[Samba] sysvol permissions

L.P.H. van Belle belle at bazuin.nl
Thu Sep 17 10:49:29 UTC 2015 

Mourik-Jan, 

Look this is what i get. ( sernet samba 4.2.4 ) 

samba-tool ntacl sysvolcheck -U Administrator  ( kinit Administrator first ) 
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /home/samba/sysvol/rotterdam.bazuin.nl/Policies/{EAF212FE-4718-4693-BD18-6B4FC8A0513A} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

i do have the line : 
acl_xattr:ignore system acls = yes 
also, this is only used for windows pc's. 
Im ignoring above errors also. 


Domain Admins, are member of Local Admins. 
Check your windows pc's eventlogs for GPO errors, if you dont have any, 
your ok, and if you do, post the errors, we have a look at it. 

I have everything in GPO's and its all working ok, even with above errors. 
Policies, printer distributions etc, als logon the share rights and security rights in windows are ok, your fine. 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
> Verzonden: donderdag 17 september 2015 12:10
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] sysvol permissions
> 
> On 17/09/15 10:34, mourik jan heupink wrote:
> > Hi,
> >
> > We're running samba 4.1.17-SerNet-Debian-10.wheezy, AD mode, and we
> > seem to have permission problems on our sysvol:
> >
> >> root at DC2:/var/lib/samba# samba-tool ntacl sysvolcheck
> >> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> >> exception - ProvisioningError: DB ACL on GPO directory
> >> /var/lib/samba/sysvol/samba.domain.com/Policies/{A577A789-8C39-447A-
> 8555-42B247B9943C}
> >>
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
> f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120
> 0a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >> does not match expected value
> >>
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
> f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120
> 0a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >> from GPO object
> >>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> >> line 175, in _run
> >>     return self.run(*args, **kwargs)
> >>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
> >> 249, in run
> >>     lp)
> >>   File
> >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> >> 1726, in checksysvolacl
> >>     direct_db_access)
> >>   File
> >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> >> 1677, in check_gpos_acl
> >>     domainsid, direct_db_access)
> >>   File
> >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> >> 1624, in check_dir_acl
> >>     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> >> match expected value %s from GPO object' %
> >> (acl_type(direct_db_access), path, fsacl_sddl, acl))
> >
> > Running
> > > root at DC2:/var/lib/samba# samba-tool ntacl sysvolreset
> > finishes without any output, so I'm guessing that means: success....
> > but afterwards sysvolcheck still reports the same error.
> >
> > Is this some bug in 4.1.17..? We could of course try upgrading...?
> >
> > MJ
> >
> 
> Hi, if you look carefully at the diffrences, it is only this:
> Got: O:LAG:DAD:P
> Wanted: O:DAG:DAD:P
> 
> Or to break it down even further, it is owned by (O:LA) Local
> Administrators and should be owned by (O:DA) Domain Administrators,
> personally I don't think it matters, is there anything that doesn't work?
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list