[Samba] Failure permission in Sysvol and GPO
Ricardo Pardim Claus
ricardo.claus at yahoo.com.br
Mon Oct 3 19:28:58 UTC 2016
Dear,
I'm having trouble handling GPOs on my DC.
Environment:
Samba 4.4.5, primary and secondary DC.
I am not allowed to edit the GPOs.
The problem occurred after I edited the Default GPO on the primary DC and then ran rsync to synchronize between the DCs.
The following errors appear when I run these commands:
Note: I hid the actual domain name.
# samba-tool gpo aclcheck -U Administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.DOMAIN.LOCAL<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.DOMAIN.LOCAL<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name srv14.domain.local<0x20>
Password for [DOMAIN\Administrator]:
resolve_lmhosts: Attempting lmhosts lookup for name srv14.domain.local<0x20>
ERROR: Invalid GPO ACL O:BAG:SYD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001200a9;;;AU)(A;OICI;;;;WD)(A;;0x001f01ff;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG) on path (domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}), should be O:DAG:DAD:PAI(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;DA)(A;OICI;0x001e01bf;;;EA)(A;OICIIO;0x001f01ff;;;EA)(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
# samba-tool ntacl sysvolcheck -U Administrator
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /usr/local/samba/var/locks/sysvol/domain.local O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
lp)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl
raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
# samba-tool ntacl sysvolreset -U administrator
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [full_audit]
Module 'full_audit' loaded
Segmentation fault (core of the recorded image)
# getfacl /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/domain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000000
# group: 3000025
user::rwx
user:3000012:r-x
user:3000025:rwx
user:3000026:r-x
group::rwx
group:3000000:rwx
group:3000012:r-x
group:3000025:rwx
group:3000026:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000000:rwx
default:user:3000012:r-x
default:user:3000025:rwx
default:user:3000026:r-x
default:group::---
default:group:3000000:rwx
default:group:3000012:r-x
default:group:3000025:rwx
default:group:3000026:r-x
default:mask::rwx
default:other::---
# ls -al /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
total 28
drwxrwx---+ 4 3000000 3000025 45 Ago 2 11:15 .
drwxrwx---+ 15 3000000 3000025 4096 Ago 2 11:15 ..
-rwxrwx---+ 1 3000000 3000025 27 Set 30 16:03 GPT.INI
drwxrwx---+ 5 3000000 3000025 74 Ago 2 11:15 MACHINE
drwxrwx---+ 5 3000000 3000025 104 Ago 2 11:15 USER
The GPO {31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy.
Anyone know how to solve this problem?
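As an added illustration (not code from the post or from Samba), a small checker that parses the two SDDL descriptors quoted in the sysvolcheck error above and lists how the on-disk ACL drifted from the provisioned one: owner and group changed, the DACL lost its P (protected) flag, and every ACE is now inherited (ID) instead of explicit. It assumes trustees appear only as two-letter aliases or raw SIDs, as in the post.

```python
import re
# Added example (not from the post or Samba): parse the two SDDL strings
# printed by `samba-tool ntacl sysvolcheck` above and report how they differ.
ACTUAL = ("O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)"
          "(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)"
          "(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)"
          "(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)"
          "(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

_TRUSTEE = r"([A-Z]{2}|S-[0-9-]+)"            # two-letter alias or raw SID
_OWNER, _GROUP = re.compile("O:" + _TRUSTEE), re.compile("G:" + _TRUSTEE)
_ACL = re.compile(r"(D|S):([A-Z]*)((?:\([^()]*\))*)")   # ACL flags + ACE list

def parse_sddl(sddl):
    """Return {'O': owner, 'G': group, 'D'/'S': (flags, [(type, flags, rights, trustee)])}."""
    out = {"O": _OWNER.search(sddl).group(1), "G": _GROUP.search(sddl).group(1)}
    for kind, flags, body in _ACL.findall(sddl):
        aces = []
        for ace in re.findall(r"\(([^()]*)\)", body):
            f = ace.split(";")
            aces.append((f[0], f[1], f[2], f[5]))   # drop the two empty object-GUID fields
        out[kind] = (flags, aces)
    return out

def ace_flags(flags):
    """Split 'OICIIOID' into its two-letter flag tokens."""
    return {flags[i:i + 2] for i in range(0, len(flags), 2)}

def diff_sddl(actual, expected):
    """List human-readable differences; an empty list means the ACLs match."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    problems = []
    for k, label in (("O", "owner"), ("G", "group")):
        if a[k] != e[k]:
            problems.append("%s is %s, expected %s" % (label, a[k], e[k]))
    aflags, aaces = a.get("D", ("", []))
    eflags, eaces = e.get("D", ("", []))
    if "P" in eflags and "P" not in aflags:
        problems.append("DACL is not protected (no P flag): ACEs inherit from the parent")
    inherited = sum(1 for x in aaces if "ID" in ace_flags(x[1]))
    if inherited:
        problems.append("%d of %d ACEs are inherited (ID) rather than explicit" % (inherited, len(aaces)))
    for ace in eaces:
        if ace not in aaces:
            problems.append("missing explicit ACE (%s)" % ";".join(ace))
    if "S" in a and "S" not in e:
        problems.append("unexpected SACL present")
    return problems
```

Running `diff_sddl(ACTUAL, EXPECTED)` on the post's two descriptors yields nine findings, which is why sysvolcheck refuses the directory outright rather than reporting a single wrong ACE.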