[Samba] Wrong ACL on GPO [solved]

Stefan Kania stefan at kania-online.de
Mon Dec 28 12:57:07 UTC 2015



On 28.12.2015 at 12:44, Thomas Rosenstein wrote:
> Hi,
> 
> to chime in here, I had the same problem! I added the `samba-tool
> ntacl sysvolcheck` to my rsync script which fixed all issues for
> me.
> 
For me too.
> Not sure if you got problems with the GPO besides the check, mine
> failed and the computers didn't have access to them.
Yes, that's the way I will go.

Stefan

> 
> Thomas
> 
> On 28 Dec 2015, at 12:22, Rowland penny wrote:
> 
>> On 28/12/15 10:07, L.P.H. van Belle wrote:
>>> Hai Stefan,
>>> 
>>> If you look from within Windows, are your sysvol rights ok? If
>>> so, just ignore these messages. I think there is nothing
>>> wrong with your sysvol rights, old bug imo.
>>> 
>>> Greetz,
>>> 
>>> Louis
>>> 
>>> 
>>> 
>>> 
>>>> -----Original message----- From: samba
>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
>>>> Sent: Monday 28 December 2015 10:56 To:
>>>> samba at lists.samba.org Subject: [Samba] Wrong ACL on GPO
>>>> 
> Hello,
> 
> I use Samba 4.3.3 and, Rowland, it doesn't matter if I build it
> myself or install the SerNet packages ;-) Every time I create a new
> GPO or change something in an existing GPO, the test with
> "samba-tool ntacl sysvolcheck" fails with the following error:
> ----------------
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568}
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
> does not match expected value
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
> from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> ----------------
> Running "samba-tool gpo aclcheck" exits with the following error:
> ----------------
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
> ----------------
> 
> Running "samba-tool ntacl sysvolcheck" fixes all the problems.
> 
> I manage the GPOs with RSAT on a Windows 10 machine. I have two
> DCs replicated with rsync. Here are the smb.conf files:
> ----dc1------
> # Global parameters
> [global]
>         workgroup = EXAMPLE
>         realm = EXAMPLE.NET
>         comment = Samba 4.3.2
>         netbios name = SAMBABUCH
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         interfaces = 192.168.56.11
>         bind interfaces only = yes
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/example.net/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> -------------
> 
> -----dc2-----
> # Global parameters
> [global]
>         workgroup = EXAMPLE
>         realm = example.net
>         netbios name = SAMBABUCH-DC2
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         interfaces = 192.168.56.21
>         bind interfaces only = yes
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/example.net/scripts
>         read only = yes
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = yes
> -------------
> This is the replication command:
> -------------
> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@sambabuch/sysvol/ /var/lib/samba/sysvol/
> -------------
> I can reproduce this on any installation on any distribution.
> 
> So is it a bug?
> 
> Stefan
> 
> 
> 
>>>> 
>>>> -- To unsubscribe from this list go to the following URL and
>>>> read the instructions:
>>>> https://lists.samba.org/mailman/options/samba
>>> 
>>> 
>> 
>> As Louis says, this is nothing to worry about. The error message
>> tells you that the policy ACL doesn't match what is expected, but
>> if you examine what the difference is, you will find this:
>> O:DAG:DAD:PAI against the expected O:DAG:DAD:PAR; everything else
>> is the same. If we break this down we get the owner O:DA (Domain
>> Admins), group G:DA (Domain Admins) and the DACLs D:PAI & D:PAR,
>> which we can break down further:
>> 
>> D = DACL
>> P = Protected against inheriting
>> AI = Automatically propagate the ACL to child objects (assuming P not set deeper)
>> AR = same as AR but checks if the file system supports automatic
>>      propagation of inheritable ACEs (eg. NT4)
>> 
>> So, as you can see, AR is expected, but you have got AI instead
>> and I don't think it really matters.
>> 
>> Rowland
>> 
> 
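The comparison Rowland walks through above, as an added example (not code from the thread or from Samba itself): a small Python 3 parser that splits the two descriptors quoted in Stefan's error into owner, group, DACL control flags and ACEs, and reports only the fields that differ. The flag and rights names are the standard Windows SDDL meanings; the function and constant names are this example's own.

```python
import re

# Standard SDDL meanings (Windows security descriptor definition language).
DACL_FLAGS = {"P": "SE_DACL_PROTECTED", "AI": "SE_DACL_AUTO_INHERITED",
              "AR": "SE_DACL_AUTO_INHERIT_REQ"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only"}
RIGHTS = {"0x001f01ff": "Full Control", "0x001200a9": "Read & Execute"}

# The two descriptors quoted in the sysvolcheck error above (on disk vs. expected).
ACTUAL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)")
EXPECTED = ACTUAL.replace("D:PAI", "D:PAR")

def _tokens(s, table):
    """Split a run of SDDL flag letters (e.g. 'PAI', 'OICIIO') into known tokens."""
    out = []
    while s:
        tok = next((t for t in table if s.startswith(t)), None)
        if tok is None:
            raise ValueError(f"unknown SDDL flag in {s!r}")
        out.append(tok)
        s = s[len(tok):]
    return out

def parse_sddl(sddl):
    """Parse an SDDL string into owner, group, DACL control flags and ACE tuples."""
    comp = {m.group(1): m.group(2)
            for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}
    dacl = comp.get("D", "")
    head = dacl.partition("(")[0]          # control flags precede the first ACE
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        atype, flags, rights, _obj, _iobj, trustee = ace.split(";")
        aces.append((atype, tuple(_tokens(flags, ACE_FLAGS)),
                     RIGHTS.get(rights, rights), trustee))
    return {"owner": comp.get("O"), "group": comp.get("G"),
            "dacl_flags": _tokens(head, DACL_FLAGS), "aces": aces}

def diff_sddl(actual, expected):
    """Return (field, actual, expected) for each top-level field that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return [(k, a[k], e[k]) for k in a if a[k] != e[k]]

if __name__ == "__main__":
    for field, got, want in diff_sddl(ACTUAL, EXPECTED):
        print(f"{field}: have {got}, expected {want}")
    # Only the DACL control flags differ: AI on disk versus AR in the directory.
```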


