[Samba] sysvol acl's broken beyond repair

Krutskikh Ivan stein.hak at gmail.com
Fri Oct 2 23:50:47 UTC 2015


Hi everyone.

I ran into the notorious GPO error on Windows clients. When I go to my dc
controller and run
samba-tool ntacl sysvolcheck

I get an error:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/tsnr.mtt/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
249, in run
    lp)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
    direct_db_access)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))

I assume that is the problem. Now I try to fix it with

samba-tool ntacl sysvolreset

It finishes with no output or errors, but if I run sysvolcheck once again,
the same problem is still there, not to mention that GPOs are still not
working.

My samba version is 4.2.0, the setup is a bit complicated since I use samba
in an lxc container on a zfs fs (although posixacls are supported and common
tasks such as domain provision, logon, dns and even gpo upon first
modifications work).

How can I fix this error or should I rebuild my domain from scratch?

Thanks in advance!

