[Samba] Everyone ACL problem

Rowland Penny rpenny at samba.org
Sat Nov 26 12:56:58 UTC 2016


On Sat, 26 Nov 2016 12:28:19 +0100
Kévin GUERINEAU <kevin.guerineau at infolix.fr> wrote:

> Yes, I have. But nothing changes...
> 
> Kevin
> 
> On 26/11/2016 at 12:08, Rowland Penny via samba wrote:
> > On Sat, 26 Nov 2016 11:44:50 +0100
> > Kévin GUERINEAU via samba <samba at lists.samba.org> wrote:
> >
> >> Hello list,
> >>
> >> I have problems with my PDC Samba Servers and all file servers.
> >> All DC servers have a compiled Samba 4.4.5. File servers have Samba
> >> Debian packages.
> >>
> >> In all shared folders, the ACL has the group "Everyone" and I can't
> >> remove it.
> >> The biggest problem concerns SYSVOL, I can't modify GPO, I have an
> >> error in MMC.
> >> I have tried to resolve the problem with the "samba-tool ntacl
> >> sysvolreset" command but it didn't resolve anything.
> >>
> >>
> >> #samba-tool ntacl sysvolcheck
> >> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> >> exception - ProvisioningError: DB ACL on GPO file
> >> //usr/local/samba/var/locks/sysvol/campuslr.cma17/Policies//{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Groups/Groups.xml
> >> O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
> >> does not match expected value
> >> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >> from GPO object
> >>     File
> >> "//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
> >> line 175, in _run
> >>       return self.run(*args, **kwargs)
> >>     File
> >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> >> line 270, in run
> >>       lp)
> >>     File
> >> "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
> >> line 1732, in checksysvolacl
> >>       direct_db_access)
> >>     File
> >> "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
> >> line 1683, in check_gpos_acl
> >>       domainsid, direct_db_access)
> >>     File
> >> "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
> >> line 1640, in check_dir_acl
> >>       raise ProvisioningError('%s ACL on GPO file %s %s does not
> >> match expected value %s from GPO object' %
> >> (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl,
> >> acl))
> >>
> >> # samba-tool dbcheck
> >> Checking 2591 objects
> >> Checked 2591 objects (0 errors)
> >>
> >> # samba-tool gpo aclcheck
> >> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> >> element' File
> >> "//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
> >> line 175, in _run
> >>       return self.run(*args, **kwargs)
> >>     File
> >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
> >> line 1150, in run
> >>       ds_sd_ndr = m['nTSecurityDescriptor'][0]
> >>
> >>
> >> I tried to reinstall DC2, but then the problem extended itself to
> >> DC2. I have the same problem on the fileservers.
> >> I don't know where the problem is. Moreover I have a second Samba
> >> domain without this problem.
> >>
> >> Best regards,
> >> Kevin
> > Have you tried 'samba-tool ntacl sysvolreset'?
> >
> > Rowland
> >
> > PS Don't refer to your AD DC as a PDC, that is something else
> > entirely ;-)
> >
> 

From the looks of it, you have modified one of the default Policies;
this is not recommended. Try putting things back to the way they were
and then create a new Policy.

Rowland
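
The two security descriptors in the sysvolcheck error quoted above are hard to compare by eye. The following is an added example (not part of the original thread and not Samba's own code) that splits both SDDL strings and reports only where they differ. The function names are hypothetical, and the parser assumes an owner/group/DACL-only descriptor with alias trustees and hexadecimal access masks, as in the strings on this page.

```python
import re

# SDDL strings copied from the sysvolcheck error in the thread.
ON_DISK = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
           "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Standard SDDL SID aliases seen in these strings, plus WD (Everyone).
ALIASES = {"BA": "Builtin Administrators", "DA": "Domain Admins",
           "DU": "Domain Users", "EA": "Enterprise Admins", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
           "CO": "Creator Owner", "WD": "Everyone"}

# Assumption: no SACL part and alias trustees only, as in the strings above.
HEADER = re.compile(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACEs by trustee."""
    m = HEADER.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, flags, ace_text = m.groups()
    aces = {}
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        # Fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, ace_flags, rights, _obj, _inh, trustee = ace.split(";")
        aces.setdefault(trustee, set()).add((ace_type, ace_flags, int(rights, 16)))
    return {"owner": owner, "group": group, "dacl_flags": flags, "aces": aces}

def diff_sddl(on_disk, expected):
    """Return only the fields and trustees on which the descriptors disagree."""
    a, b = parse_sddl(on_disk), parse_sddl(expected)
    out = {k: (a[k], b[k]) for k in ("owner", "group", "dacl_flags") if a[k] != b[k]}
    out["only_on_disk"] = sorted(set(a["aces"]) - set(b["aces"]))
    out["only_expected"] = sorted(set(b["aces"]) - set(a["aces"]))
    out["changed"] = sorted(t for t in set(a["aces"]) & set(b["aces"])
                            if a["aces"][t] != b["aces"][t])
    out["everyone_on_disk"] = "WD" in a["aces"]  # WD is the alias for Everyone
    return out

if __name__ == "__main__":
    for key, value in diff_sddl(ON_DISK, EXPECTED).items():
        names = [ALIASES.get(v, v) for v in value] if isinstance(value, (list, tuple)) else value
        print("%-17s %s" % (key, names))
```

For the strings in the error, this reports a different owner and group, a missing protected (P) flag, a Builtin Administrators ACE only on disk, a Creator Owner ACE only in the expected value, and missing inheritance flags on the five shared trustees. Neither descriptor contains a WD (Everyone) ACE.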


