[Samba] sysvolcheck and sysvolreset errors

Rowland penny rpenny at samba.org
Tue May 19 17:36:57 UTC 2020


On 19/05/2020 17:09, Roy Eastwood via samba wrote:
> I have a samba DC based on Debian Buster running samba 4.12.2 from Louis' repo.  A second DC on Raspbian buster is running samba
> 4.12.0.   I have sysvol replication working using rsync/unison as per the Wiki.    I wasn't having any issues until I tried to edit
> a GPO and found that all the acl settings had disappeared.   This may have happened when I upgraded the DCs from 4.11.x to 4.12.x as
> I did it by demoting, then removing samba and re-installing the new version then re-joined.   Anyhow, I tried to set the ACLs using
> a Windows member client on the sysvol share of the PDC FSMO role owner to what I thought they should be but when I run the
> samba-tool ntacl sysvolcheck command I get:
>
> root@tiger-db:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory
> /var/lib/samba/sysvol/microlynx.org
> O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;BA)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;AU) does not match
> expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from
> provision
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
>      lp)
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1901, in checksysvolacl
>      raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' %
> (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
>
> So I tried running samba-tool ntacl sysvolreset and I get:
>
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> ...
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
>
> ad nauseam.
>
> How can I get this back to normal?
>
> TIA
>
> Roy
>
>
You could try using a script Louis wrote, see here: 
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh

The 'idmap config' lines are nothing to worry about, you cannot set them 
on a DC, but, for some reason, testparm etc warns about them.

Rowland
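
The mismatch in the quoted sysvolcheck error is easier to read once both SDDL strings are split into fields. The Python below is an added example, not part of the original thread or of Samba's code; `parse_sddl` and `diff_sddl` are hypothetical helper names, and the parser only handles the owner/group/DACL form with hex access masks that appears in that error.

```python
import re

# Both strings are copied from the sysvolcheck error quoted in this thread.
ACTUAL = ("O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;BA)(A;OICIID;0x001200a9;;;SO)"
          "(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;AU)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

SDDL_RE = re.compile(
    r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")


def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string into comparable parts."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    aces = {}
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        # ACE flags are two-letter tokens (OI, CI, ID, ...); rights are hex here.
        aces[(ace_type, sid)] = (frozenset(re.findall("..", flags)), int(rights, 16))
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": frozenset(re.findall("AI|AR|P", m["flags"])), "aces": aces}


def diff_sddl(actual, expected):
    """Return one human-readable finding per difference between two SDDL strings."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    findings = [f"{k}: {a[k]} (expected {e[k]})" for k in ("owner", "group") if a[k] != e[k]]
    if a["dacl_flags"] != e["dacl_flags"]:
        findings.append(
            f"DACL flags: {sorted(a['dacl_flags'])} (expected {sorted(e['dacl_flags'])})")
    for key in sorted(set(a["aces"]) | set(e["aces"])):
        if key not in a["aces"] or key not in e["aces"]:
            findings.append(f"ACE {key}: present on one side only")
            continue
        (a_flags, a_rights), (e_flags, e_rights) = a["aces"][key], e["aces"][key]
        if a_flags != e_flags:
            findings.append(f"ACE {key}: flags differ by {sorted(a_flags ^ e_flags)}")
        if a_rights != e_rights:
            findings.append(f"ACE {key}: rights {a_rights:#010x} (expected {e_rights:#010x})")
    return findings


if __name__ == "__main__":
    for line in diff_sddl(ACTUAL, EXPECTED):
        print(line)
```

For the two strings in the thread it reports AI (auto-inherited) where P (protected) is expected on the DACL, plus an extra ID (inherited) flag on each of the four ACEs; owner, group, trustees and access masks are identical.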