[Samba] gpo not working with samba 4 migrated
lingpanda101 at gmail.com
lingpanda101 at gmail.com
Fri Jul 22 12:10:48 UTC 2016
On 7/22/2016 3:37 AM, Rowland penny wrote:
> On 21/07/16 22:18, Trenta sis wrote:
>> I'm not sure what are you deatiling, is a bug in progress taht can cause
>> this random problems with some gpos or this error can be ignored?
>>
>> 2016-07-21 20:37 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:
>>
>>> Hi,
>>>
>>> First of all thanks for you answer, it seems that this can help, now
>>> some
>>> change made to gpo are applied and we are not receiving error in event
>>> viewer, but seem that some change are not applied, why and where I
>>> can find
>>> some information, in samba log anv event viewer any error is reported
>>>
>>> Also I have tried
>>>
>>> # samba-tool ntacl sysvolreset
>>>
>>> After this tried
>>> # samba-tool ntacl sysvolcheck
>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
>>> exception - ProvisioningError: DB ACL on GPO directory
>>> /usr/local/samba/var/locks/sysvol/domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>>> <http://domain.com/Policies/%7B31B2F340-016D-11D2-945F-00C04FB984F9%7D>
>>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>> does not match expected value
>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>> from GPO object
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>> return self.run(*args, **kwargs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>>> line 270, in run
>>> lp)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>> line 1732, in checksysvolacl
>>> direct_db_access)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>> line 1683, in check_gpos_acl
>>> domainsid, direct_db_access)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>> line 1630, in check_dir_acl
>>> raise ProvisioningError('%s ACL on GPO directory %s %s does not
>>> match expected value %s from GPO object' %
>>> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>>
>>> Tried with new domain (no migrated) and then works, where is the
>>> problem?
>>>
>>>
>>>
>>> 2016-07-21 18:51 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>>
>>>> Hello,
>>>>
>>>> Am 21.07.2016 um 17:18 schrieb Trenta sis:
>>>>> I have migrated samba 3 domain to samba, and I have found that
>>>>> when you
>>>> try
>>>>> to use gpo this are not applied we receive in windwos event log
>>>>> errors
>>>> with
>>>>> permissions in sysvol, I have checked paths to sysvol gpos and are
>>>> correct.
>>>>> Also I have tried with a new fresh domain (not migrated) and with
>>>>> this
>>>> new
>>>>> install works GPO
>>>>>
>>>>> How can I debug this problems and find a solution?
>>>>
>>>> Have you tried
>>>>
>>>> https://wiki.samba.org/index.php/FAQ#Incompatible_permissions_of_GPO_objects_and_SysVol_share
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>>
>
> The ACLs that Samba sets on the sysvol directory are wrong, I was
> going to look into this, but asked on samba-technical first. I was
> informed, by Stefan Metzmacher, that he had looked into this some time
> ago, but pressure of work had stopped him completing the work.
> I have tested his patches, made a few very minor changes and they
> work, until you add another GPO, this is when it goes wrong. It checks
> the ACLs on the files in the GPO, then reports they are wrong, I am
> looking into this now.
>
> Rowland
>
Rowland,
My testing shows if you assign a GID to 'Domain Admins'.
Sysvolreset and check will fail. Will this be addressed possibly by the
patches?
--
-James
More information about the samba
mailing list