[Samba] Samba 4.4.2 "samba-tool ntacl sysvolreset" is not working correctly
Rowland penny
rpenny at samba.org
Sat Apr 23 07:23:31 UTC 2016
On 22/04/16 23:50, Miguel Medalha wrote:
> Samba 4.4.2
>
> I was doing some maintenance work and I noticed that sysvolcheck gave
> some error. I ran "samba-tool ntacl sysvolreset". Running sysvolcheck
> again still gives errors. I tried with several sysvol backups and the
> result is always the same. The affected policies are always "Default
> Domain Policy" and "Default Domain Controllers Policy". These policies
> were originally created under Samba 4.2.x. I noticed that some
> relevant Python scripts have been modified since then.
>
> The persistent error is this one (I separated the lines for easier
> reading):
>
> ProvisioningError: DB ACL on GPO directory (...)
>
> O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;AU)
>
>
> does not match expected value
>
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;AU)
>
>
> from GPO object
>
>
> The difference between the two is at the beginning of the lines:
>
> "O:LAG:" versus "O:DAG:"
>
> sysvolreset is unable to solve this mismatch.
>
> Does anyone have any idea on how to solve this? Thank you.
>
It is actually 'O:LA' versus 'O:DA'
'O' is 'owner'
'LA' is 'Local Admins'
'DA' is 'Domain Admins'
You can ignore this, it should still work.
Rowland
More information about the samba
mailing list