[Samba] Samba 4 -> Group Policy Drive Map -> Access Denied

Marco Shmerykowsky PE marco at sce-engineers.com
Mon Jan 21 19:16:59 UTC 2019 

Kicks up an error:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory /var/lib/samb
a/sysvol/sce-internal.sce-engineers.com/Policies/{EEB4B384-6F43-403B-BD24-B0BA7AB04F41} 
O:DAG:DAD:PAI(A;OICIIO;0x001f01ff;;;CO)(A
;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED) 
does not m
atch expected value 
O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;D
A)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED) from GPO object 

   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 177, in _run
     return self.run(*args, **kwargs) 

   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
270, in run
     lp) 

   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1836, in checksysvolacl
     direct_db_access) 

   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1787, in check_gpos_acl
     domainsid, direct_db_access) 

   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1734, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_d
b_access), path, fsacl_sddl, acl))

On 1/21/2019 2:11 PM, Luke Barone via samba wrote:
> OK, the preference is set correctly. Have you run a "samba-tool ntacl
> sysvolcheck" on your first domain controller? That will check the
> permissions. If you have additional domain controllers, ensure you're
> connecting to the one holding the PDC Emulator role (typically your first
> DC) in your GPMC.
> 
> If the sysvolcheck says everything is fine, and you only have one domain
> controller, then we'll have more troubleshooting to do.
> 
> On Mon, Jan 21, 2019 at 10:37 AM Marco Shmerykowsky via samba <
> samba at lists.samba.org> wrote:
> 
>> <?xml version="1.0" encoding="utf-8"?>
>> <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}"><Drive
>> clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="W:" status="W:"
>> image="2" changed="2019-01-21 18:36:07"
>> uid="{6524E6E3-E107-48CC-9973-406E16B5F34D}" userContext="1"
>> bypassErrors="1"><Properties action="U" thisDrive="SHOW" allDrives="SHOW"
>> userName="" path="\\sce251\test-share" label="SHARE" persistent="1"
>> useLetter="1" letter="W"/><Filters/></Drive>
>> </Drives>
>>
>> On Mon, January 21, 2019 1:27 pm, Luke Barone via samba wrote:
>>> OK, remove the Item Level Targeting - that should hit all Domain Users
>>> anyways.
>>>
>>> Can you extract the .XML file that is made from that policy? Go to your
>>> SYSVOL\<domain>\Policies\<GUID for Policy>\User\Preferences\Drives, and
>>> open up "Drives.xml". Copy and paste the contents of that file into the
>>> mailing list.
>>>
>>> On Mon, Jan 21, 2019 at 10:23 AM Marco Shmerykowsky PE via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>>> user configuration -> Preferences -> Windows Settings -> Drive Maps
>>>>
>>>> Item Level Targeting -> Security Group, Domain Users
>>>>
>>>> On 1/21/2019 11:09 AM, Luke Barone via samba wrote:
>>>>> Where is the policy targeting - the user or the computer?
>>>>>
>>>>>
>>>>> On Mon, Jan 21, 2019 at 7:51 AM Marco Shmerykowsky PE via samba <
>>>>> samba at lists.samba.org> wrote:
>>>>>
>>>>>> I seem to be having trouble getting group policies
>>>>>> to map a drive.  When I drilled down thru the logs
>>>>>> I get an "Access Denied" message.
>>>>>>
>>>>>> I can navigate to the share via the computer browser
>>>>>> and map a drive the "old fashion way" with any issues.
>>>>>> Files can be read and written.
>>>>>>
>>>>>> The group policy doesn't seem to take.  Suggestions?
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list