[Samba] samba-tool ntacl sysvolcheck and sysvolreset

Viktor Trojanovic viktor at troja.ch
Mon Nov 16 12:13:03 UTC 2015


On my small, one-DC AD setup, where I just followed the wiki and did not 
(!) make any other changes except for working on the AD through the 
RSAT, I ran samba-tool ntacl sysvolcheck and got the following output:

--------------------snip--------------------
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
     lp)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
     direct_db_access)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1650, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
--------------------snip--------------------

The GP container it complains about is the default domain policy. The 
specific subfolder is empty (!). I checked the ACLs manually and, at 
first sight, they seem OK to me; the Administrators group owns all 
folders and files.

Anyway, I then ran samba-tool ntacl sysvolreset. It took about 15 
minutes to finish (is that normal?) and it did so without any notice or 
error message; I also checked the logs.

Another run of samba-tool ntacl sysvolcheck still gives me an error 
message, slightly different this time.

--------------------snip--------------------
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
     lp)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
     direct_db_access)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
--------------------snip--------------------

Is this a bug or is something wrong with my setup? I am on Samba 4.3.1.

Viktor
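
The SDDL strings in the two errors above are hard to compare by eye. The following is an added example, not part of the original post and not Samba's own code: it parses each string and lists the fields that differ from the expected value. The names `parse_sddl` and `diff_sddl` are hypothetical, and the parser assumes owner/group/DACL-only strings like the ones quoted here.

```python
import re
from collections import Counter

# SDDL strings copied verbatim from the two sysvolcheck errors in the post.
EXPECTED = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
BEFORE_RESET = "O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
AFTER_RESET = "O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

SID = r"(?:[A-Z]{2}|S-[\d-]+)"  # two-letter alias or literal SID
SDDL_RE = re.compile(
    r"O:(?P<owner>%s)G:(?P<group>%s)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)"
    % (SID, SID))
# Standard SDDL SID aliases used as owner/group in these strings.
ALIASES = {"BA": "Builtin Administrators", "DA": "Domain Admins",
           "DU": "Domain Users", "LA": "Administrator account (RID 500)"}

def parse_sddl(sddl):
    """Split an owner/group/DACL-only SDDL string into its parts."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL (SACL or other syntax): %r" % sddl)
    return {"owner": m["owner"], "group": m["group"], "dacl_flags": m["flags"],
            "aces": re.findall(r"\(([^)]*)\)", m["aces"])}

def name(sid):
    return "%s (%s)" % (sid, ALIASES[sid]) if sid in ALIASES else sid

def diff_sddl(actual, expected):
    """Return a list of readable differences between two SDDL strings."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = ["%s: %s, expected %s" % (f, name(a[f]), name(e[f]))
           for f in ("owner", "group") if a[f] != e[f]]
    if a["dacl_flags"] != e["dacl_flags"]:
        out.append("DACL flags: %r, expected %r" % (a["dacl_flags"], e["dacl_flags"]))
    # Compare ACEs as multisets so a duplicated ACE counts as two entries.
    extra = Counter(a["aces"]) - Counter(e["aces"])
    missing = Counter(e["aces"]) - Counter(a["aces"])
    out += ["unexpected ACE: (%s)" % ace for ace in extra.elements()]
    out += ["missing ACE: (%s)" % ace for ace in missing.elements()]
    if not extra and not missing and a["aces"] != e["aces"]:
        out.append("ACE order differs")
    return out

if __name__ == "__main__":
    for label, sddl in (("before sysvolreset", BEFORE_RESET),
                        ("after sysvolreset", AFTER_RESET)):
        print(label + ":")
        for line in diff_sddl(sddl, EXPECTED):
            print("  " + line)
```

Run against the quoted strings, it reports five differences before the reset (owner, group, the missing `P` flag, an extra `BA` ACE, and a missing second `DA` ACE) and a single owner difference (`LA` instead of `DA`) afterwards.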