[Samba] GPO ACL

Tom kleyoneo at hotmail.com
Fri Jun 21 13:38:35 UTC 2019


Hello,

I have an error again in the Samba AD world.

I use RSAT with the DOMAIN\administrator account to make some GPOs. 
Sometimes it doesn't work. So I have checked the GPO ACL with the 'gpo aclcheck'
command, and this is what it returns:

got OID=1.2.840.48018.1.2.2
ERROR: Invalid GPO ACL 
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
on path (domain.com\Policies\{20F5D1E9-30B5-49F6-904C-8B41299AA2ED}), 
should be 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

The 'ntacl sysvolcheck' command returns this:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/usr/local/samba/var/locks/sysvol/domain.com/Policies/{20F5D1E9-30B5-49F6-904C-8B41299AA2ED} 
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File 
"/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", 
line 185, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/ntacl.py", 
line 314, in run
     lp)
   File 
"/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", 
line 1853, in checksysvolacl
     direct_db_access)
   File 
"/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", 
line 1804, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", 
line 1747, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
path, fsacl_sddl, acl))

Also, the 'ntacl get /usr/local/samba/var/locks/sysvol --as-sddl' command
says this:

Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
load_module_absolute_path: Module 
'/usr/local/samba/lib/vfs/acl_xattr.so' loaded
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' 
and 'force unknown acl user = true' for service Unknown Service (snum == -1)
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

This is the sysvol part of the AD DC smb.conf:

[sysvol]
     path = /usr/local/samba/var/locks/sysvol
     read only = No

I fixed the problem thanks to the 'ntacl sysvolreset' command, but when I modify
a GPO, I need to start again.

So, I'm lost... what's wrong exactly?

Thanks :-)
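As an added example (not part of Tom's message or of Samba's own code), the following Python helper parses the two SDDL strings quoted in the post and reports exactly where they differ. It assumes the SDDL subset seen here (owner, group, DACL control flags and ACEs, no SACL) and names of its own choosing for the functions.

```python
import re

# SDDL DACL control flags. "P" marks the DACL as protected (no ACEs
# inherited from the parent); "AI" marks it as auto-inherited, i.e.
# maintained by the OS inheritance propagation; "AR" requests that
# propagation. The post's on-disk ACL carries "PAI", the expected one "P".
DACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}

# The two descriptors quoted in the post (constructed copy for offline use).
ACTUAL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE tuples."""
    m = re.fullmatch(r"O:(\w+)G:(\w+)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, flags, aces = m.groups()
    # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
    ace_list = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", aces)]
    return {"owner": owner, "group": group,
            "dacl_flags": set(re.findall(r"AI|AR|P", flags)), "aces": ace_list}


def diff_sddl(actual, expected):
    """Return human-readable differences between two security descriptors."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    for key in ("owner", "group"):
        if a[key] != e[key]:
            out.append("%s differs: %s vs %s" % (key, a[key], e[key]))
    extra = a["dacl_flags"] - e["dacl_flags"]
    missing = e["dacl_flags"] - a["dacl_flags"]
    if extra:
        out.append("unexpected DACL flags: " + ", ".join(DACL_FLAGS[f] for f in sorted(extra)))
    if missing:
        out.append("missing DACL flags: " + ", ".join(DACL_FLAGS[f] for f in sorted(missing)))
    if a["aces"] != e["aces"]:
        out.append("ACE lists differ")
    return out


if __name__ == "__main__":
    for line in diff_sddl(ACTUAL, EXPECTED):
        print(line)
```

Run against the post's strings it reports only the extra AUTO_INHERITED flag: the ACE lists, owner and group are identical, so the sysvolcheck mismatch comes purely from the DACL control flags on the filesystem object.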
