[Samba] sysvolcheck and aclcheck generate errors

Mario Codeniera mario.codeniera at gmail.com
Wed Feb 26 00:39:55 UTC 2020


Hi,

I searched on the net but did not get enough information to resolve the issue.
As per the suggestion to check the sysvol, mine has issues.

Currently using CentOS 8.1.1911 and a compiled samba 4.11.4 based on Fedora 31.

I also tried to delete the broken GPO policy E4108E65-68AB-4E2D-9A00-A9063B1558E3
but I can't delete it (using
samba-tool gpo del {31B2F340-016D-11D2-945F-00C04FB984F9} -Uadministrator),
and I renamed the directory in
/var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies, which generates more errors.

However, sysvolreset runs without any errors but doesn't resolve the issue.


How do I manually delete a GPO policy? Or does anyone have experience resolving
this? I will try to upgrade to the current version, 4.11.6.


Regards,
Mario


Snippet of the last part of samba-tool ntacl sysvolreset -Uadministrator -d4:
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes = yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/Scripts. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes = yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/Microsoft. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes = yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes = yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes = yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER. uid = 0, gid = 512.


[root at abridor-dc1 Policies]# samba-tool ntacl sysvolcheck -d3 -UAdministrator
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{E4108E65-68AB-4E2D-9A00-A9063B1558E3}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/ntacl.py", line 456, in run
    lp)
  File "/usr/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1900, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1851, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1794, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))


[root at abridor-dc1 Policies]#  samba-tool gpo aclcheck -d3 -Uadministrator
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ABRIDOR.lumad.sandbox.net<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ABRIDOR.lumad.sandbox.net<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name abridor-dc1.abridor.lumad.sandbox.net<0x20>
Password for [ABRIDOR\administrator]:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Connecting to 192.168.19.5 at port 445
ERROR: Invalid GPO ACL
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
on path (abridor.lumad.sandbox.net\Policies\{E4108E65-68AB-4E2D-9A00-A9063B1558E3}),
should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)


[root at abridor-dc1 Policies]# ls -all
total 24
drwxrwx---+ 6 root 3000000 190 Feb 26 13:12 .
drwxrwx---+ 4 root 3000000  37 Dec 18 17:28 ..
drwxrwx---+ 4 root     512  48 Feb 21 13:23 {1FF53CF3-A410-470E-A983-82C73BABCA1E}
drwxrwx---+ 4 root     512  48 Dec 18 17:28 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root     512  48 Dec 18 17:28 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root     512  48 Feb 19 14:32 {E4108E65-68AB-4E2D-9A00-A9063B1558E3}



[root at abridor-dc1 Policies]# samba-tool gpo listall
GPO          : {E4108E65-68AB-4E2D-9A00-A9063B1558E3}
display name : Users - ABRIDOR Mapped Drives
path         : \\abridor.lumad.sandbox.net\SysVol\abridor.lumad.sandbox.net\Policies\{E4108E65-68AB-4E2D-9A00-A9063B1558E3}
dn           : CN={E4108E65-68AB-4E2D-9A00-A9063B1558E3},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net
version      : 393216
flags        : NONE

GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\abridor.lumad.sandbox.net\sysvol\abridor.lumad.sandbox.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net
version      : 0
flags        : NONE

GPO          : {1FF53CF3-A410-470E-A983-82C73BABCA1E}
display name : Zoom
path         : \\abridor.lumad.sandbox.net\SysVol\abridor.lumad.sandbox.net\Policies\{1FF53CF3-A410-470E-A983-82C73BABCA1E}
dn           : CN={1FF53CF3-A410-470E-A983-82C73BABCA1E},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net
version      : 0
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\abridor.lumad.sandbox.net\sysvol\abridor.lumad.sandbox.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net
version      : 2
flags        : NONE


[root at abridor-dc1 Policies]# samba-tool gpo del {31B2F340-016D-11D2-945F-00C04FB984F9} -Uadministrator
Password for [ABRIDOR\administrator]:

ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <00002035: objectclass: Cannot delete CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net, it isn't permitted!> <>
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 1518, in run
    self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))

