[Samba] Change/modify on GPO doesn't apply all necessary ACL
Guilherme Boing
kolt+samba at frag.com.br
Wed Sep 9 11:18:00 UTC 2015
Same thing happens here.
sysvolcheck was just fine without any GPOs created.
Now, I've just tried to create a GPO, didn't add any configuration/rule to
it, and sysvolcheck already returns the same error:
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/my.domain/Policies/{4A2053FD-433E-4439-965B-6C828D20F5DD}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line 249, in run
lp)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
direct_db_access)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))
I have two DCs, and the other DC was also returning no errors on
sysvolcheck, however after creating a GPO it now returns "No such file or
directory"
ldb_wrap open of idmap.ldb
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such
file or directory')
Running self compiled Samba 4.2.3.
On Wed, Sep 9, 2015 at 5:56 AM, MORILLO Jordi <
J.Morillo at educationetformation.fr> wrote:
> Hello everybody!
>
> When i add a new GPO, or change settings in existing one, samba-tool ntacl
> syscheck failed :
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/
> test.mydomain.com/Policies/{7318560E-9AD3-4242-8A86-B5DE61BC64DD}/User/Registry.pol
> O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249,
> in run
> lp)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1726, in checksysvolacl
> direct_db_access)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1677, in check_gpos_acl
> domainsid, direct_db_access)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1634, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO file %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access),
> os.path.join(root, name), fsacl_sddl, acl))
>
> GPO is created /modified from Windows 7 with administrator (domain admins)
> account.
>
> Problem is resolved when i launch sysvolreset after each GPO's
> modification.
> Is there any way to bypass this process ?
>
> Thanks for all
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list