[Samba] Change/modify on GPO doesn't apply all necessary ACL

Guilherme Boing kolt+samba at frag.com.br
Wed Sep 9 11:49:58 UTC 2015 

... And suddenly, after logging in with the user that the GPO was applied,
sysvolcheck now returns nothing in both DCs:

[root at dc1 ~]# samba ntacl sysvolcheck
[root at dc1 ~]#

[root at dc2 ~]# samba ntacl sysvolcheck
[root at dc2 ~]#

And the GPO did work.

Is this intended ? Doesn't look like.


On Wed, Sep 9, 2015 at 8:18 AM, Guilherme Boing <kolt+samba at frag.com.br>
wrote:

> Same thing happens here.
> sysvolcheck was just fine without any GPOs created.
>
> Now, I've just tried to create a GPO, didn't add any configuration/rule to
> it, and sysvolcheck already returns the same error:
>
> ldb_wrap open of idmap.ldb
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/my.domain/Policies/{4A2053FD-433E-4439-965B-6C828D20F5DD}
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 249, in run
>     lp)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1730, in checksysvolacl
>     direct_db_access)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1681, in check_gpos_acl
>     domainsid, direct_db_access)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1628, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
>
> I have two DCs, and the other DC was also returning no errors on
> sysvolcheck, however after creating a GPO it now returns "No such file or
> directory"
> ldb_wrap open of idmap.ldb
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such
> file or directory')
>
> Running self compiled Samba 4.2.3.
>
>
> On Wed, Sep 9, 2015 at 5:56 AM, MORILLO Jordi <
> J.Morillo at educationetformation.fr> wrote:
>
>> Hello everybody!
>>
>> When i add a new GPO, or change settings in existing one, samba-tool
>> ntacl syscheck failed :
>>
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>> ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/
>> test.mydomain.com/Policies/{7318560E-9AD3-4242-8A86-B5DE61BC64DD}/User/Registry.pol
>> <http://test.mydomain.com/Policies/%7B7318560E-9AD3-4242-8A86-B5DE61BC64DD%7D/User/Registry.pol>
>> O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
>> does not match expected value
>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>> from GPO object
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>> 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
>> 249, in run
>>     lp)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1726, in checksysvolacl
>>     direct_db_access)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1677, in check_gpos_acl
>>     domainsid, direct_db_access)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
>> line 1634, in check_dir_acl
>>     raise ProvisioningError('%s ACL on GPO file %s %s does not match
>> expected value %s from GPO object' % (acl_type(direct_db_access),
>> os.path.join(root, name), fsacl_sddl, acl))
>>
>> GPO is created /modified from Windows 7 with administrator (domain
>> admins) account.
>>
>> Problem is resolved when i launch sysvolreset after each GPO's
>> modification.
>> Is there any way to bypass this process ?
>>
>> Thanks for all
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>

More information about the samba mailing list