[Samba] sysvolcheck and sysvolreset errors

Roy Eastwood spindles7 at gmail.com
Tue May 19 16:09:21 UTC 2020


I have a Samba DC based on Debian Buster running Samba 4.12.2 from Louis' repo. A second DC on Raspbian Buster is running Samba
4.12.0. I have sysvol replication working using rsync/unison as per the wiki. I wasn't having any issues until I tried to edit
a GPO and found that all the ACL settings had disappeared. This may have happened when I upgraded the DCs from 4.11.x to 4.12.x, as
I did it by demoting, then removing Samba, re-installing the new version and re-joining. Anyhow, I tried to set the ACLs using
a Windows member client on the sysvol share of the PDC FSMO role owner to what I thought they should be, but when I run the
samba-tool ntacl sysvolcheck command I get:

root@tiger-db:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /var/lib/samba/sysvol/microlynx.org O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;BA)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;AU) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1901, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))

So I tried running samba-tool ntacl sysvolreset and I get:

idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
...
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'

ad nauseam.

How can I get this back to normal?

TIA

Roy
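
Added example, not part of the original post and not Samba's own code: a small SDDL parser that diffs the two strings from the sysvolcheck error above, showing that trustees and access masks are identical and that only the inheritance markers differ (`AI` and `ID` on disk where provision expects `P`, a protected DACL with explicit ACEs). The function names are hypothetical, and the parser assumes a DACL-only SDDL string like the two quoted in the error.

```python
import re

# SDDL strings copied from the sysvolcheck error quoted in the post.
ACTUAL = ("O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;BA)(A;OICIID;0x001200a9;;;SO)"
          "(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;AU)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

SDDL_RE = re.compile(
    r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")

def parse_sddl(sddl):
    """Parse owner, group, DACL control flags and ACEs (assumption: no SACL)."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = {}
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        # Rights may be a hex mask or mnemonic letters; only convert the hex form.
        mask = int(rights, 16) if rights.lower().startswith("0x") else rights
        # ACE flags are two-letter codes: OI, CI, ID (inherited), ...
        aces[(trustee, ace_type)] = (set(re.findall("..", flags)), mask)
    # DACL control flags: P (protected), AR (auto-inherit requested), AI (auto-inherited).
    return {"owner": m["owner"], "group": m["group"],
            "flags": set(re.findall(r"AI|AR|P", m["flags"])), "aces": aces}

def diff_sddl(actual, expected):
    """Return a structured description of how `actual` deviates from `expected`."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = {"owner_group_match": (a["owner"], a["group"]) == (e["owner"], e["group"]),
              "dacl_flags_extra": sorted(a["flags"] - e["flags"]),
              "dacl_flags_missing": sorted(e["flags"] - a["flags"]),
              "aces": {}}
    for key in sorted(set(a["aces"]) | set(e["aces"])):
        if key not in a["aces"] or key not in e["aces"]:
            report["aces"][key] = "only in " + ("actual" if key in a["aces"] else "expected")
            continue
        (a_flags, a_mask), (e_flags, e_mask) = a["aces"][key], e["aces"][key]
        report["aces"][key] = {"flags_extra": sorted(a_flags - e_flags),
                               "flags_missing": sorted(e_flags - a_flags),
                               "rights_match": a_mask == e_mask}
    return report

if __name__ == "__main__":
    import pprint
    pprint.pprint(diff_sddl(ACTUAL, EXPECTED))
```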



