[Samba] Samba 4.4.2 "samba-tool ntacl sysvolreset" is not working correctly
Miguel Medalha
medalist at sapo.pt
Fri Apr 22 22:50:46 UTC 2016
Samba 4.4.2
I was doing some maintenance work and I noticed that sysvolcheck gave
some error. I ran "samba-tool ntacl sysvolreset". Running sysvolcheck
again still gives errors. I tried with several sysvol backups and the
result is always the same. The affected policies are always "Default
Domain Policy" and "Default Domain Controllers Policy". These policies
were originally created under Samba 4.2.x. I noticed that some relevant
Python scripts have been modified since then.
The persistent error is this one (I separated the lines for easier reading):
ProvisioningError: DB ACL on GPO directory (...)
O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;AU)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;AU)
from GPO object
The difference between the two is at the beginning of the lines:
"O:LAG:" versus "O:DAG:"
sysvolreset is unable to solve this mismatch.
Does anyone have any idea on how to solve this? Thank you.
More information about the samba
mailing list