[Samba] "This security ID may not be assigned as the owner of this object" when trying to create a GPO

Sebastian Arcus s.arcus at open-t.co.uk
Tue Apr 25 20:29:11 UTC 2017

On 25/04/17 20:18, Sebastian Arcus via samba wrote:
> I have upgraded Samba from an NT PDC to an AD DC about a week ago.
> Everything went pretty well until today. I've already configured about
> 25 GPOs (through RSAT on a Windows 10 machine) - but when I came to add
> more GPOs - it wouldn't let me with the above error message.

Replying to my own post, in case it helps someone. After hours of trial
and error, I discovered that enabling the Recycle vfs module globally in
smb.conf caused this. I still don't have a full understanding of how
it caused all the security errors related to creating GPOs - but
disabling the Recycle module globally got everything working fine again.

> Samba 4.5.0
> Slackware -current 64bit
> Kernel 4.4.20
> The client machine is a Windows 10 Pro.
> On the server I tried "samba-tool ntacl sysvolreset", which completes,
> but sysvolcheck has always given errors from the beginning of the
> upgrade (and keeps on doing so):
> #samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/hebi.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line
> 270, in run
>     lp)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1674, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1621, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' % (acl_type(direct_db_access),
> path, fsacl_sddl, acl))
> I also get a not very helpful error from samba-tool gpo aclcheck:
> #samba-tool gpo aclcheck
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line
> 1150, in run
>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
> Could anyone provide some hints as to where I should be looking next?
> What bugs me is that everything was working fine until today - and it
> stopped working seemingly out of the blue. I was mainly adding GPOs and
> not touching the main config - so I can't work out what could have gone
> wrong.
> Many thanks for any hints.
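Two things a reader of this thread would want to check for themselves, as an added Python example that is not code from the posts above or from the Samba project: whether smb.conf loads the recycle module in [global], where it wraps every share including sysvol and netlogon, and which field of the two SDDL strings printed by sysvolcheck actually differs. The smb.conf fragments are constructed for illustration (the realm is taken from the path in the error output); ACTUAL_SDDL and EXPECTED_SDDL are the strings quoted from the sysvolcheck output. The second finding the checker can report rests on an assumption the thread does not confirm: that an AD DC loads dfs_samba4 and acl_xattr by default and that an explicit "vfs objects" line in [global] replaces that list rather than adding to it.

```python
import re

# Constructed smb.conf fragments (not the poster's real configuration).
# First: the situation the reply describes, recycle enabled in [global].
GLOBAL_RECYCLE_CONF = """\
[global]
    realm = HEBI.LAN
    server role = active directory domain controller
    vfs objects = recycle
    recycle:repository = .recycle
[data]
    path = /srv/data
    read only = no
"""
# Second: the reply's fix taken one step further; recycle stays, but only
# on the ordinary share, so sysvol and netlogon are not wrapped by it.
PER_SHARE_RECYCLE_CONF = """\
[global]
    realm = HEBI.LAN
    server role = active directory domain controller
[data]
    path = /srv/data
    read only = no
    vfs objects = recycle
    recycle:repository = .recycle
"""
# Assumption, not stated in the thread: an AD DC loads these two modules
# when 'vfs objects' is unset, and an explicit [global] setting replaces
# that default list instead of extending it.
DC_DEFAULT_VFS = ("dfs_samba4", "acl_xattr")

# The two SDDL strings from the sysvolcheck output quoted above; they
# differ only in the first four characters (the owner).
ACTUAL_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
               "(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = "O:DA" + ACTUAL_SDDL[4:]
# Well-known SDDL abbreviations used in that output.
ALIASES = {"LA": "built-in Administrator account", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
SID = r"(?:S-1(?:-\d+)+|[A-Z]{2})"
SDDL_RE = re.compile(
    rf"^O:(?P<owner>{SID})G:(?P<group>{SID})"
    rf"D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*)"
    rf"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$")


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {param: value}}. Samba matches
    parameter names ignoring case and whitespace, so keys are normalised
    the same way ('vfs objects' -> 'vfsobjects')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current]["".join(key.lower().split())] = value.strip()
    return sections


def check_global_vfs(conf):
    """Return findings about 'vfs objects' in [global]; empty means clean."""
    g = conf.get("global", {})
    modules = g.get("vfsobjects", "").split()
    is_dc = "domain controller" in g.get("serverrole", "").lower()
    findings = []
    if "recycle" in modules:
        findings.append("recycle is loaded in [global], so it wraps every "
                        "share, sysvol and netlogon included")
    if is_dc and modules and any(m not in modules for m in DC_DEFAULT_VFS):
        findings.append("[global] vfs objects on an AD DC omits "
                        + " ".join(DC_DEFAULT_VFS))
    return findings


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, flags and ACE tuples."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)

    def aces(s):
        return [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", s or "")]
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["dflags"], "dacl": aces(m["dacl"]),
            "sacl_flags": m["sflags"] or "", "sacl": aces(m["sacl"])}


def sddl_diff(actual, expected):
    """(field, actual, expected) for every field that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return [(k, a[k], e[k]) for k in a if a[k] != e[k]]


if __name__ == "__main__":
    for conf in (GLOBAL_RECYCLE_CONF, PER_SHARE_RECYCLE_CONF):
        print(check_global_vfs(parse_smb_conf(conf)) or ["[global] vfs objects: ok"])
    for field, got, want in sddl_diff(ACTUAL_SDDL, EXPECTED_SDDL):
        print(field, got, ALIASES.get(got), "!= expected", want, ALIASES.get(want))
```

With the thread's strings, sddl_diff reports a single difference: the owner is LA (the built-in Administrator account) where DA (Domain Admins) is expected, while the seven ACEs of the DACL are identical. The owner is also the attribute the RSAT error message names. Against a real server, run the checker on the output of testparm -s rather than on the raw file, so that includes and defaults are already resolved.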
