[Samba] sysvol permissions

Rowland Penny rowlandpenny241155 at gmail.com
Thu Sep 17 10:09:46 UTC 2015


On 17/09/15 10:34, mourik jan heupink wrote:
> Hi,
>
> We're running samba 4.1.17-SerNet-Debian-10.wheezy, AD mode, and we 
> seem to have permission problems on our sysvol:
>
>> root at DC2:/var/lib/samba# samba-tool ntacl sysvolcheck
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>> exception - ProvisioningError: DB ACL on GPO directory 
>> /var/lib/samba/sysvol/samba.domain.com/Policies/{A577A789-8C39-447A-8555-42B247B9943C} 
>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>> does not match expected value 
>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>> from GPO object
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
>> line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
>> 249, in run
>>     lp)
>>   File 
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 
>> 1726, in checksysvolacl
>>     direct_db_access)
>>   File 
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 
>> 1677, in check_gpos_acl
>>     domainsid, direct_db_access)
>>   File 
>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 
>> 1624, in check_dir_acl
>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
>> match expected value %s from GPO object' % 
>> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> Running
> > root at DC2:/var/lib/samba# samba-tool ntacl sysvolreset
> finishes without any output, so I'm guessing that means: success.... 
> but afterwards sysvolcheck still reports the same error.
>
> Is this some bug in 4.1.17..? We could of course try upgrading...?
>
> MJ
>

Hi, if you look carefully at the differences, it is only this:
Got: O:LAG:DAD:P
Wanted: O:DAG:DAD:P

Or to break it down even further: it is owned by (O:LA) Local 
Administrators and should be owned by (O:DA) Domain Administrators. 
Personally I don't think it matters; is there anything that doesn't work?

Rowland
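To make the comparison Rowland describes mechanical, here is an added Python example (not from the thread and not Samba's own code) that parses the two SDDL strings from the error into owner, group, DACL flags and ACEs and reports only the fields that differ; the alias names are Microsoft's well-known SDDL abbreviations.

```python
import re

# The two SDDL strings from the sysvolcheck error above: the ACL found on the
# GPO directory ("got") and the one sysvolcheck expected ("wanted").
GOT = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
       "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
       "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
WANTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Well-known SDDL trustee aliases used in these strings (Microsoft's names).
ALIASES = {"LA": "Local administrator", "DA": "Domain administrators",
           "EA": "Enterprise administrators", "CO": "Creator owner",
           "SY": "Local system", "AU": "Authenticated users",
           "ED": "Enterprise domain controllers"}

SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE tuples
    (type; flags; rights; object GUID; inherit GUID; trustee)."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    dacl = m.group("dacl")
    flags = dacl.split("(", 1)[0]          # e.g. "P" = protected (no inheritance)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": flags, "aces": aces}

def diff_sddl(got, wanted):
    """Return (field, got, wanted) for each field where two SDDL strings differ.
    ACEs are compared positionally because order is significant in a DACL."""
    a, b = parse_sddl(got), parse_sddl(wanted)
    diffs = [(k, a[k], b[k]) for k in ("owner", "group", "dacl_flags")
             if a[k] != b[k]]
    for i, (x, y) in enumerate(zip(a["aces"], b["aces"])):
        if x != y:
            diffs.append(("ace[%d]" % i, x, y))
    if len(a["aces"]) != len(b["aces"]):
        diffs.append(("ace_count", len(a["aces"]), len(b["aces"])))
    return diffs

if __name__ == "__main__":
    for field, g, w in diff_sddl(GOT, WANTED):
        print("%s: got %s (%s), wanted %s (%s)" % (
            field, g, ALIASES.get(g, "?"), w, ALIASES.get(w, "?")))
```

Run against the strings from the error it prints a single line, `owner: got LA (Local administrator), wanted DA (Domain administrators)`, confirming that the seven ACEs and the protected-DACL flag are identical.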
