[Samba] gpo not working with samba 4 migrated

Rowland Penny rpenny at samba.org
Thu Jul 21 19:41:15 UTC 2016


On 21/07/16 19:37, Trenta sis wrote:
> Hi,
>
> First of all, thanks for your answer. It seems that this can help: now some
> changes made to the GPO are applied and we are not receiving errors in Event
> Viewer, but it seems that some changes are not applied. Why, and where can I find
> some information? In the Samba log and Event Viewer no error is reported.
>
> Also I have tried
>
> # samba-tool ntacl sysvolreset
>
> After this tried
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: DB ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 270, in run
>      lp)
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1732, in checksysvolacl
>      direct_db_access)
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1683, in check_gpos_acl
>      domainsid, direct_db_access)
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1630, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' %
> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> Tried with a new domain (not migrated) and then it works. Where is the problem?
>
>
>
> 2016-07-21 18:51 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>
>> Hello,
>>
>> On 21.07.2016 at 17:18, Trenta sis wrote:
>>> I have migrated a Samba 3 domain to Samba, and I have found that when you try
>>> to use GPOs these are not applied; we receive errors in the Windows event log
>>> with permissions in sysvol. I have checked the paths to the sysvol GPOs and they
>>> are correct.
>>> Also I have tried with a new fresh domain (not migrated) and with this new
>>> install GPO works.
>>>
>>> How can I debug these problems and find a solution?
>>
>> Have you tried
>>
>> https://wiki.samba.org/index.php/FAQ#Incompatible_permissions_of_GPO_objects_and_SysVol_share
>>
>>
>> Regards,
>> Marc
>>

Firstly, the ACLs that Samba4 sets are wrong, but when you set them
correctly, there is another problem with any extra GPOs added. The
Python code gets the ACL on the files and then compares it with what it
should be; this is where it goes wrong again :-)

When I figure out why, I will let you know.

Rowland
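
The two SDDL strings in the `sysvolcheck` error quoted above can be compared component by component to see exactly where they disagree. The following is an added example, not part of the original message and not Samba's own code; the function names and alias table are this example's own, and SACLs are not handled.

```python
import re

# SDDL strings from the sysvolcheck error quoted in the thread; the ACE list
# is identical in both, so it is written once and appended to each prefix.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FS_SDDL = "O:LAG:DAD:P" + ACES        # what was read from the GPO directory
EXPECTED_SDDL = "O:DAG:DAD:P" + ACES  # what the GPO object says it should be

# Well-known SDDL SID aliases that appear in those strings.
ALIASES = {"LA": "local Administrator account", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl_flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)")
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string into comparable parts (no SACL)."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("unsupported or malformed SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != len(ACE_FIELDS):
            raise ValueError("malformed ACE: (%s)" % body)
        ace = dict(zip(ACE_FIELDS, fields))
        if ace["rights"].lower().startswith("0x"):
            ace["rights"] = int(ace["rights"], 16)  # 0x1f01ff == 0x001f01ff
        aces.append(ace)
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["dacl_flags"], "aces": aces}

def diff_sddl(actual, expected):
    """Return {component: (actual, expected)} for every part that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}

def describe(diff):
    """Render a diff from diff_sddl() as readable lines, expanding aliases."""
    name = lambda v: ("%s (%s)" % (v, ALIASES[v])
                      if isinstance(v, str) and v in ALIASES else str(v))
    return ["%s: found %s, expected %s" % (k, name(a), name(e))
            for k, (a, e) in diff.items()]

if __name__ == "__main__":
    print("\n".join(describe(diff_sddl(FS_SDDL, EXPECTED_SDDL))))
```

For the strings in this thread the only differing component is the owner; the group, DACL flags and all seven ACEs are identical.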


