABUCH
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         interfaces = 192.168.56.11
>         bind interfaces only = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/example.net/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> -------------
>
> -----dc2-----
> # Global parameters
> [global]
>         workgroup = EXAMPLE
>         realm = example.net
>         netbios name = SAMBABUCH-DC2
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         interfaces = 192.168.56.21
>         bind interfaces only = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/example.net/scripts
>         read only = yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = yes
> -------------
> This is the replication command:
> -------------
> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@sambabuch/sysvol/ /var/lib/samba/sysvol/
> -------------
> I can reproduce this on any installation on any distribution.
>
> So is it a bug?
>
> Stefan
>
>
>>>>
>>>> -- To unsubscribe from this list go to the following URL and
>>>> read the instructions:
>>>> https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>> As Louis says, this is nothing to worry about. The error message
>> tells you that the policy ACL doesn't match what is expected, but
>> if you examine what the difference is, you will find this:
>> O:DAG:DAD:PAI against the expected O:DAG:DAD:PAR, everything else
>> is the same. If we break this down we get the owner O:DA (Domain
>> Admins), group G:DA (Domain Admins) and the DACLs D:PAI & D:PAR,
>> we can break these down further:
>>
>> D = DACL
>> P = Protected against inheriting
>> AI = Automatically propagate the ACL to child objects (assuming P not set deeper)
>> AR = same as AI but checks if the file system supports automatic
>> propagation of inheritable ACEs (eg. NT4)
>>
>> So, as you can see, AR is expected, but you have got AI instead
>> and I don't think it really matters.
>>
>> Rowland
>>
>
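Rowland's manual breakdown of the two descriptors can be automated. The following Python script is an added example, not code from the thread or from Samba: it parses the SDDL strings quoted in the sysvolcheck error (embedded as constructed constants), decodes the well-known trustee and DACL-flag abbreviations, and reports exactly which parts differ. It assumes descriptors with only O:, G: and D: parts (no SACL) and the standard Windows SDDL abbreviations.

```python
import re

# Constructed sample: the actual and expected SDDL from the sysvolcheck error in this thread.
ACTUAL_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)"
               "(A;OICI;0x001200a9;;;DU)")
EXPECTED_SDDL = ACTUAL_SDDL.replace("D:PAI", "D:PAR")

# Well-known SDDL abbreviations that appear in the descriptors above.
TRUSTEES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "Creator Owner",
            "SY": "Local System", "ED": "Enterprise Domain Controllers",
            "DU": "Domain Users"}
DACL_FLAGS = {"P": "protected, no inheritance from the parent",
              "AI": "auto-inherited, propagation already done",
              "AR": "auto-inherit required, propagation still pending"}
RIGHTS = {0x001f01ff: "full control", 0x001200a9: "read and execute"}

_SD_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)"
                    r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    m = _SD_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": re.findall(r"AI|AR|P", m.group("flags")),
            "aces": [tuple(a.split(";"))
                     for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]}

def ace_summary(ace):
    """One-line reading of an ACE tuple (type;flags;rights;object;inherited;trustee)."""
    ace_type, flags, rights, _obj, _inh, trustee = ace
    kind = {"A": "allow", "D": "deny"}.get(ace_type, ace_type)
    return "%s %s: %s [%s]" % (kind, TRUSTEES.get(trustee, trustee),
                               RIGHTS.get(int(rights, 16), rights), flags)

def diff_sddl(actual, expected):
    """List the differences between two descriptors (ACEs compared as sets); empty when equal."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = ["%s: %s vs %s" % (k, a[k], e[k]) for k in ("owner", "group") if a[k] != e[k]]
    for flag in sorted(set(a["dacl_flags"]) ^ set(e["dacl_flags"])):
        side = "actual" if flag in a["dacl_flags"] else "expected"
        diffs.append("DACL flag %s (%s) only in %s" % (flag, DACL_FLAGS[flag], side))
    for ace in sorted(set(a["aces"]) ^ set(e["aces"])):
        side = "actual" if ace in a["aces"] else "expected"
        diffs.append("ACE %s only in %s" % (ace_summary(ace), side))
    return diffs
```

Run against the two constants, diff_sddl reports only the AI/AR control-flag difference, confirming that every ACE (owner, group and all seven entries) is identical between the on-disk ACL and the one Samba expects.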