[Samba] Sysvol permission issue - how to repair permanently?
Rowland penny
rpenny at samba.org
Tue Apr 6 10:11:31 UTC 2021
On 06/04/2021 10:42, L.P.H. van Belle via samba wrote:
> root at dc1:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: DB ACL on GPO
> file /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-
> AD7A32DF180F}/Machine/Registry.pol
> O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;
> 0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;D
> A)
> does not match expected value
> O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x0
> 01f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001
> 200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)
> from GPO object
Hi Louis,
The reason why you get that error is because you have given Domain
Admins a gidNumber, this means that 'O:DA' can never happen. I have
multiple GPO's in sysvol and this happens:
pi at rpidc1:~ $ sudo samba-tool ntacl sysvolreset
pi at rpidc1:~ $ sudo samba-tool ntacl sysvolcheck
pi at rpidc1:~ $
Absolutely no errors, this is with Samba 4.14.2
At one time 'samba-tool ntacl sysvol*' didn't work, I tried to fix this
and came to the conclusion it was because Samba didn't know who some of
the users and groups were (they couldn't be 'mapped') and some of the
permissions were unknown as well. These problems have now been fixed and
syvolreset and sysvolcheck now work correctly, provided users & groups
can be mapped as Windows expects.
Rowland
More information about the samba
mailing list