[Samba] Failure gpupdate

Ricardo Pardim Claus ricardo.claus at yahoo.com.br
Wed Oct 5 12:59:33 UTC 2016


Dear James and Lingpanda 

Here I have 2 DC's running. Everything was running perfectly. 
The problem started after I started using rsync to synchronize the Sysvol folder between the DCs. 
I believe it is a permission problem in the GPOs or the Sysvol folder. 
Another detail. Even when accessing the gpedit Group Policy Manager via RSAT using the Administrator user, I can no longer edit any GPO. I get an access denied error. 
When I browse through the folders of the GPOs, I do not get an access denied error. 

Does anyone know how I can fix this problem? 
How do I fix the permissions? 

Here is the error output from the commands:

 

# samba-tool ntacl sysvolcheck 
lp_load_ex: refreshing parameters 
Initialising global parameters 
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) 
Processing section "[global]" 
Processing section "[netlogon]" 
Processing section "[sysvol]" 
ldb_wrap open of idmap.ldb 
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /usr/local/samba/var/locks/sysvol/domain.local O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision 
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run 
return self.run(*args, **kwargs) 
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run 
lp) 
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl 
raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL)) 



# getfacl /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/GPT.INI 
getfacl: Removing leading '/' from absolute path names 
# file: usr/local/samba/var/locks/sysvol/domain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI 
# owner: 3000000 
# group: 3000025 
user::rwx 
user:3000012:r-x 
user:3000025:rwx 
user:3000026:r-x 
group::rwx 
group:users:r-x 
group:3000000:rwx 
group:3000012:r-x 
group:3000025:rwx 
group:3000026:r-x 
mask::rwx 
other::--- 



# getfacl /usr/local/samba/var/locks/sysvol/ 
getfacl: Removing leading '/' from absolute path names 
# file: usr/local/samba/var/locks/sysvol/ 
# owner: root 
# group: root 
user::rwx 
user:root:rwx 
group::r-x 
group:root:r-x 
group:3000010:rwx 
mask::rwx 
other::r-x 
default:user::rwx 
default:user:root:rwx 
default:group::--- 
default:group:root:--- 
default:group:3000010:rwx 
default:mask::rwx 
default:other::--- 




>> Segmentation fault (core of the recorded image) 

>Did GPO's ever work? 

>Can you run 'samba-tool ntacl sysvolcheck' and report the status? 
>Even though the file exists physically, the permissions may not be correct. 

>-- 
>-James


>Just waking from my nap but several things:
>A - I believe I read several times it is not advised to use ".local" as top level domain.
>B - samba-tool should not segfault during sysvolreset
>C - most generally GPO update issues are linked to access rights of the user or computer accessing the share or the file(s).

>I wouldn't bother for now about the A.
>I would solve the segfault first (B).
>Finally once Samba is working fully again (including sysvolreset I mean) I would have a look at rights (issues with rights when accessing the GPO folder seem to happen mainly when several DCs are involved). 
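
Added example (not part of the original message and not Samba's own code): a small Python parser that splits the two SDDL strings from the ProvisioningError above into owner, group, DACL flags and ACEs, and reports where the ACL found on sysvol differs from the one provision expects. The function names are hypothetical; only the two SDDL strings come from the post. In SDDL, the DACL flag `P` marks the ACL as protected from inheritance and the ACE flag `ID` marks an inherited entry.

```python
import re

# Both strings are copied from the ProvisioningError in the message above.
ACTUAL = ("O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)"
          "(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)"
          "(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)"
          "(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)"
          "(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

SDDL_RE = re.compile(
    r"^O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*)"
    r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$")

def parse_aces(text):
    """Turn '(A;OICI;0x...;;;BA)...' into a list of ACE dicts."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text or ""):
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")[:6]
        # ACE flags are concatenated two-letter codes: OI, CI, IO, ID, SA, ...
        aces.append({"type": ace_type, "rights": rights, "trustee": trustee,
                     "flags": tuple(sorted(re.findall("..", flags)))})
    return aces

def parse_sddl(sddl):
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["dflags"], "dacl": parse_aces(m["dacl"]),
            "sacl_flags": m["sflags"] or "", "sacl": parse_aces(m["sacl"])}

def diff_sddl(actual, expected):
    """Report owner/group/flag mismatches and DACL entries that differ."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags")
              if a[k] != e[k]}
    key = lambda x: (x["trustee"], x["type"], x["rights"], x["flags"])
    have, want = {key(x) for x in a["dacl"]}, {key(x) for x in e["dacl"]}
    report["unexpected_aces"] = sorted(have - want)
    report["missing_aces"] = sorted(want - have)
    report["all_inherited"] = all("ID" in x["flags"] for x in a["dacl"])
    return report

if __name__ == "__main__":
    for field, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(field, "->", value)
```

For these two strings the report shows a different owner and group, a DACL that is no longer protected, and every DACL entry on disk carrying the inherited flag, while none of the four explicit entries provision expects is present.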


