[Samba] GPO aclcheck and sysvolcheck error while applying GPO

Guilherme Boing kolt+samba at frag.com.br
Wed Sep 9 12:43:42 UTC 2015


# ls -la /usr/local/samba/var/locks/sysvol/publicacoes.online/Policies/
total 24
drwxrwx---+ 5 root          BUILTIN\administrators 4096 Set  9 08:14 .
drwxrwx---+ 4 root          BUILTIN\administrators   35 Jul 16 16:15 ..
drwxrwx---+ 4 domain admins domain admins            45 Jul 16 16:15 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 domain admins domain admins            45 Set  9 08:14 {4A2053FD-433E-4439-965B-6C828D20F5DD}
drwxrwx---+ 4 domain admins domain admins            45 Jul 16 16:15 {6AC1786C-016F-11D2-945F-00C04FB984F9}

# samba-tool gpo aclcheck -U Administrator
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.PUBLICACOES.ONLINE<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.PUBLICACOES.ONLINE<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name steve.publicacoes.online<0x20>
Password for [POL\Administrator]:
resolve_lmhosts: Attempting lmhosts lookup for name steve.publicacoes.online<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name steve.publicacoes.online<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name steve.publicacoes.online<0x20>
ERROR: Invalid GPO ACL
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
on path
(publicacoes.online\Policies\{4A2053FD-433E-4439-965B-6C828D20F5DD}),
should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

# samba-tool ntacl sysvolcheck -U Administrator
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/publicacoes.online/Policies/{4A2053FD-433E-4439-965B-6C828D20F5DD}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))


I'll try with "acl_xattr:ignore system acls = yes" to see if anything
changes.
Anyway, at least everything seems to be working just fine so far, even with
these errors...


On Wed, Sep 9, 2015 at 9:25 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:

> What's the output of:
> samba-tool gpo aclcheck -U Administrator
>
> and
> samba-tool ntacl sysvolcheck -U Administrator
>
> but, if you add:
> acl_xattr:ignore system acls = yes
> to the sysvol share
>
> And you set the correct rights on the share.
> Then you can safely ignore these errors/warnings
>
> I did, since GPO only applies on the Windows computers, I just ignore
> these messages.
>
> For me I get the same messages as you do.
> ls -al /var/lib/samba/sysvol/internal.domain.tld/Policies/
>
> and i see things like
> drwxrwx---+  4 root          BUILTIN\administrators
> drwxrwx---+  4 domain admins domain admins
> drwxrwx---+  4 root          domain admins
>
> depending on the user i used for setting the GPO's.
>
> and I don't have any problems with my GPOs.
>
> I think this: acl_xattr:ignore system acls = yes
> is the best option samba has :-)
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guilherme Boing
> > Sent: Wednesday 9 September 2015 14:11
> > To: samba
> > Subject: [Samba] GPO aclcheck and sysvolcheck error while applying GPO
> >
> > Hello,
> >
> > Running Samba 4.2.3 from source, using CentOS 7.0, two DCs.
> > I have checked and the GPO is properly working, but these errors don't
> > look... intended.
> >
> > # samba-tool gpo aclcheck
> > ldb_wrap open of secrets.ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'sasl-DIGEST-MD5' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.PUBLICACOES.ONLINE<0x0>
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.PUBLICACOES.ONLINE<0x0>
> > resolve_lmhosts: Attempting lmhosts lookup for name steve.publicacoes.online<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name steve.publicacoes.online<0x20>
> > ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> > element'
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 1150, in run
> >     ds_sd_ndr = m['nTSecurityDescriptor'][0]
> >
> > # samba-tool ntacl sysvolcheck
> > ....
> > ldb_wrap open of idmap.ldb
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > ProvisioningError: DB ACL on GPO directory
> > /usr/local/samba/var/locks/sysvol/publicacoes.online/Policies/{4A2053FD-433E-4439-965B-6C828D20F5DD}
> > O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > does not match expected value
> > O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > from GPO object
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
> >     lp)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
> >     domainsid, direct_db_access)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
> >     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> >
> >
> > When I didn't have any GPOs created, I had no issues with sysvolcheck.
> > Any ideas?
> >
> > smb.conf:
> > # Global parameters
> > [global]
> >         workgroup = POL
> >         realm = PUBLICACOES.ONLINE
> >         netbios name = STEVE
> >         server role = active directory domain controller
> >         dns forwarder = 192.168.22.180
> >         log level = 3
> >         template shell = /bin/bash
> >         idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/publicacoes.online/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
>
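The two SDDL strings in the sysvolcheck error above are easy to misread because they are long and almost identical. The following script is an added example for this thread (it is not Samba code and not something either poster ran): it copies the two descriptors verbatim from the error text, parses them into owner, group, DACL control flags and ACE list, and reports the fields that differ, so you can see whether the directory is actually more permissive than the GPO object says it should be or merely carries a different control flag. The SID alias names (DA, EA, CO, SY, AU, ED) and the access-mask bit names are the standard Windows SDDL definitions; the parser is deliberately minimal and handles only the O:/G:/D: form shown here, with hex masks or the FA/FR/FW/FX aliases.

```python
"""Parse the two SDDL strings from the sysvolcheck error and report where
they differ.  Constructed example for this thread, not Samba code."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Copied verbatim from the ProvisioningError text in this thread:
# the ACL read from the sysvol directory, and the one expected from the GPO object.
SDDL_FS = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
SDDL_GPO = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

# Standard SDDL SID aliases used in the thread (Windows well-known values).
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
               "CO": "Creator Owner", "SY": "Local System",
               "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

# Standard file access-mask bits (winnt.h FILE_* rights and standard rights).
FILE_RIGHTS = [(0x000001, "READ_DATA/LIST_DIRECTORY"), (0x000002, "WRITE_DATA/ADD_FILE"),
               (0x000004, "APPEND_DATA/ADD_SUBDIRECTORY"), (0x000008, "READ_EA"),
               (0x000010, "WRITE_EA"), (0x000020, "EXECUTE/TRAVERSE"),
               (0x000040, "DELETE_CHILD"), (0x000080, "READ_ATTRIBUTES"),
               (0x000100, "WRITE_ATTRIBUTES"), (0x010000, "DELETE"),
               (0x020000, "READ_CONTROL"), (0x040000, "WRITE_DAC"),
               (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]
FILE_ALL_ACCESS = 0x1F01FF
# SDDL letter aliases that may stand in for a hex mask (generic file rights).
MASK_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}


@dataclass(frozen=True)
class Ace:
    ace_type: str             # "A" allow, "D" deny
    flags: Tuple[str, ...]    # OI object inherit, CI container inherit, IO inherit only, ...
    mask: int
    trustee: str              # SID alias such as "DA", or a literal S-1-... SID


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: Tuple[str, ...]   # P = protected, AI = auto-inherited, AR = auto-inherit requested
    aces: Tuple[Ace, ...]         # in order, duplicates kept (the DA ACE appears twice above)


def parse_ace(body: str) -> Ace:
    """Parse the text between one pair of parentheses: type;flags;mask;objguid;inhguid;sid."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError("ACE does not have six fields: %r" % body)
    ace_type, flags, mask, _obj, _inh_obj, trustee = fields
    mask_val = MASK_ALIASES[mask] if mask in MASK_ALIASES else int(mask, 16)
    return Ace(ace_type, tuple(re.findall(r"OI|CI|NP|IO|ID|SA|FA", flags)), mask_val, trustee)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Minimal parser for the O:...G:...D:... form seen in the thread."""
    m = re.match(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<rest>.*)$", sddl)
    if not m:
        raise ValueError("expected O:<sid>G:<sid>D:<dacl> form: %r" % sddl)
    # An optional SACL ("S:") may follow; ACE bodies never contain ':' so this split is safe.
    dacl = m.group("rest").partition("S:")[0]
    flag_text = dacl.split("(", 1)[0]
    flags = tuple(re.findall(r"NO_ACCESS_CONTROL|AR|AI|P", flag_text))
    aces = tuple(parse_ace(body) for body in re.findall(r"\(([^)]*)\)", dacl))
    return SecurityDescriptor(m.group("owner"), m.group("group"), flags, aces)


def describe_mask(mask: int) -> List[str]:
    """Name the file rights granted by an access mask."""
    if mask == FILE_ALL_ACCESS:
        return ["FILE_ALL_ACCESS"]
    return [name for bit, name in FILE_RIGHTS if mask & bit]


def diff_descriptors(fs_sddl: str, expected_sddl: str) -> List[Tuple[str, object, object]]:
    """Return (field, filesystem value, expected value) for every field that differs."""
    a, b = parse_sddl(fs_sddl), parse_sddl(expected_sddl)
    return [(f, getattr(a, f), getattr(b, f))
            for f in ("owner", "group", "dacl_flags", "aces")
            if getattr(a, f) != getattr(b, f)]


if __name__ == "__main__":
    for field, fs_val, gpo_val in diff_descriptors(SDDL_FS, SDDL_GPO):
        print("%s differs: filesystem=%r expected=%r" % (field, fs_val, gpo_val))
    for ace in parse_sddl(SDDL_FS).aces:
        who = SID_ALIASES.get(ace.trustee, ace.trustee)
        print("%s %-30s %s %s" % (ace.ace_type, who, ",".join(ace.flags),
                                   " | ".join(describe_mask(ace.mask))))
```

Run against the strings from this thread, the only field that differs is dacl_flags: the directory carries P plus AI (SE_DACL_AUTO_INHERITED) while the GPO object's descriptor carries only P (protected); the seven ACEs are identical, granting Domain Admins, Enterprise Admins, Local System and Creator Owner full control and Authenticated Users and Enterprise Domain Controllers read-and-execute. That is the check a practitioner wants before deciding to ignore the message: an extra inheritance control flag is a different risk from an extra ACE or a changed owner, and the same diff will flag either of those just as clearly.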

