[Samba] Everyone ACL problem

Kévin GUERINEAU kevin.guerineau at infolix.fr
Sat Nov 26 10:44:50 UTC 2016 

Hello list,

I have problems with my PDC Samba Servers and all file servers.
All DC Server have a compiled Samba 4.4.5. File servers have Samba 
Debian packages.

In all shared folders, the ACL has the group "Everyone" and I can't 
remove it.
The biggest problem concern SYSVOL, I can't modify GPO, I have an error 
in MMC.
I have tried to resolv the problem with the "samba-tool ntacl 
sysvolreset" command but it didn't resolv anything.


#samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO file 
//usr/local/samba/var/locks/sysvol/campuslr.cma17/Policies//{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Groups/Groups.xml 
O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
line 270, in run
     lp)
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py", 
line 1732, in checksysvolacl
     direct_db_access)
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py", 
line 1683, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py", 
line 1640, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO file %s %s does not match 
expected value %s from GPO object' % (acl_type(direct_db_access), 
os.path.join(root, name), fsacl_sddl, acl))

# samba-tool dbcheck
Checking 2591 objects
Checked 2591 objects (0 errors)

# samba-tool gpo aclcheck
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 
1150, in run
     ds_sd_ndr = m['nTSecurityDescriptor'][0]


I tried to reinstall DC2, but then the problem extended itself to DC2.
I have the same problem on the fileservers.
I don't know where is the problem. Moreover I have a second Samba domain 
without this problem.

Best regards,
Kevin

More information about the samba mailing list