[Samba] gpupdate use wrong url

L.P.H. van Belle belle at bazuin.nl
Tue Feb 7 11:10:06 UTC 2017

And if samba-tool gpo listall shows errors, well, you have an error in your setup.

You can try to run : samba-tool ntacl sysvolcheck

And if you see things like this : 
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /home/samba/sysvol/internal.domain.tld/Policies/{EAF112FE-4718-4693-BD18-6B4FC8A0513A} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)

And ignore output like the above! Do compare it a bit;
I know my above "error" isn't an error.
Why:
samba-tool gpo show {EAF212FE-4718-4693-BD18-6B4FC8A0513A}
GPO          : {EAF212FE-4718-4693-BD18-6B4FC8A0513A}
display name : Standaard Computer
path         : \\rotterdam.bazuin.nl\SysVol\internal.domain.tld\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}
dn           : CN={EAF212FE-4718-4693-BD18-6B4FC8A0513A},CN=Policies,CN=System,DC=internal,DC=domain,DC=tld
version      : 15729044
flags        : NONE
ACL          : <hidden>

display name : Standaard Computer = Default Computer

So sysvolcheck is simply wrong here. Why? I don't know,
but I have 0 errors with GPOs here (win7/win10 32/64bit).

My fixup is as follows.

Add this line to sysvol share: 
acl_xattr:ignore system acls = yes 
sysvol is a windows only share, this way it gets the best acl support. 

Backup the content in sysvol/internal.domain.tld/ 

Move everything out of the internal.domain.tld folder. 

Run : samba-tool ntacl sysvolreset
( should be error free now ) 

Put everything back.

Now very important, DO NOT RUN samba-tool ntacl sysvolreset again. 
NEVER EVER, if you do, you must repeat the above again. 

Now go to a Windows client, log in as administrator (or a policy admin).
First check the share rights of sysvol, as it shows on the wiki. 
Second check the security rights of sysvol as it shows on the wiki.

Open GPO Editor, click once on every GPO object; it complains about rights, that's OK, click to correct.

Now you should have an error-free GPO setup.

! An important setting in your GPO.
The computer$ accounts must have access to the policy.
So you need to either set: authenticated users
or you need to add "Domain Computers" to the GPO object.
As shown here : 

and now samba-tool gpo listall should show all GPOs without errors. 
As it does for me. 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex Crow via samba
> Sent: Tuesday 7 February 2017 11:22
> To: samba at lists.samba.org
> Subject: Re: [Samba] gpupdate use wrong url
> There's nothing wrong with that path. If your DNS is working, you should
> be able to connect to \\foo, which is your AD domain.
> It will just pick one of your DCs instead of a static one.
> Alex
> On 06/02/17 14:36, basti via samba wrote:
> >
> > samba-tool gpo listall
> > also shows wrong path in gpo
> >
> >
> > On 06.02.2017 15:21, basti via samba wrote:
> >> When I do a gpupdate /force, a wrong URL is used.
> >>
> >> \\foo\SysVol\foo\Policies\{89E....}\gpt.ini
> >>
> >> On my DC the path (in Explorer) is
> >>
> >> \\dc1\sysol\foo\Policies\{89E....}\gpt.ini
> >> or
> >> \\dc1.foo\sysol\foo\Policies\{89E....}\gpt.ini
> >>
> >> What's wrong?
> >>
> >>
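Added example, not part of the original post and not Samba code: a small Python helper for the "compare it a bit" step, which takes the sysvolcheck mismatch message and reports which SDDL fields (owner, group, DACL flags, ACEs) differ between the directory and the GPO object. The function names are hypothetical, and it assumes the owner/group/DACL form of SDDL that appears in the error above.

```python
import re

# Constructed sample: the mismatch message from the post, with the ACE list
# shortened to two entries so the string stays readable.
SAMPLE_ERROR = (
    "ProvisioningError: DB ACL on GPO directory "
    "/home/samba/sysvol/internal.domain.tld/Policies/"
    "{EAF112FE-4718-4693-BD18-6B4FC8A0513A} "
    "O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU) "
    "does not match expected value "
    "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU) "
    "from GPO object"
)

ERROR_RE = re.compile(
    r"ACL on GPO directory (?P<path>.+?) (?P<fs>O:\S+) "
    r"does not match expected value (?P<gpo>O:\S+) from GPO object"
)
# Owner and group are a two-letter SDDL alias (DA, LA, ...) or a literal SID.
SDDL_RE = re.compile(
    r"^O:(?P<owner>[A-Z]{2}|S-[\d-]+)G:(?P<group>[A-Z]{2}|S-[\d-]+)"
    r"D:(?P<dacl_flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$"
)


def split_sddl(sddl):
    """Split an owner/group/DACL SDDL string into comparable parts."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    parts = m.groupdict()
    # Keep ACE order: order is significant when a DACL is evaluated.
    parts["aces"] = re.findall(r"\(([^)]*)\)", parts["aces"])
    return parts


def diff_sysvolcheck_error(message):
    """Return (path, {field: (on_disk, from_gpo_object)}) for differing fields."""
    m = ERROR_RE.search(message)
    if m is None:
        raise ValueError("not a GPO directory ACL mismatch message")
    fs, gpo = split_sddl(m.group("fs")), split_sddl(m.group("gpo"))
    return m.group("path"), {k: (fs[k], gpo[k]) for k in fs if fs[k] != gpo[k]}


if __name__ == "__main__":
    path, delta = diff_sysvolcheck_error(SAMPLE_ERROR)
    for field, (on_disk, expected) in delta.items():
        print("%s: %s on disk=%s GPO object=%s" % (path, field, on_disk, expected))
```

For the message quoted in the post this reports only the owner field: LA (the Administrator account alias) on the directory versus DA (Domain Admins) in the GPO object, with group, DACL flags and ACEs identical.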
