[Samba] Everyone ACL problem

Rowland Penny rpenny at samba.org
Sat Nov 26 11:08:28 UTC 2016 

On Sat, 26 Nov 2016 11:44:50 +0100
Kévin GUERINEAU via samba <samba at lists.samba.org> wrote:

> Hello list,
> 
> I have problems with my PDC Samba Servers and all file servers.
> All DC Server have a compiled Samba 4.4.5. File servers have Samba 
> Debian packages.
> 
> In all shared folders, the ACL has the group "Everyone" and I can't 
> remove it.
> The biggest problem concern SYSVOL, I can't modify GPO, I have an
> error in MMC.
> I have tried to resolv the problem with the "samba-tool ntacl 
> sysvolreset" command but it didn't resolv anything.
> 
> 
> #samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on GPO file 
> //usr/local/samba/var/locks/sysvol/campuslr.cma17/Policies//{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Groups/Groups.xml 
> O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) 
> does not match expected value 
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> from GPO object
>    File 
> "//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py", 
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
> line 270, in run
>      lp)
>    File 
> "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py", 
> line 1732, in checksysvolacl
>      direct_db_access)
>    File 
> "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py", 
> line 1683, in check_gpos_acl
>      domainsid, direct_db_access)
>    File 
> "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py", 
> line 1640, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO file %s %s does not match 
> expected value %s from GPO object' % (acl_type(direct_db_access), 
> os.path.join(root, name), fsacl_sddl, acl))
> 
> # samba-tool dbcheck
> Checking 2591 objects
> Checked 2591 objects (0 errors)
> 
> # samba-tool gpo aclcheck
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> element' File 
> "//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py", 
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
> line 1150, in run
>      ds_sd_ndr = m['nTSecurityDescriptor'][0]
> 
> 
> I tried to reinstall DC2, but then the problem extended itself to DC2.
> I have the same problem on the fileservers.
> I don't know where is the problem. Moreover I have a second Samba
> domain without this problem.
> 
> Best regards,
> Kevin

Have you tried 'samba-tool ntacl sysvolreset'

Rowland

PS Don't refer to your AD DC as a PDC, that is something else
entirely ;-)

More information about the samba mailing list