[Samba] Sysvol permission issue - how to repair permanently?

Rowland Penny rpenny at samba.org
Tue Apr 6 10:11:31 UTC 2021

On 06/04/2021 10:42, L.P.H. van Belle via samba wrote:
> root@dc1:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: DB ACL on GPO
> file /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
> O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)
> does not match expected value
> O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)
> from GPO object

Hi Louis,

The reason why you get that error is because you have given Domain 
Admins a gidNumber; this means that 'O:DA' can never happen. I have 
multiple GPOs in sysvol and this happens:

pi@rpidc1:~ $ sudo samba-tool ntacl sysvolreset
pi@rpidc1:~ $ sudo samba-tool ntacl sysvolcheck
pi@rpidc1:~ $

Absolutely no errors; this is with Samba 4.14.2.

At one time 'samba-tool ntacl sysvol*' didn't work. I tried to fix this 
and came to the conclusion it was because Samba didn't know who some of 
the users and groups were (they couldn't be 'mapped') and some of the 
permissions were unknown as well. These problems have now been fixed and 
sysvolreset and sysvolcheck now work correctly, provided users & groups 
can be mapped as Windows expects.
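
To see exactly where the two descriptors in the quoted sysvolcheck error differ, here is an added example (not part of the original post and not Samba's own code) that splits each SDDL string into owner, group, DACL flags and ACEs and reports the differences. The function names are hypothetical; the two strings are copied from the error above with the mail line wraps joined.

```python
import re

# SDDL strings copied from the sysvolcheck error quoted above (mail line wraps joined).
ACTUAL = ("O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
          "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)")

# SID aliases seen here: DA=Domain Admins, BA=BUILTIN\Administrators,
# DU=Domain Users, CO=Creator Owner.
# Sketch only: handles the O:/G:/D: layout above, not SACLs or conditional ACEs.
SDDL_RE = re.compile(
    r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACEs."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, _obj, _inherit_obj, trustee = fields
        # ACE flags are two-letter tokens such as OI, CI, IO.
        aces.append((ace_type, tuple(re.findall("..", ace_flags)), rights, trustee))
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": tuple(re.findall(r"AR|AI|P", m["flags"])), "aces": aces}

def diff_sddl(actual, expected):
    """Report (actual, expected) pairs for every part that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]}
    a_trustees = {ace[3] for ace in a["aces"]}
    e_trustees = {ace[3] for ace in e["aces"]}
    report["only_actual"] = sorted(a_trustees - e_trustees)
    report["only_expected"] = sorted(e_trustees - a_trustees)
    # Count ACEs that carry no inheritance flags (OI/CI/IO) on each side.
    report["aces_without_inheritance"] = (sum(not ace[1] for ace in a["aces"]),
                                          sum(not ace[1] for ace in e["aces"]))
    return report

if __name__ == "__main__":
    for field, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(f"{field}: {value}")
```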
