[Samba] Samba 4.2.14 GPO issue

Rowland Penny rpenny at samba.org
Sun Jul 24 09:00:03 UTC 2016


On 24/07/16 04:40, Min Wai Chan wrote:
> Dear All,
> I've recently upgraded from samba 4.1.x to samba 4.2.14 and found that GPOs
> are having issues
>
> Specifically, when I'm adding new users they *never* got the gpupdate
> successfully.
>
> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset
>
> But it doesn't seem to get it fixed..
>
> Any suggestions?
>
> Thanks in advance.
>
> #samba-tool ntacl sysvolcheck
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[dfs]"
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
> kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line
> 249, in run
>      lp)
>    File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1730, in checksysvolacl
>      direct_db_access)
>    File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1681, in check_gpos_acl
>      domainsid, direct_db_access)
>    File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1628, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
>
> Regards,
> Min Wai

I wouldn't worry about it (at the moment); this is because you are 
getting this:

O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

and if you look closely, the only difference is at the start: yours 
starts 'O:LAG:' and the expected starts 'O:DAG:'

O = owner
LA = Local Administrators
BA = BUILTIN\Administrators

Not that this means anything, because the actual SDDL should be:

O:BAG:SYD:PAI(A;;0x001200a9;;;AU)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;SO)(A;OICIIO;GRGX;;;SO)(A;;0x001e01bf;;;BA)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001f01ff;;;SY)(A;OICIIO;GA;;;SY)(A;;0x001e01bf;;;BA)(A;OICIIO;WOWDGRGWGX;;;CO)S:AI(AU;OICISA;SD;;;WD)

Rowland
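
The comparison described in the reply above, as an added example that is not part of the original thread or of Samba's own code: a small parser that splits the two SDDL strings from the sysvolcheck error into owner, group and ACL components and reports which components differ. The function names `parse_sddl` and `diff_sddl` are hypothetical, and ACE order is ignored in the comparison.

```python
import re

# SDDL strings copied verbatim from the sysvolcheck error in the thread.
ON_DISK = "O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
EXPECTED = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

def parse_sddl(sddl):
    """Split SDDL into owner (O), group (G) and DACL/SACL (D/S) flags + ACEs."""
    marks, depth = [], 0
    for i, ch in enumerate(sddl):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        # A component marker is O/G/D/S directly before ':' outside any ACE.
        elif ch == ":" and depth == 0 and i > 0 and sddl[i - 1] in "OGDS":
            marks.append(i - 1)
    parsed = {}
    for start, end in zip(marks, marks[1:] + [len(sddl)]):
        key, body = sddl[start], sddl[start + 2:end]
        if key in "OG":
            parsed[key] = body
        else:
            aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", body)]
            parsed[key] = {"flags": body.split("(", 1)[0], "aces": aces}
    return parsed

def diff_sddl(actual, expected):
    """Return (component, actual, expected) tuples; ACE order is ignored."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    empty = {"flags": "", "aces": []}
    diffs = [(k, a.get(k), e.get(k)) for k in "OG" if a.get(k) != e.get(k)]
    for k in "DS":
        x, y = a.get(k, empty), e.get(k, empty)
        if x["flags"] != y["flags"]:
            diffs.append((k + " flags", x["flags"], y["flags"]))
        diffs += [(k + " ace", ";".join(ace), None) for ace in x["aces"] if ace not in y["aces"]]
        diffs += [(k + " ace", None, ";".join(ace)) for ace in y["aces"] if ace not in x["aces"]]
    return diffs

if __name__ == "__main__":
    for component, got, want in diff_sddl(ON_DISK, EXPECTED):
        print(f"{component}: on disk={got!r} expected={want!r}")
```
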