[Samba] GPO aclcheck and sysvolcheck error while applying GPO
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 9 12:25:11 UTC 2015
What's the output of:
samba-tool gpo aclcheck -U Administrator
and
samba-tool ntacl sysvolcheck -U Administrator
but, if you add:
acl_xattr:ignore system acls = yes
to the sysvol share
And you set the correct rights on the share.
Then you can safely ignore these errors/warnings
I did, since GPOs only apply on the Windows computers, I just ignore these messages.
For me I get the same messages as you do.
ls -al /var/lib/samba/sysvol/internal.domain.tld/Policies/
and I see things like
drwxrwx---+ 4 root BUILTIN\administrators
drwxrwx---+ 4 domain admins domain admins
drwxrwx---+ 4 root domain admins
depending on the user I used for setting the GPOs.
and I don't have any problems with my GPOs.
I think this: acl_xattr:ignore system acls = yes
is the best option samba has :-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guilherme Boing
> Sent: Wednesday 9 September 2015 14:11
> To: samba
> Subject: [Samba] GPO aclcheck and sysvolcheck error while applying GPO
>
> Hello,
>
> Running Samba 4.2.3 from source, using CentOS 7.0, two DCs.
> I have checked and the GPO is properly working, but these errors don't
> look... intended.
>
> # samba-tool gpo aclcheck
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.PUBLICACOES.ONLINE<0x0>
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.PUBLICACOES.ONLINE<0x0>
> resolve_lmhosts: Attempting lmhosts lookup for name steve.publicacoes.online<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name steve.publicacoes.online<0x20>
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 1150, in run
> ds_sd_ndr = m['nTSecurityDescriptor'][0]
>
> # samba-tool ntacl sysvolcheck
> ....
> ldb_wrap open of idmap.ldb
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/publicacoes.online/Policies/{4A2053FD-433E-4439-965B-6C828D20F5DD}
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
> lp)
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
> direct_db_access)
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
> domainsid, direct_db_access)
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
>
> When I didn't have any GPOs created, I had no issues with sysvolcheck.
> Any ideas?
>
> smb.conf:
> # Global parameters
> [global]
> workgroup = POL
> realm = PUBLICACOES.ONLINE
> netbios name = STEVE
> server role = active directory domain controller
> dns forwarder = 192.168.22.180
> log level = 3
> template shell = /bin/bash
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/publicacoes.online/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
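The two SDDL strings in the sysvolcheck error above are compared as plain text by the traceback's `check_dir_acl`, so any difference fails the check. The added example below (not Samba's code) parses both strings from the quoted error and reports exactly where they differ: the filesystem DACL carries the extra AI (auto-inherited) control flag, while owner, group and every ACE are identical.

```python
import re

# SDDL copied from the sysvolcheck error: the ACL read from the sysvol
# directory (FS) and the one stored on the GPO object in the directory (DB).
FS_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
DB_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# DACL control flags that may appear between "D:" and the first ACE.
DACL_FLAGS = ("NO_ACCESS_CONTROL", "AR", "AI", "P")  # longest first


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    m = re.fullmatch(r"O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    dacl = m.group("dacl")
    rest = dacl[:dacl.find("(")] if "(" in dacl else dacl  # text before first ACE
    flags = set()
    while rest:
        for flag in DACL_FLAGS:
            if rest.startswith(flag):
                flags.add(flag)
                rest = rest[len(flag):]
                break
        else:
            raise ValueError("unknown DACL flag text: %r" % rest)
    # Each ACE is "type;flags;rights;object_guid;inherit_guid;trustee".
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": flags, "aces": aces}


def compare_acls(fs_sddl, db_sddl):
    """Describe how the filesystem ACL differs from the ACL on the GPO object."""
    fs, db = parse_sddl(fs_sddl), parse_sddl(db_sddl)
    return {
        "owner_group_match": (fs["owner"], fs["group"]) == (db["owner"], db["group"]),
        "extra_flags_on_fs": sorted(fs["flags"] - db["flags"]),
        "missing_flags_on_fs": sorted(db["flags"] - fs["flags"]),
        "aces_match": fs["aces"] == db["aces"],
    }


if __name__ == "__main__":
    print(compare_acls(FS_SDDL, DB_SDDL))
```

For the quoted strings the result is `extra_flags_on_fs == ['AI']` with everything else matching, which is why the GPO still applies although the check fails.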