[Samba] Samba 4.2.14 GPO issue

L.P.H. van Belle belle at bazuin.nl
Wed Aug 3 06:14:46 UTC 2016


Hi Min Wai,

Please read these links; MS changed some things in GPO.

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures. 
https://support.microsoft.com/en-gb/kb/3163622


In sum:
Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.

See if the above helps you.
If not, enable GPO operational logging.
Open registry editor, navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion

- Right click CurrentVersion->New->Key
- Rename the newly created key to Diagnostics 
- Right click on Diagnostics->New->DWORD(32-bit)value, rename the new DWORD entry to GPSvcDebugLevel and set the value as 0x30002 (hexadecimal)

- After you have modified the registry, please run the command gpupdate /force at a command prompt to refresh the policy. Reboot the computer to reproduce the issue.

The log file is written to the %SystemRoot%\Debug\UserMode folder.
And see if you get more/better info from the debug log.



Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Min Wai Chan
> Sent: Wednesday 3 August 2016 4:45
> To: Sébastien Le Ray
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.2.14 GPO issue
> 
> Dear Sébastien,
> 
> Sorry for the delay,
> 
> Please check on the log below.
> As for the word "???????????????"  it should translate to Access Deny...
> 
> Please help.
> 
> 
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
>   <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
>   <EventID>1055</EventID>
>   <Version>0</Version>
>   <Level>2</Level>
>   <Task>0</Task>
>   <Opcode>1</Opcode>
>   <Keywords>0x8000000000000000</Keywords>
>   <TimeCreated SystemTime="2016-08-03T02:25:58.236569500Z" />
>   <EventRecordID>237427</EventRecordID>
>   <Correlation ActivityID="{20A9F83F-172B-4F62-8B1A-5732474FD71D}" />
>   <Execution ProcessID="1156" ThreadID="1872" />
>   <Channel>System</Channel>
>   <Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
>   <Security UserID="S-1-5-18" />
>   </System>
> <EventData>
>   <Data Name="SupportInfo1">1</Data>
>   <Data Name="SupportInfo2">2052</Data>
>   <Data Name="ProcessingMode">0</Data>
>   <Data Name="ProcessingTimeInMilliseconds">3495</Data>
>   <Data Name="ErrorCode">5</Data>
>   <Data Name="ErrorDescription">???????????????</Data>
>   </EventData>
>   </Event>
> 
> 
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
>   <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
>   <EventID>1053</EventID>
>   <Version>0</Version>
>   <Level>2</Level>
>   <Task>0</Task>
>   <Opcode>1</Opcode>
>   <Keywords>0x8000000000000000</Keywords>
>   <TimeCreated SystemTime="2016-08-03T02:25:58.220969800Z" />
>   <EventRecordID>237426</EventRecordID>
>   <Correlation ActivityID="{81CBE41A-C06F-4C33-9A59-DA9418903184}" />
>   <Execution ProcessID="1156" ThreadID="4516" />
>   <Channel>System</Channel>
>   <Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
>   <Security UserID="S-1-5-21-3560897929-3766931875-2087304217-2002" />
>   </System>
> <EventData>
>   <Data Name="SupportInfo1">1</Data>
>   <Data Name="SupportInfo2">2052</Data>
>   <Data Name="ProcessingMode">0</Data>
>   <Data Name="ProcessingTimeInMilliseconds">3541</Data>
>   <Data Name="ErrorCode">5</Data>
>   <Data Name="ErrorDescription">???????????????</Data>
>   </EventData>
>   </Event>
> 
> 
> 
> 
> On Mon, Jul 25, 2016 at 2:51 AM, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:
> 
> > Hi,
> >
> > That looks more like a gpupdate output than an event log entry :-)
> >
> >
> >
> > On 24/07/2016 at 20:46, Min Wai Chan wrote:
> >
> >> Hello Sébastien Le Ray,
> >>
> >> The PC replies the following...
> >>
> >> The processing of Group Policy failed. Windows could not resolve the user
> >> name. This could be caused by one or more of the following:
> >> a) Name Resolution failure on the current domain controller.
> >> b) Active Directory Replication Latency (an account created on another
> >> domain controller has not replicated to the current domain controller).
> >>
> >> The processing of Group Policy failed. Windows could not resolve the
> >> computer name. This could be caused by one of more of the following:
> >> a) Name Resolution failure on the current domain controller.
> >> b) Active Directory Replication Latency (an account created on another
> >> domain controller has not replicated to the current domain controller).
> >>
> >> To diagnose the failure, review the event log or run GPRESULT /H
> >> GPReport.html from
> >> the command line to access information about Group Policy results.
> >>
> >> On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:
> >>> Hi,
> >>>
> >>> Do you have any specific error message in Windows events log concerning
> >>> GPO?
> >>>
> >>> Regards
> >>>
> >>>
> >>> On 24/07/2016 at 05:40, Min Wai Chan wrote:
> >>>
> >>>> Dear All,
> >>>> I've recently upgraded from samba 4.1.x to samba 4.2.14 and found that
> >>>> GPOs are having issues.
> >>>>
> >>>> Specifically, when I'm adding new users they *never* get the gpupdate
> >>>> successfully.
> >>>>
> >>>> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset,
> >>>> it doesn't seem to get fixed..
> >>>>
> >>>> Any suggestions?
> >>>>
> >>>> Thanks in advance.
> >>>>
> >>>> #samba-tool ntacl sysvolcheck
> >>>> Processing section "[netlogon]"
> >>>> Processing section "[sysvol]"
> >>>> Processing section "[dfs]"
> >>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> >>>> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> >>>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >>>> does not match expected value
> >>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >>>> from GPO object
> >>>>     File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >>>>       return self.run(*args, **kwargs)
> >>>>     File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
> >>>>       lp)
> >>>>     File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
> >>>>       direct_db_access)
> >>>>     File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
> >>>>       domainsid, direct_db_access)
> >>>>     File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
> >>>>       raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> >>>>
> >>>> Regards,
> >>>> Min Wai
> >>>>
> >>>>
> >>>
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
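
Added example (not part of the original thread and not Samba's own code): the two descriptors in the quoted samba-tool ntacl sysvolcheck error are hard to compare by eye, so this Python code parses both, reports which field differs, and checks whether an effective allow ACE gives Authenticated Users (AU) read access, the permission the MS16-072 guidance in the reply asks for on the GPO. The function names are hypothetical, the strings are rejoined from the wrapped mail text, and only hexadecimal access masks are handled.

```python
import re

# Constructed from the thread: the two descriptors in the sysvolcheck error,
# with the mail client's line wraps rejoined.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
ON_DISK = "O:LAG:DAD:P" + ACES    # reported for the GPO directory
EXPECTED = "O:DAG:DAD:P" + ACES   # expected value from the GPO object

FILE_GENERIC_READ = 0x00120089    # Windows access-mask constant

# Owner, group, DACL flags, then zero or more parenthesised ACEs (no SACL).
SDDL_RE = re.compile(r"O:([\w-]+?)G:([\w-]+?)D:(\w*)((?:\([^)]*\))*)")

def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string into comparable fields."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(4)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        # ACE flags are two-letter tokens, e.g. OICIIO -> OI, CI, IO.
        flag_set = frozenset(flags[i:i + 2] for i in range(0, len(flags), 2))
        # Assumption: rights are a hex mask, as in the thread's output.
        aces.append((ace_type, flag_set, int(rights, 16), trustee))
    return {"owner": m.group(1), "group": m.group(2),
            "dacl_flags": m.group(3), "aces": aces}

def diff_sddl(a, b):
    """Return the names of the top-level fields that differ."""
    pa, pb = parse_sddl(a), parse_sddl(b)
    return [k for k in ("owner", "group", "dacl_flags", "aces") if pa[k] != pb[k]]

def grants_read(sddl, trustee):
    """True if an allow ACE that is not inherit-only gives trustee read access."""
    return any(t == "A" and "IO" not in flags and who == trustee
               and (mask & FILE_GENERIC_READ) == FILE_GENERIC_READ
               for t, flags, mask, who in parse_sddl(sddl)["aces"])

if __name__ == "__main__":
    print("differs in:", diff_sddl(ON_DISK, EXPECTED))
    print("AU read:", grants_read(ON_DISK, "AU"))
```

On the thread's data the only differing field is the owner: LA (local administrator) on the directory against DA (Domain Admins) expected from the GPO object; the ACE lists are identical and AU already carries read access in both.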




