[Samba] GPO ACL
Tom
kleyoneo at hotmail.com
Fri Jun 21 13:38:35 UTC 2019
Hello,
I have an error again in the Samba AD world.
I use RSAT with the DOMAIN\administrator account to make some GPOs.
Sometimes it doesn't work. So I checked the GPO ACL with the 'gpo aclcheck'
command, and this is what it returns:
got OID=1.2.840.48018.1.2.2
ERROR: Invalid GPO ACL
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
on path (domain.com\Policies\{20F5D1E9-30B5-49F6-904C-8B41299AA2ED}),
should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
The 'ntacl sysvolcheck' command returns this:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/domain.com/Policies/{20F5D1E9-30B5-49F6-904C-8B41299AA2ED}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/ntacl.py", line 314, in run
    lp)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1853, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1804, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1747, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Also, the 'ntacl get /usr/local/samba/var/locks/sysvol --as-sddl' command
says this:
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
load_module_absolute_path: Module '/usr/local/samba/lib/vfs/acl_xattr.so' loaded
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
This is the sysvol part of the AD DC smb.conf:
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
I fixed the problem thanks to the 'ntacl sysvolreset' command, but when I
modify a GPO, I need to start again.
So I'm lost.... what's wrong exactly?
Thanks :-)
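The two descriptors in the post differ only in the DACL control field: the on-disk ACL reads "PAI" while the value derived from the GPO object reads "P". In SDDL (MS-DTYP 2.5.1.1) "P" is SE_DACL_PROTECTED and "AI" is SE_DACL_AUTO_INHERITED, so the ACEs themselves are identical and only the auto-inherited flag is extra. The following parser and differ is an added example written for this page; it is not code from the post or from Samba (samba-tool has its own checks). The descriptors are copied from the post and the names parse_sddl, diff_sddl and the two access-mask labels are this example's own; only hex access masks and the O:/G:/D: sections are handled, which is all these descriptors use.

```python
"""Parse and diff SDDL security descriptors like the ones samba-tool prints."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two descriptors quoted in the post. On disk the
# DACL carries "PAI"; the value derived from the GPO object carries only "P".
ON_DISK = (
    "O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
)
EXPECTED = ON_DISK.replace("D:PAI(", "D:P(", 1)

# DACL control tokens (MS-DTYP 2.5.1.1) and the two access masks seen in the post.
DACL_FLAG_NAMES = {"P": "SE_DACL_PROTECTED",
                   "AI": "SE_DACL_AUTO_INHERITED",
                   "AR": "SE_DACL_AUTO_INHERIT_REQ"}
RIGHTS_NAMES = {0x1F01FF: "FILE_ALL_ACCESS",
                0x1200A9: "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"}

@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = access allowed, D = access denied, ...
    flags: str         # OI/CI/IO/NP/ID inheritance flags
    rights: int        # access mask
    object_guid: str
    inherit_guid: str
    sid: str           # SID string or two-letter alias (DA, EA, SY, ...)

@dataclass
class Sddl:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: List[str] = field(default_factory=list)
    dacl: List[Ace] = field(default_factory=list)

_SECTION_TAG = re.compile(r"[OGDS]:")

def split_control_flags(text: str) -> List[str]:
    """Tokenise 'PAI' into ['P', 'AI']; two-letter tokens are tried first."""
    out, i = [], 0
    while i < len(text):
        if text[i:i + 2] in ("AI", "AR"):
            out.append(text[i:i + 2]); i += 2
        elif text[i] == "P":
            out.append("P"); i += 1
        else:
            raise ValueError(f"unknown DACL control token at {text[i:]!r}")
    return out

def parse_ace(body: str) -> Ace:
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError(f"unsupported ACE {body!r}")
    if not parts[2].lower().startswith("0x"):
        raise ValueError(f"only hex access masks are handled: {parts[2]!r}")
    return Ace(parts[0], parts[1], int(parts[2], 16), parts[3], parts[4], parts[5])

def parse_sddl(text: str) -> Sddl:
    sd, pos = Sddl(), 0
    while pos < len(text):
        tag = text[pos]
        if text[pos + 1:pos + 2] != ":":
            raise ValueError(f"expected section tag at {text[pos:]!r}")
        pos += 2
        nxt = _SECTION_TAG.search(text, pos)
        section_end = nxt.start() if nxt else len(text)
        if tag in "OG":                      # owner / group: a SID up to the next tag
            setattr(sd, "owner" if tag == "O" else "group", text[pos:section_end])
            pos = section_end
        elif tag == "D":                     # control flags, then "(ace)(ace)..."
            paren = text.find("(", pos)
            end = min(section_end, paren if paren >= 0 else section_end)
            sd.dacl_flags = split_control_flags(text[pos:end])
            pos = end
            while pos < len(text) and text[pos] == "(":
                close = text.index(")", pos)
                sd.dacl.append(parse_ace(text[pos + 1:close]))
                pos = close + 1
        else:
            raise ValueError("SACL (S:) parsing not implemented in this example")
    return sd

def describe_flags(flags: List[str]) -> str:
    return "+".join(f"{f}({DACL_FLAG_NAMES.get(f, '?')})" for f in flags) or "(none)"

def describe_ace(ace: Ace) -> str:
    rights = RIGHTS_NAMES.get(ace.rights, f"0x{ace.rights:08x}")
    return f"{ace.ace_type};{ace.flags};{rights};{ace.sid}"

def diff_sddl(actual: str, expected: str) -> List[str]:
    """Human-readable differences between two descriptors; empty means identical."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    if a.owner != e.owner:
        diffs.append(f"owner: {a.owner} vs {e.owner}")
    if a.group != e.group:
        diffs.append(f"group: {a.group} vs {e.group}")
    if a.dacl_flags != e.dacl_flags:
        diffs.append(f"DACL control flags: {describe_flags(a.dacl_flags)} vs "
                     f"{describe_flags(e.dacl_flags)}")
    diffs += [f"extra ACE on disk: {describe_ace(x)}" for x in a.dacl if x not in e.dacl]
    diffs += [f"missing ACE on disk: {describe_ace(x)}" for x in e.dacl if x not in a.dacl]
    if a.dacl != e.dacl and not any(d.startswith(("extra", "missing")) for d in diffs):
        diffs.append("same ACEs, different order or multiplicity")
    return diffs

if __name__ == "__main__":
    for line in diff_sddl(ON_DISK, EXPECTED) or ["descriptors match"]:
        print(line)
```

Run against the post's two descriptors it reports a single difference, the AI control flag; run against a descriptor with a changed or extra ACE it names that ACE, which is the quicker way to see what a GPO edit actually changed on disk.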