[Samba] gpo failure

mourik jan c heupink heupink at merit.unu.edu
Tue Oct 6 17:50:57 UTC 2015


Hi Marc,

Ok, I apologise, I was unsure if the number 
{31B2F340-016D-11D2-945F-00C04FB984F9} was something sensitive 
password-like or not, so I changed it slightly.... Sorry..! The number 
is actually the number as you quote it below for the Default Domain Policy.

> The two GUID directories, that exist on every AD DC, are
>
> {6AC1786C-016F-11D2-945F-00C04FB984F9} = Default Domain Controller Policy
> {31B2F340-016D-11D2-945F-00C04FB984F9} = Default Domain Policy
>
> So yours is a GPO, you had created.
Again...apologies: no it really is the default domain policy.

> That's normal. If you create a new GPO, the GPMC only created the GUID
> folder, that contains an empty Machine and User folder and the GPT.INI
> file. Nothing else.
But in case of the default domain policy..? Is it also normal?

I guess perhaps not...? And how to solve this..?

> Have you verified, that the error "Access is denied" is correct?
I can access the UNC
\\samba.company.com\sysvol\samba.company.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\ 

So I guess "access denied" is NOT the problem.
(though I'm trying as a user, and perhaps GPO runs as a machine account...)

samba-tool ntacl sysvolcheck crashes with the well-known error:

> root at DC2:~# samba-tool ntacl sysvolcheck
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samba.company.com/Policies/{A577A789-8C39-447A-8555-42B247B9943C} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> root at DC2:~#

In a thread a few weeks ago I was told that this is quite normal. Most 
of us see this. A few weeks ago I ran sysvolreset as well.

Anyway: that running sysvolreset again will not give me a registry.pol 
file in that location...

What to do..? Do I have a problem?

MJ
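
Added example, not part of the original post and not Samba's own code: comparing the two SDDL strings from the sysvolcheck error component by component shows that they differ only in the owner field (O:LA on the directory versus O:DA expected from the GPO object). The helper names parse_sddl and diff_sddl are hypothetical, and the alias table covers only the SID aliases that appear in this error.

```python
import re
from collections import Counter

# The two SDDL strings from the sysvolcheck error above; both share one ACE list.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FS_SDDL = "O:LAG:DAD:P" + ACES    # ACL found on the GPO directory
GPO_SDDL = "O:DAG:DAD:P" + ACES   # value expected from the GPO object

# Well-known SDDL SID aliases that occur in these strings.
ALIASES = {"LA": "local Administrator", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "CO": "Creator Owner",
           "SY": "Local System", "AU": "Authenticated Users",
           "ED": "Enterprise Domain Controllers"}

SID = r"(?:S-[0-9-]+|[A-Z]{2})"   # full SID or two-letter alias
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>%s))?(?:G:(?P<group>%s))?"
    r"(?:D:(?P<dacl_flags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*))?"
    r"(?:S:(?P<sacl_flags>[A-Z]*)(?P<sacl>(?:\([^()]*\))*))?$" % (SID, SID))

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unparseable SDDL: %r" % sddl)
    aces = re.findall(r"\(([^()]*)\)", m.group("dacl") or "")
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("dacl_flags") or "",
            "dacl": [tuple(a.split(";")) for a in aces]}

def diff_sddl(actual, expected):
    """Return (field, actual, expected) for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(k, a[k], e[k]) for k in ("owner", "group", "dacl_flags")
             if a[k] != e[k]]
    ca, ce = Counter(a["dacl"]), Counter(e["dacl"])   # ACEs may repeat
    diffs += [("ace only on disk", ";".join(x), None) for x in (ca - ce).elements()]
    diffs += [("ace only in GPO object", None, ";".join(x)) for x in (ce - ca).elements()]
    if ca == ce and a["dacl"] != e["dacl"]:
        diffs.append(("ace order", None, None))
    return diffs

if __name__ == "__main__":
    for field, got, want in diff_sddl(FS_SDDL, GPO_SDDL):
        print("%s: %s (%s) != %s (%s)" % (field, got, ALIASES.get(got, "?"),
                                          want, ALIASES.get(want, "?")))
```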


