[Samba] gpo not working with samba 4 migrated

Rowland penny rpenny at samba.org
Fri Jul 22 16:47:29 UTC 2016 

On 22/07/16 13:10, lingpanda101 at gmail.com wrote:
> On 7/22/2016 3:37 AM, Rowland penny wrote:
>> On 21/07/16 22:18, Trenta sis wrote:
>>> I'm not sure what are you deatiling, is a bug in progress taht can 
>>> cause
>>> this random problems with some gpos or this error can be ignored?
>>>
>>> 2016-07-21 20:37 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:
>>>
>>>> Hi,
>>>>
>>>> First of all thanks for you answer, it seems that this can help, 
>>>> now some
>>>> change made to gpo are applied and we are not receiving error in event
>>>> viewer, but seem that some change are not applied, why and where I 
>>>> can find
>>>> some information, in samba log anv event viewer any error is reported
>>>>
>>>> Also I have tried
>>>>
>>>> # samba-tool ntacl sysvolreset
>>>>
>>>> After this tried
>>>> # samba-tool ntacl sysvolcheck
>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>>>> exception - ProvisioningError: DB ACL on GPO directory 
>>>> /usr/local/samba/var/locks/sysvol/domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
>>>> <http://domain.com/Policies/%7B31B2F340-016D-11D2-945F-00C04FB984F9%7D> 
>>>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>> does not match expected value 
>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>> from GPO object
>>>>    File 
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>> line 175, in _run
>>>>      return self.run(*args, **kwargs)
>>>>    File 
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
>>>> line 270, in run
>>>>      lp)
>>>>    File 
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>> line 1732, in checksysvolacl
>>>>      direct_db_access)
>>>>    File 
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>> line 1683, in check_gpos_acl
>>>>      domainsid, direct_db_access)
>>>>    File 
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>> line 1630, in check_dir_acl
>>>>      raise ProvisioningError('%s ACL on GPO directory %s %s does 
>>>> not match expected value %s from GPO object' % 
>>>> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>>>
>>>> Tried with new domain (no migrated) and then works, where is the 
>>>> problem?
>>>>
>>>>
>>>>
>>>> 2016-07-21 18:51 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>>>
>>>>> Hello,
>>>>>
>>>>> Am 21.07.2016 um 17:18 schrieb Trenta sis:
>>>>>> I have migrated samba 3 domain to samba, and I have found that 
>>>>>> when you
>>>>> try
>>>>>> to use gpo this are not applied we receive in windwos event log 
>>>>>> errors
>>>>> with
>>>>>> permissions in sysvol, I have checked paths to sysvol gpos and are
>>>>> correct.
>>>>>> Also I have tried with a new fresh domain (not migrated) and with 
>>>>>> this
>>>>> new
>>>>>> install works GPO
>>>>>>
>>>>>> How can I debug this problems and find a solution?
>>>>>
>>>>> Have you tried
>>>>>
>>>>> https://wiki.samba.org/index.php/FAQ#Incompatible_permissions_of_GPO_objects_and_SysVol_share 
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>> Marc
>>>>>
>>>>
>>
>> The ACLs that Samba sets on the sysvol directory are wrong, I was 
>> going to look into this, but asked on samba-technical first. I was 
>> informed, by Stefan Metzmacher, that he had looked into this some 
>> time ago, but pressure of work had stopped him completing the work.
>> I have tested his patches, made a few very minor changes and they 
>> work, until you add another GPO, this is when it goes wrong. It 
>> checks the ACLs on the files in the GPO, then reports they are wrong, 
>> I am looking into this now.
>>
>> Rowland
>>
>
> Rowland,
>
>     My testing shows if you assign a GID to 'Domain Admins'. 
> Sysvolreset and check will fail. Will this be addressed possibly by 
> the patches?
>

Didn't know this, will look into it and if required, try to fix it.

Rowland

More information about the samba mailing list