[Samba] Samba 4.2.14 GPO issue

Min Wai Chan dcmwai at gmail.com
Wed Aug 3 02:44:41 UTC 2016


Dear Sébastien,

Sorry for the delay,

Please check on the log below.
As for the word "存取被拒。"  it should translate to Access Deny...

Please help.


- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
  <Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
  <EventID>1055</EventID>
  <Version>0</Version>
  <Level>2</Level>
  <Task>0</Task>
  <Opcode>1</Opcode>
  <Keywords>0x8000000000000000</Keywords>
  <TimeCreated SystemTime="*2016-08-03T02:25:58.236569500Z*" />
  <EventRecordID>237427</EventRecordID>
  <Correlation ActivityID="*{20A9F83F-172B-4F62-8B1A-5732474FD71D}*" />
  <Execution ProcessID="*1156*" ThreadID="*1872*" />
  <Channel>System</Channel>
  <Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
  <Security UserID="*S-1-5-18*" />
  </System>
- <EventData>
  <Data Name="*SupportInfo1*">1</Data>
  <Data Name="*SupportInfo2*">2052</Data>
  <Data Name="*ProcessingMode*">0</Data>
  <Data Name="*ProcessingTimeInMilliseconds*">3495</Data>
  <Data Name="*ErrorCode*">5</Data>
  <Data Name="*ErrorDescription*">存取被拒。</Data>
  </EventData>
  </Event>


- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
  <Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
  <EventID>1053</EventID>
  <Version>0</Version>
  <Level>2</Level>
  <Task>0</Task>
  <Opcode>1</Opcode>
  <Keywords>0x8000000000000000</Keywords>
  <TimeCreated SystemTime="*2016-08-03T02:25:58.220969800Z*" />
  <EventRecordID>237426</EventRecordID>
  <Correlation ActivityID="*{81CBE41A-C06F-4C33-9A59-DA9418903184}*" />
  <Execution ProcessID="*1156*" ThreadID="*4516*" />
  <Channel>System</Channel>
  <Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
  <Security UserID="*S-1-5-21-3560897929-3766931875-2087304217-2002*" />
  </System>
- <EventData>
  <Data Name="*SupportInfo1*">1</Data>
  <Data Name="*SupportInfo2*">2052</Data>
  <Data Name="*ProcessingMode*">0</Data>
  <Data Name="*ProcessingTimeInMilliseconds*">3541</Data>
  <Data Name="*ErrorCode*">5</Data>
  <Data Name="*ErrorDescription*">存取被拒。</Data>
  </EventData>
  </Event>




On Mon, Jul 25, 2016 at 2:51 AM, Sébastien Le Ray <sebastien-samba at orniz.org
> wrote:

> Hi,
>
> That's look more like a gpupdate output than an event log entry :-)
>
>
>
> Le 24/07/2016 à 20:46, Min Wai Chan a écrit :
>
>> Hello Sébastien Le Ray,
>>
>> The PC reply the following...
>>
>> The processing of Group Policy failed. Windows could not resolve the user
>> name. This could be caused by one or more of the following:
>> a) Name Resolution failure on the current domain controller.
>> b) Active Directory Replication Latency (an account created on another
>> domain controller has not replicated to the current domain controller).
>>
>> The processing of Group Policy failed. Windows could not resolve the
>> computer name. This could be caused by one of more of the following:
>> a) Name Resolution failure on the current domain controller.
>> b) Active Directory Replication Latency (an account created on another
>> domain controller has not replicated to the current domain controller).
>>
>> To diagnose the failure, review the event log or run GPRESULT /H
>> GPReport.html from
>> the command line to access information about Group Policy results.
>>
>> On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <
>> sebastien-samba at orniz.org
>>
>>> wrote:
>>> Hi,
>>>
>>> Do you have any specific error message in Windows events log concerning
>>> GPO?
>>>
>>> Regards
>>>
>>>
>>> Le 24/07/2016 à 05:40, Min Wai Chan a écrit :
>>>
>>> Dear All,
>>>> I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that
>>>> GPO
>>>> are having issue
>>>>
>>>> Specifically when I'm adding new using they *never *got the gpupdate
>>>>
>>>> success fully.
>>>>
>>>> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset
>>>>
>>>> But don't seem to got it fix..
>>>>
>>>> Any suggestion?
>>>>
>>>> Thank in advance.
>>>>
>>>> #samba-tool ntacl sysvolcheck
>>>> Processing section "[netlogon]"
>>>> Processing section "[sysvol]"
>>>> Processing section "[dfs]"
>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>>>> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
>>>> kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>> <http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D>
>>>> <
>>>> http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D
>>>> >
>>>>
>>>>
>>>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>> does not match expected value
>>>>
>>>>
>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>> from GPO object
>>>>     File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
>>>> line
>>>> 175, in _run
>>>>       return self.run(*args, **kwargs)
>>>>     File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>> line
>>>> 249, in run
>>>>       lp)
>>>>     File
>>>> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1730, in checksysvolacl
>>>>       direct_db_access)
>>>>     File
>>>> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1681, in check_gpos_acl
>>>>       domainsid, direct_db_access)
>>>>     File
>>>> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1628, in check_dir_acl
>>>>       raise ProvisioningError('%s ACL on GPO directory %s %s does not
>>>> match
>>>> expected value %s from GPO object' % (acl_type(direct_db_access), path,
>>>> fsacl_sddl, acl))
>>>>
>>>> Regards,
>>>> Min Wai
>>>>
>>>>
>>>
>


More information about the samba mailing list