[Samba] GPO aclcheck and sysvolcheck error while applying GPO

Guilherme Boing kolt+samba at frag.com.br
Wed Sep 9 12:11:15 UTC 2015


Hello,

Running Samba 4.2.3 from source, using CentOS 7.0, two DCs.
I have checked and the GPO is properly working, but these errors don't
look... intended.

# samba-tool gpo aclcheck
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.PUBLICACOES.ONLINE<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.PUBLICACOES.ONLINE<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
steve.publicacoes.online<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
steve.publicacoes.online<0x20>
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line
1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]

# samba-tool ntacl sysvolcheck
....
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/publicacoes.online/Policies/{4A2053FD-433E-4439-965B-6C828D20F5DD}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line 249, in run
    lp)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
    direct_db_access)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))


When I didn't have any GPOs created, I had no issues with sysvolcheck.
Any ideas?

smb.conf:
# Global parameters
[global]
        workgroup = POL
        realm = PUBLICACOES.ONLINE
        netbios name = STEVE
        server role = active directory domain controller
        dns forwarder = 192.168.22.180
        log level = 3
        template shell = /bin/bash
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/publicacoes.online/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


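Added example (not from the poster or from Samba's code): a small SDDL parser that reads the two descriptors quoted in the sysvolcheck error and reports which components differ. On these two strings the owner, group and all seven ACEs are identical; the only difference is the DACL control flags, `PAI` on the filesystem versus `P` on the GPO object.

```python
import re

# Constructed copies of the two SDDL strings quoted in the sysvolcheck error above:
# the ACL found on the GPO directory in sysvol, and the one expected from the GPO object.
FS_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

SDDL_RE = re.compile(r"O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<dacl>.*?)(?:S:(?P<sacl>.*))?$")
ACE_RE = re.compile(r"\(([^)]*)\)")
# DACL control flags that may precede the ACE list in SDDL.
DACL_FLAGS = {"P": "SE_DACL_PROTECTED",        # inheritable ACEs from the parent are ignored
              "AI": "SE_DACL_AUTO_INHERITED",  # DACL was produced by the auto-inheritance algorithm
              "AR": "SE_DACL_AUTO_INHERIT_REQ"}

def split_dacl_flags(flag_str):
    """Tokenise e.g. 'PAI' into ['P', 'AI'] (two-letter tokens first so 'AI' is not read as 'A','I')."""
    flags, i = [], 0
    while i < len(flag_str):
        for token in ("AI", "AR", "P"):
            if flag_str.startswith(token, i):
                flags.append(token)
                i += len(token)
                break
        else:
            raise ValueError("unknown DACL flag at %r" % flag_str[i:])
    return flags

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and a list of ACE tuples."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    dacl = m.group("dacl")
    flag_str = dacl.split("(", 1)[0]                      # text before the first ACE
    aces = [tuple(ace.split(";")) for ace in ACE_RE.findall(dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": split_dacl_flags(flag_str), "aces": aces}

def diff_sddl(fs_sddl, expected_sddl):
    """Return only the components in which the two descriptors differ."""
    a, b = parse_sddl(fs_sddl), parse_sddl(expected_sddl)
    return {key: (a[key], b[key]) for key in a if a[key] != b[key]}

if __name__ == "__main__":
    for key, (found, expected) in diff_sddl(FS_SDDL, GPO_SDDL).items():
        print("%s: filesystem=%s expected=%s" % (key, found, expected))
```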