[Samba] GPO fail and sysvol perm errors

Rowland penny rpenny at samba.org
Sun Oct 25 20:24:33 UTC 2020


On 25/10/2020 20:20, Sonic wrote:
> On Sun, Oct 25, 2020 at 4:02 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> What do you mean by 'working domain' and 'non-working domain' ?
>> Do you have two domains ?
> Different sites, different companies, not related. The working one was
> also a classic upgrade but earlier on, pre 4.6.x. Just using it to
> compare.
>
>> I am also trying to understand why you have
>> 'DENIED_RODC_PASSWORD_REPLICATION_GROUP' in your ACL ?
>>
>> I do not normally advise this, but try running 'samba-tool ntacl
>> sysvolreset'
> This is what the sysvolcheck returns:
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/my.example.com/Policies/{E2BC0255-64C8-
> 42CF-A27A-59A7D3DCD2DC}
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;
> 0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;
> 0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;
> ;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;
> OICI;0x001200a9;;;ED) from GPO object
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py",
> line 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/ntacl.py",
> line 446, in run
>      lp)
>    File
> "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line
> 1894, in checksysvolacl
>      direct_db_access)
>    File
> "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line
> 1844, in check_gpos_acl
>      domainsid, direct_db_access)
>    File
> "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line
> 1786, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl)
>
> Should sysvolreset fix this?
>
> Thanks,
> Chris

Yes, that is what it is designed for.

Rowland
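
Added example, not part of the original thread and not Samba's own code: a small Python parser that splits the two SDDL strings from the sysvolcheck error above into owner, group, DACL control flags and ACEs, then reports where they differ. For the quoted strings the only difference is the DACL flag AI (auto-inherited), which is set on the directory ACL; the function names are hypothetical.

```python
import re
from itertools import zip_longest

# SDDL strings copied from the sysvolcheck error above, mail line wraps removed.
FS_ACL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;0x001200a9;;;ED)")          # ACL found on the GPO directory
GPO_ACL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")         # ACL expected from the GPO object


def parse_sddl(sddl):
    """Split SDDL into owner, group, DACL control flags and ordered ACE list."""
    # Yields ['', 'O', 'DA', 'G', 'DA', 'D', 'PAI(...)(...)'] for the strings above.
    parts = re.split(r"([OGDS]):", sddl)
    fields = dict(zip(parts[1::2], parts[2::2]))
    dacl = fields.get("D", "")
    return {
        "owner": fields.get("O"),
        "group": fields.get("G"),
        # P = protected, AI = auto-inherited, AR = auto-inherit required
        "dacl_flags": set(re.findall(r"AI|AR|P", dacl.partition("(")[0])),
        "aces": re.findall(r"\(([^()]*)\)", dacl),
    }


def diff_sddl(on_disk, expected):
    """Return only the components in which the two descriptors differ."""
    a, e = parse_sddl(on_disk), parse_sddl(expected)
    diff = {k: (a[k], e[k]) for k in ("owner", "group") if a[k] != e[k]}
    if a["dacl_flags"] != e["dacl_flags"]:
        diff["dacl_flags"] = {
            "only_on_disk": sorted(a["dacl_flags"] - e["dacl_flags"]),
            "only_expected": sorted(e["dacl_flags"] - a["dacl_flags"]),
        }
    # ACE order is significant, so compare position by position.
    aces = [(i, x, y) for i, (x, y)
            in enumerate(zip_longest(a["aces"], e["aces"])) if x != y]
    if aces:
        diff["aces"] = aces
    return diff


if __name__ == "__main__":
    print(diff_sddl(FS_ACL, GPO_ACL))
```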




