[Samba] sysvol permissions

mourik jan heupink heupink at merit.unu.edu
Thu Sep 17 09:34:25 UTC 2015


We're running samba 4.1.17-SerNet-Debian-10.wheezy, AD mode, and we seem 
to have permission problems on our sysvol:

> root at DC2:/var/lib/samba# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samba.domain.com/Policies/{A577A789-8C39-447A-8555-42B247B9943C} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1624, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

 > root at DC2:/var/lib/samba# samba-tool ntacl sysvolreset
finishes without any output, so I'm guessing that means: success.... but 
afterwards sysvolcheck still reports the same error.

Is this some bug in 4.1.17..? We could of course try upgrading...?


More information about the samba mailing list