[Samba] samba-tool ntacl sysvol check errors (samba 4.7.4 AD DC)

Kacper Wirski kacper.wirski at gmail.com
Tue Jan 9 22:05:34 UTC 2018 

Hello,

Since I updated recently my samba DC's, I've noticed some werid 
behaviour on windows stations (seems random?) with some GPO's not being 
applied from time to time (reboot or even logoff-login usually does the 
trick). When policy is not applied and I run "gpupdate" on windows 
client  I'm getting output, that policy xxx (Default domain policy) 
could not be processed and because of this no other policy will be 
processed.

So i ran samba-tool ntacl sysvolcheck on DC with PDC FSMO, and I'm 
getting errors like this:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{77B4CB26-79A1-44B7-A003-1D8848B58128} 
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 176, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", 
line 270, in run
     lp)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", 
line 1723, in checksysvolacl
     direct_db_access)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", 
line 1674, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", 
line 1621, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
path, fsacl_sddl, acl))

I'm not sure what to make out of it. I understand that ACL are somehow 
correct ("does not match expected value ").

I've run sysvol reset, but I didn't notice anything change.

I also tried recreating that policy via RSAT and GPO management snap-in. 
I'v edone "copy -> paste (use default settings)". Policy was added with 
new policy ID, with completely default settings, but I got error with ID 
of the "new" policy.

samba-tool dbcheck --cross-ncs shows no errors, from windows client all 
permissions seem fine, samba daemon doesn't generate any errors.

Only issue is that windows client occasionaly doesn't apply some (not 
all) of the policies, but after restart they're fine. I'm not sure if 
i'm even on the right track.

Can someone maybe explain what this error means, and how to possibly fix it?

More information about the samba mailing list