[Samba] Everyone ACL problem

L.P.H. van Belle belle at bazuin.nl
Sun Nov 27 09:38:39 UTC 2016


To fix this, try the following:

Remove the content in the sysvol folder (move it away).
Run samba-tool with sysvol reset.

Copy the content back.
Now, with setfacl, copy the ACL recursively back to the 'domain folder' in vol.

Now, on a Windows machine, open the Group Policy editor.
Click on the GP objects. If needed, it will say it needs some rights fixed.

When this is done, don't sysvol reset anymore.

This is a small bug in 4.4.5.

greetz 
louis

> On 26 Nov 2016 at 14:04, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Sat, 26 Nov 2016 12:28:19 +0100
> Kévin GUERINEAU <kevin.guerineau at infolix.fr> wrote:
> 
>> Yes, I have. But nothing changed...
>> 
>> Kevin
>> 
>>> On 26/11/2016 at 12:08, Rowland Penny via samba wrote:
>>> On Sat, 26 Nov 2016 11:44:50 +0100
>>> Kévin GUERINEAU via samba <samba at lists.samba.org> wrote:
>>> 
>>>> Hello list,
>>>> 
>>>> I have problems with my PDC Samba servers and all file servers.
>>>> All DC servers have a compiled Samba 4.4.5. File servers have Samba
>>>> Debian packages.
>>>> 
>>>> In all shared folders, the ACL has the group "Everyone" and I can't
>>>> remove it.
>>>> The biggest problem concerns SYSVOL: I can't modify GPOs, I have an
>>>> error in MMC.
>>>> I have tried to resolve the problem with the "samba-tool ntacl
>>>> sysvolreset" command but it didn't resolve anything.
>>>> 
>>>> 
>>>> #samba-tool ntacl sysvolcheck
>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
>>>> exception - ProvisioningError: DB ACL on GPO file
>>>> //usr/local/samba/var/locks/sysvol/campuslr.cma17/Policies//{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Groups/Groups.xml
>>>> O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
>>>> does not match expected value
>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>> from GPO object
>>>>    File
>>>> "//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
>>>> line 175, in _run
>>>>      return self.run(*args, **kwargs)
>>>>    File
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>> line 270, in run
>>>>      lp)
>>>>    File
>>>> "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
>>>> line 1732, in checksysvolacl
>>>>      direct_db_access)
>>>>    File
>>>> "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
>>>> line 1683, in check_gpos_acl
>>>>      domainsid, direct_db_access)
>>>>    File
>>>> "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
>>>> line 1640, in check_dir_acl
>>>>      raise ProvisioningError('%s ACL on GPO file %s %s does not
>>>> match expected value %s from GPO object' %
>>>> (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl,
>>>> acl))
>>>> 
>>>> # samba-tool dbcheck
>>>> Checking 2591 objects
>>>> Checked 2591 objects (0 errors)
>>>> 
>>>> # samba-tool gpo aclcheck
>>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
>>>> element' File
>>>> "//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
>>>> line 175, in _run
>>>>      return self.run(*args, **kwargs)
>>>>    File
>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
>>>> line 1150, in run
>>>>      ds_sd_ndr = m['nTSecurityDescriptor'][0]
>>>> 
>>>> 
>>>> I tried to reinstall DC2, but then the problem extended itself to
>>>> DC2. I have the same problem on the fileservers.
>>>> I don't know where the problem is. Moreover, I have a second Samba
>>>> domain without this problem.
>>>> 
>>>> Best regards,
>>>> Kevin
>>> Have you tried 'samba-tool ntacl sysvolreset'?
>>> 
>>> Rowland
>>> 
>>> PS Don't refer to your AD DC as a PDC, that is something else
>>> entirely ;-)
>>> 
>> 
> 
> From the looks of it, you have modified one of the default Policies,
> this is not recommended. Try putting things back to the way they were
> and then create a new Policy.
> 
> Rowland
> 
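The two SDDL strings from the sysvolcheck error quoted above, compared field by field. This is an added example, not part of the original thread and not Samba's own code; the function names and the simplified SDDL pattern (owner, group and DACL only) are assumptions made for illustration.

```python
import re

# SDDL strings copied verbatim from the sysvolcheck error quoted in this thread.
ACTUAL = "O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)"
EXPECTED = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

# Simplified pattern (assumption): O:<owner>G:<group>D:<dacl flags>(ace)(ace)...
SID = r"[A-Z]{2}|S-[0-9-]+"
SDDL_RE = re.compile(r"O:(?P<owner>%s)G:(?P<group>%s)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)" % (SID, SID))

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        aces.append((trustee, ace_type, flags, int(rights, 16)))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": m.group("flags"), "aces": aces}

def by_trustee(aces):
    """Group ACEs per trustee so duplicates and ordering do not matter."""
    out = {}
    for trustee, ace_type, flags, rights in aces:
        out.setdefault(trustee, set()).add((ace_type, flags, rights))
    return out

def diff_sddl(actual, expected):
    """Report (on disk, expected) pairs for every field that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = {k: (a[k], e[k]) for k in ("owner", "group", "flags") if a[k] != e[k]}
    have, want = by_trustee(a["aces"]), by_trustee(e["aces"])
    report["extra_trustees"] = sorted(set(have) - set(want))
    report["missing_trustees"] = sorted(set(want) - set(have))
    report["changed"] = {t: (sorted(have[t]), sorted(want[t]))
                         for t in sorted(set(have) & set(want)) if have[t] != want[t]}
    return report

if __name__ == "__main__":
    for field, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(field, "->", value)
```

Read with the standard SDDL aliases (BA = Builtin Administrators, DA = Domain Admins, DU = Domain Users, CO = Creator Owner), the output shows that the file on disk has a different owner and group, lacks the protected-DACL flag `P` and the `OICI` inheritance flags on every ACE, is missing the Creator Owner entry, and carries an extra Builtin Administrators entry.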
