[Samba] samba-tool ntacl sysvol check errors (samba 4.7.4 AD DC)
Kacper Wirski
kacper.wirski at gmail.com
Tue Jan 9 22:05:34 UTC 2018
Hello,

Since I recently updated my Samba DCs, I've noticed some weird
behaviour on Windows stations (seems random?) with some GPOs not being
applied from time to time (reboot or even logoff-login usually does the
trick). When a policy is not applied and I run "gpupdate" on the Windows
client, I'm getting output that policy xxx (Default domain policy)
could not be processed and because of this no other policy will be
processed.

So I ran samba-tool ntacl sysvolcheck on the DC with the PDC FSMO, and I'm
getting errors like this:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{77B4CB26-79A1-44B7-A003-1D8848B58128}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

I'm not sure what to make of it. I understand that the ACLs are somehow
correct ("does not match expected value ").

I've run sysvol reset, but I didn't notice anything change.

I also tried recreating that policy via RSAT and the GPO management snap-in.
I've done "copy -> paste (use default settings)". The policy was added with
a new policy ID, with completely default settings, but I got the error with
the ID of the "new" policy.

samba-tool dbcheck --cross-ncs shows no errors, from the Windows client all
permissions seem fine, and the samba daemon doesn't generate any errors.

The only issue is that the Windows client occasionally doesn't apply some (not
all) of the policies, but after a restart they're fine. I'm not sure if
I'm even on the right track.

Can someone maybe explain what this error means, and how to possibly fix it?
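
Added example, not part of the original post and not Samba's own code: a small Python helper that splits the two SDDL strings from the error above into owner, group, DACL control flags and ACEs and reports where they differ. The function and constant names are made up for this illustration, and only the O:, G: and D: parts of an SDDL string are handled.

```python
import re

# SDDL DACL control-flag tokens and the security-descriptor control bits they set.
DACL_FLAGS = {"P": "SE_DACL_PROTECTED", "AR": "SE_DACL_AUTO_INHERIT_REQ",
              "AI": "SE_DACL_AUTO_INHERITED"}

SDDL_RE = re.compile(r"^(?:O:(?P<owner>.+?))?(?:G:(?P<group>.+?))?"
                     r"(?:D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*))?$")

def parse_sddl(sddl):
    """Split an SDDL string (owner, group, DACL only) into comparable parts."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    flags = re.findall(r"AR|AI|P", m.group("flags") or "")
    # Each ACE is type;flags;rights;object_guid;inherit_object_guid;trustee
    aces = [tuple(a.split(";"))
            for a in re.findall(r"\(([^)]*)\)", m.group("aces") or "")]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": flags, "aces": aces}

def diff_sddl(actual, expected):
    """Return a list of human-readable differences between two SDDL strings."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    for key in ("owner", "group"):
        if a[key] != e[key]:
            out.append("%s: %s != %s" % (key, a[key], e[key]))
    for f in sorted(set(a["flags"]) ^ set(e["flags"])):
        side = "actual" if f in a["flags"] else "expected"
        out.append("DACL flag %s (%s) only in %s" % (f, DACL_FLAGS[f], side))
    if a["aces"] != e["aces"]:
        out.append("ACE list differs: %s"
                   % sorted(set(a["aces"]) ^ set(e["aces"])))
    return out

# The two descriptors quoted in the error message above (same ACE list in both).
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
ACTUAL = "O:DAG:DAD:PAI" + ACES    # ACL found on the GPO directory
EXPECTED = "O:DAG:DAD:P" + ACES    # value derived from the GPO object

if __name__ == "__main__":
    for line in diff_sddl(ACTUAL, EXPECTED):
        print(line)
```

Run on the two strings from the error, it reports a single difference: the ACL found on the directory carries the AI (SE_DACL_AUTO_INHERITED) DACL flag and the expected value does not, while owner, group and all seven ACEs are identical.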