[Samba] Fwd: AD Policies are not applying properly

Anantha Raghava raghav at exzatechconsulting.com
Wed Jun 21 13:35:41 UTC 2017


Hi,

We have been consistently having issues with GPO and they are not 
consistent. We are using version 4.6.3 with BIND DNS Backend. As 
suggested in some of our previous communications, when we run the 
samba-tool ntacl sysvolcheck it results in the error as detailed below.

[root at dc1 ~]# samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[shares]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file/usr/local/samba/var/locks/sysvol/ktkbankltd.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/Registry.pol O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
     lp)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
     direct_db_access)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

Also, as suggested in one post, we checked the sysvol ownership and the 
result is:

rw-------  1 root root    421888 Mar 22 21:04 account_policy.tdb
-rw-------  1 root root    528384 Apr 20 15:24 registry.tdb
-rw-------  1 root root    421888 Mar 22 21:04 share_info.tdb
drwxrwx---+ 3 root 3000000     27 May 23 14:11 sysvol
-rw-------  1 root root     81920 Jun 19 13:58 winbindd_cache.tdb
drwxr-x---  2 root root        17 Jun  7 17:25 winbindd_privileged


Any suggestions to get the AD Domain Controller and Group Policies to 
work consistently?

-- 

Thanks & Regards,


Anantha Raghava
