[Samba] Sysvol GPO ACLs problem

Pablo Sanz Fernández psanz at empre.es
Mon May 11 07:31:52 UTC 2020


Hi,

We are having problems with the sysvol AD shared folder in a Samba 4.9.13 AD.

It had been running smoothly until recently, and we don't know how to fix it. We detected the problem when trying to create a new AD GPO; it fails with the message (sorry, we have Windows in Spanish, so it's not a literal translation): "this security identifier cannot be assigned as object owner".

If we execute a sysvol check on the Linux DC (samba-tool ntacl sysvolcheck), we get this error:

[root at mercurio2 ~]# samba-tool ntacl sysvolcheck
WARNING: The "server schannel" option is deprecated
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/eadom.ea/Policies/{9F3EF1BC-6E68-46C4-B6EA-48C66AF71C1B} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 178, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1846, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1797, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1744, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
[root at mercurio2 ~]#

And, if we execute a sysvol acl reset, we get this:

[root at mercurio2 ~]# samba-tool ntacl sysvolreset
WARNING: The "server schannel" option is deprecated
WARNING: The "server schannel" option is deprecated
===============================================================
INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13)
Please read the Trouble-Shooting section of the Samba HOWTO
===============================================================
PANIC (pid 22555): internal error
BACKTRACE: 41 stack frames:
#0 /usr/local/samba/lib/libsamba-util.so.0(log_stack_trace+0x1f) [0x7f29a686e18a]
#1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6d) [0x7f29974cea47]
#2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f29a686e155]
#3 /usr/local/samba/lib/libsamba-util.so.0(+0x20e2f) [0x7f29a686de2f]
#4 /usr/local/samba/lib/libsamba-util.so.0(+0x20e44) [0x7f29a686de44]
#5 /lib64/libpthread.so.0() [0x3a9620f7e0]
#6 /usr/local/samba/lib/vfs/full_audit.so(+0x555d) [0x7f29755d355d]
#7 /usr/local/samba/lib/vfs/full_audit.so(+0x5c4c) [0x7f29755d3c4c]
#8 /usr/local/samba/lib/vfs/full_audit.so(+0x6359) [0x7f29755d4359]
#9 /usr/local/samba/lib/private/libsmbd-base-samba4.so(smb_vfs_call_connect+0x51) [0x7f2995e21f40]
#10 /usr/local/samba/lib/private/libsmbd-base-samba4.so(+0x2047be) [0x7f2995e487be]
#11 /usr/local/samba/lib/private/libsmbd-base-samba4.so(create_conn_struct_tos+0x91) [0x7f2995e489f3]
#12 /usr/local/samba/lib64/python2.6/site-packages/samba/samba3/smbd.so(+0x1e7f) [0x7f299624ae7f]
#13 /usr/local/samba/lib64/python2.6/site-packages/samba/samba3/smbd.so(+0x2caa) [0x7f299624bcaa]
#14 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x5244) [0x3aa36d59d4]
#15 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
#16 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x5304) [0x3aa36d5a94]
#17 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
#18 /usr/lib64/libpython2.6.so.1.0() [0x3aa366ad9d]
#19 /usr/lib64/libpython2.6.so.1.0(PyObject_Call+0x53) [0x3aa3643c63]
#20 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x3cd0) [0x3aa36d4460]
#21 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
#22 /usr/lib64/libpython2.6.so.1.0() [0x3aa366aca0]
#23 /usr/lib64/libpython2.6.so.1.0(PyObject_Call+0x53) [0x3aa3643c63]
#24 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x3cd0) [0x3aa36d4460]
#25 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
#26 /usr/lib64/libpython2.6.so.1.0() [0x3aa366aca0]
#27 /usr/lib64/libpython2.6.so.1.0(PyObject_Call+0x53) [0x3aa3643c63]
#28 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x3cd0) [0x3aa36d4460]
#29 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
#30 /usr/lib64/libpython2.6.so.1.0() [0x3aa366aca0]
#31 /usr/lib64/libpython2.6.so.1.0(PyObject_Call+0x53) [0x3aa3643c63]
#32 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalFrameEx+0x3cd0) [0x3aa36d4460]
#33 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCodeEx+0x927) [0x3aa36d7647]
#34 /usr/lib64/libpython2.6.so.1.0(PyEval_EvalCode+0x32) [0x3aa36d7722]
#35 /usr/lib64/libpython2.6.so.1.0() [0x3aa36f1b9c]
#36 /usr/lib64/libpython2.6.so.1.0(PyRun_FileExFlags+0x90) [0x3aa36f1c70]
#37 /usr/lib64/libpython2.6.so.1.0(PyRun_SimpleFileExFlags+0xdc) [0x3aa36f315c]
#38 /usr/lib64/libpython2.6.so.1.0(Py_Main+0xb62) [0x3aa36ff892]
#39 /lib64/libc.so.6(__libc_start_main+0x100) [0x3a95e1ed20]
#40 python() [0x400649]
Can not dump core: corepath not set up
[root at mercurio2 ~]#

We also tried to use the sysvol repair permissions script (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):

[root at mercurio2 ~]# /usr/oper/samba-check-set-sysvol.sh
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-549 to uid
You have new mail in /var/spool/mail/root
[root at mercurio2 ~]#

Please, do you know how to fix this, or at least where to begin?

Thank you

Pablo Sanz Fernández
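
The two SDDL strings in the sysvolcheck error above are long enough that the differing field is hard to spot by eye. The following is an added example, not part of the original post and not Samba's own code: it splits both descriptors (copied from the error message) into owner, group, DACL flags and ACEs and reports which fields differ. The function names and the alias table are this example's own; the aliases are the standard SDDL SID abbreviations.

```python
import re

# Both descriptors are copied from the sysvolcheck error quoted in the post.
ON_DISK = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Standard SDDL SID aliases that occur as owner/group in these strings.
ALIASES = {"LA": "Administrator account (RID 500)",
           "DA": "Domain Admins (RID 512)"}

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ordered ACEs.

    Assumption: no conditional ACEs or resource attributes, so every ':' in
    the string follows a component tag (O, G, D or S).
    """
    marks = list(re.finditer(r"([OGDS]):", sddl))
    raw = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        raw[m.group(1)] = sddl[m.end():end]
    dacl = raw.get("D", "")
    return {
        "owner": raw.get("O"),
        "group": raw.get("G"),
        "dacl_flags": dacl.split("(", 1)[0],
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
        "aces": [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)],
    }

def diff_sddl(actual, expected):
    """Return (field, actual_value, expected_value) for every differing field."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    fields = ("owner", "group", "dacl_flags", "aces")
    return [(f, a[f], e[f]) for f in fields if a[f] != e[f]]

def describe(value):
    """Expand a SID alias when it is one of the known ones."""
    return "%s (%s)" % (value, ALIASES.get(value, "no alias entry"))

if __name__ == "__main__":
    for field, got, want in diff_sddl(ON_DISK, EXPECTED):
        if field in ("owner", "group"):
            got, want = describe(got), describe(want)
        print("%s: on disk %s, expected %s" % (field, got, want))
```

For these two strings the only differing field is the owner (LA on disk, DA expected); the group, the DACL flags and all seven ACEs are identical.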


