[Samba] Fwd: AD Policies are not applying properly

Anantha Raghava raghav at exzatechconsulting.com
Thu Jun 22 13:41:18 UTC 2017


Hi,

No solutions to get out of this?

-- 

Thanks & Regards,


Anantha Raghava


On 21/06/17 7:05 PM, Anantha Raghava wrote:
> Hi,
>
> We have been consistently having issues with GPO and they are not 
> consistent. We are using version 4.6.3 with BIND DNS Backend. As 
> suggested in some of our previous communications, when we run the 
> samba-tool ntacl sysvolcheck it results in the error as detailed below.
>
> [root@dc1 ~]# samba-tool ntacl sysvolcheck
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[shares]"
> ldb_wrap open of idmap.ldb
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file/usr/local/samba/var/locks/sysvol/ktkbankltd.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/Registry.pol O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
>      lp)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>      direct_db_access)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
>      domainsid, direct_db_access)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
>
> Also, as suggested in one post, we checked the sysvol ownership and 
> the result is:
>
> -rw-------  1 root root    421888 Mar 22 21:04 account_policy.tdb
> -rw-------  1 root root    528384 Apr 20 15:24 registry.tdb
> -rw-------  1 root root    421888 Mar 22 21:04 share_info.tdb
> drwxrwx---+ 3 root 3000000     27 May 23 14:11 sysvol
> -rw-------  1 root root     81920 Jun 19 13:58 winbindd_cache.tdb
> drwxr-x---  2 root root        17 Jun  7 17:25 winbindd_privileged
>
> Any suggestions to get the AD Domain Controller and Group Policies to 
> work consistently?
>
> -- 
>
> Thanks & Regards,
>
>
> Anantha Raghava
>
>
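
The two SDDL strings in the quoted `sysvolcheck` error differ in several places at once. The following is an added example (not part of the original post and not Samba's own code) that parses both strings, copied from the error above, and reports the owner, group, DACL flag and per-ACE differences behind the mismatch. `parse_sddl` and `diff_sddl` are hypothetical helper names, and only owner/group/DACL strings of this shape are handled.

```python
import re

# SDDL strings copied from the sysvolcheck error quoted above.
ON_DISK = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
           "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Owner, group, DACL flags, then zero or more parenthesised ACEs (no SACL).
SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl_flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a dict of ACEs."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    parsed = m.groupdict()
    aces = {}
    for body in re.findall(r"\(([^)]*)\)", parsed["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        # Key by trustee, type and access mask; the value is the inheritance flags.
        aces[(trustee, ace_type, rights.lower())] = flags
    parsed["aces"] = aces
    return parsed

def diff_sddl(on_disk, expected):
    """Return the fields and ACEs on which the two descriptors disagree."""
    a, e = parse_sddl(on_disk), parse_sddl(expected)
    out = {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]}
    fa, fe = a["aces"], e["aces"]
    out["only_on_disk"] = sorted(k[0] for k in fa.keys() - fe.keys())
    out["only_expected"] = sorted(k[0] for k in fe.keys() - fa.keys())
    # Same trustee, type and mask on both sides, but different inheritance flags.
    out["flag_mismatch"] = {k[0]: (fa[k], fe[k])
                            for k in fa.keys() & fe.keys() if fa[k] != fe[k]}
    return out

if __name__ == "__main__":
    for field, value in diff_sddl(ON_DISK, EXPECTED).items():
        print(field, value)
```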


