[Samba] Failure permission in Sysvol and GPO

Ricardo Pardim Claus ricardo.claus at yahoo.com.br
Mon Oct 3 19:28:58 UTC 2016


Dear all,
I'm having trouble handling GPOs on my DC.

Environment: 
Samba 4.4.5, primary and secondary DC. 

I am not allowed to edit the GPOs.

The problem occurred after I edited the Default GPO on the primary DC and then ran rsync to synchronize the DCs.

The following errors appear when I run these commands:
Note: I have hidden the actual domain name.

# samba-tool gpo aclcheck -U Administrator 
GENSEC backend 'gssapi_spnego' registered 
GENSEC backend 'gssapi_krb5' registered 
GENSEC backend 'gssapi_krb5_sasl' registered 
GENSEC backend 'spnego' registered 
GENSEC backend 'schannel' registered 
GENSEC backend 'naclrpc_as_system' registered 
GENSEC backend 'sasl-EXTERNAL' registered 
GENSEC backend 'ntlmssp' registered 
GENSEC backend 'ntlmssp_resume_ccache' registered 
GENSEC backend 'http_basic' registered 
GENSEC backend 'http_ntlm' registered 
GENSEC backend 'krb5' registered 
GENSEC backend 'fake_gssapi_krb5' registered 
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.DOMAIN.LOCAL<0x0> 
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.DOMAIN.LOCAL<0x0> 
resolve_lmhosts: Attempting lmhosts lookup for name srv14.domain.local<0x20> 
Password for [DOMAIN\Administrator]: 
resolve_lmhosts: Attempting lmhosts lookup for name srv14.domain.local<0x20> 
ERROR: Invalid GPO ACL O:BAG:SYD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001200a9;;;AU)(A;OICI;;;;WD)(A;;0x001f01ff;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG) on path (domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}), should be O:DAG:DAD:PAI(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;DA)(A;OICI;0x001e01bf;;;EA)(A;OICIIO;0x001f01ff;;;EA)(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 



# samba-tool ntacl sysvolcheck -U Administrator 
lp_load_ex: refreshing parameters 
Initialising global parameters 
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) 
Processing section "[global]" 
Processing section "[netlogon]" 
Processing section "[sysvol]" 
ldb_wrap open of idmap.ldb 
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /usr/local/samba/var/locks/sysvol/domain.local O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision 
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run 
return self.run(*args, **kwargs) 
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run 
lp) 
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl 
raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))


# samba-tool ntacl sysvolreset -U administrator 
lp_load_ex: refreshing parameters 
Initialising global parameters 
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) 
Processing section "[global]" 
Processing section "[netlogon]" 
Processing section "[sysvol]" 
ldb_wrap open of idmap.ldb 
lp_load_ex: refreshing parameters 
Processing section "[global]" 
Processing section "[netlogon]" 
Processing section "[sysvol]" 
Initialising default vfs hooks 
Initialising custom vfs hooks from [/[Default VFS]/] 
Initialising custom vfs hooks from [full_audit] 
Module 'full_audit' loaded 
Segmentation fault (core of the recorded image)



# getfacl /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/ 
getfacl: Removing leading '/' from absolute path names 
# file: usr/local/samba/var/locks/sysvol/domain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/ 
# owner: 3000000 
# group: 3000025 
user::rwx 
user:3000012:r-x 
user:3000025:rwx 
user:3000026:r-x 
group::rwx 
group:3000000:rwx 
group:3000012:r-x 
group:3000025:rwx 
group:3000026:r-x 
mask::rwx 
other::--- 
default:user::rwx 
default:user:3000000:rwx 
default:user:3000012:r-x 
default:user:3000025:rwx 
default:user:3000026:r-x 
default:group::--- 
default:group:3000000:rwx 
default:group:3000012:r-x 
default:group:3000025:rwx 
default:group:3000026:r-x 
default:mask::rwx 
default:other::--- 



# ls -al /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/ 
total 28 
drwxrwx---+  4 3000000 3000025   45 Ago  2 11:15 . 
drwxrwx---+ 15 3000000 3000025 4096 Ago  2 11:15 .. 
-rwxrwx---+  1 3000000 3000025   27 Set 30 16:03 GPT.INI 
drwxrwx---+  5 3000000 3000025   74 Ago  2 11:15 MACHINE 
drwxrwx---+  5 3000000 3000025  104 Ago  2 11:15 USER 



The GPO {31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy.
Does anyone know how to solve this problem?
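The aclcheck and sysvolcheck output above consists of SDDL security descriptors, and the only thing the tool reports is that the whole string differs from the provisioned one. The following is an added example (not from the poster and not Samba's own code) of a small SDDL parser that takes the "is" and "should be" strings copied from the messages above, reports exactly which header fields and ACEs differ, and flags allow entries that a reviewer would want to look at: ACEs with an empty access mask (they grant nothing and usually point to a mangled rewrite, like the WD and CG entries here) and ACEs that give write, WRITE_DAC or WRITE_OWNER rights to broad groups. The access-mask bit values are the standard Windows file rights; the set of "broad" trustee aliases is this example's own choice, and symbolic rights strings such as FA are recognised but not decoded.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Descriptors copied from the mailing-list post: the actual and expected ACLs
# that samba-tool gpo aclcheck printed for the Default Domain Policy directory,
# and the sysvol directory ACL that sysvolcheck complained about.
GPO_ACTUAL = ("O:BAG:SYD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)"
              "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)"
              "(A;OICI;0x001200a9;;;SO)(A;OICI;0x001200a9;;;AU)(A;OICI;;;;WD)(A;;0x001f01ff;;;SY)"
              "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)")
GPO_EXPECTED = ("O:DAG:DAD:PAI(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;DA)(A;OICI;0x001e01bf;;;EA)"
                "(A;OICIIO;0x001f01ff;;;EA)(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;CO)"
                "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
SYSVOL_ACTUAL = ("O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)"
                 "(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)"
                 "(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001e01bf;;;CO)"
                 "S:AI(AU;OICIIDSA;SD;;;WD)")

ACE_RE = re.compile(r"\(([^)]*)\)")
# Example's own choice of aliases treated as "broad" groups: Everyone, Authenticated
# Users, Enterprise Domain Controllers, Builtin Users, Domain Users, Interactive, Anonymous.
BROAD_TRUSTEES = {"WD", "AU", "ED", "BU", "DU", "IU", "AN"}
# Mask bits that let a principal change content, ACL or owner: FILE_WRITE_DATA,
# FILE_APPEND_DATA, FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES, DELETE, WRITE_DAC, WRITE_OWNER.
WRITE_BITS = 0x0002 | 0x0004 | 0x0010 | 0x0100 | 0x10000 | 0x40000 | 0x80000


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = allow, D = deny, AU = audit, ...
    flags: str         # inheritance flags such as OI, CI, IO, ID
    rights: str        # access mask as written (hex here), may be empty
    object_guid: str
    inherit_guid: str
    trustee: str       # two-letter alias or literal S-1-... SID

    @property
    def mask(self) -> Optional[int]:
        """Mask as int; 0 for an empty field; None for symbolic rights (FA, GR, ...)."""
        if self.rights == "":
            return 0
        return int(self.rights, 16) if self.rights.lower().startswith("0x") else None

    def as_sddl(self) -> str:
        return "(" + ";".join([self.ace_type, self.flags, self.rights,
                               self.object_guid, self.inherit_guid, self.trustee]) + ")"


@dataclass
class SecurityDescriptor:
    owner: Optional[str]
    group: Optional[str]
    dacl_flags: str
    dacl: List[Ace]
    sacl_flags: str
    sacl: List[Ace]


def _split_components(sddl: str) -> Dict[str, str]:
    """Split 'O:..G:..D:..S:..'; tags only count outside parentheses so ACE fields
    such as the trustee 'SO' can never start a new component."""
    parts: Dict[str, str] = {}
    current, buf, depth, i = None, [], 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if current is not None:
                parts[current] = "".join(buf)
            current, buf = ch, []
            i += 2
            continue
        depth += (ch == "(") - (ch == ")")
        buf.append(ch)
        i += 1
    if current is not None:
        parts[current] = "".join(buf)
    return parts


def _parse_acl(text: str):
    """Return (acl flags, [Ace, ...]) for one D: or S: component."""
    first = text.find("(")
    if first < 0:
        return text, []
    aces = []
    for body in ACE_RE.findall(text[first:]):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(*fields[:6]))
    return text[:first], aces


def parse_sddl(sddl: str) -> SecurityDescriptor:
    parts = _split_components(sddl.strip())
    dacl_flags, dacl = _parse_acl(parts.get("D", ""))
    sacl_flags, sacl = _parse_acl(parts.get("S", ""))
    return SecurityDescriptor(parts.get("O"), parts.get("G"), dacl_flags, dacl, sacl_flags, sacl)


def diff_descriptors(actual: SecurityDescriptor, expected: SecurityDescriptor) -> Dict[str, object]:
    """Header fields that differ plus ACEs present on only one side (order and duplicates ignored)."""
    have, want = set(actual.dacl), set(expected.dacl)
    return {
        "owner": None if actual.owner == expected.owner else (actual.owner, expected.owner),
        "group": None if actual.group == expected.group else (actual.group, expected.group),
        "dacl_flags": None if actual.dacl_flags == expected.dacl_flags else (actual.dacl_flags, expected.dacl_flags),
        "missing": want - have,
        "extra": have - want,
    }


def review_dacl(sd: SecurityDescriptor) -> List[str]:
    """Flag allow ACEs with an empty mask and allow ACEs granting write rights to broad groups."""
    findings = []
    for ace in sd.dacl:
        if ace.ace_type != "A":
            continue
        if ace.mask is None:
            findings.append(f"symbolic rights not decoded: {ace.as_sddl()}")
        elif ace.mask == 0:
            findings.append(f"empty access mask: {ace.as_sddl()}")
        elif ace.trustee in BROAD_TRUSTEES and ace.mask & WRITE_BITS:
            findings.append(f"write access for broad group: {ace.as_sddl()}")
    return findings


if __name__ == "__main__":
    actual, expected = parse_sddl(GPO_ACTUAL), parse_sddl(GPO_EXPECTED)
    for key, value in diff_descriptors(actual, expected).items():
        if value:
            print(f"{key}: {value}")
    for line in review_dacl(actual):
        print("finding:", line)
    print("sysvol SACL:", [a.as_sddl() for a in parse_sddl(SYSVOL_ACTUAL).sacl])
```

Run as a script it shows that the Policies directory is owned by BA/SY instead of DA/DA, that the DACL is protected without the AI flag, that every Domain Admins and Enterprise Admins entry from provisioning is gone, and that the two empty-mask entries for WD and CG are artifacts worth removing; the same parser reads the sysvolcheck descriptor including its audit SACL entry.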


