[Samba] Sysvol permission issue - how to repair permanently?
L.P.H. van Belle
belle at bazuin.nl
Tue Apr 6 14:44:36 UTC 2021
Hi Rowland,
Yes, I'm aware of that.
Only, I use "BAG", not "DAG".
Both are correct, just because DAG is a member of BAG; no setup is the same.
It's a good attempt at the sysvolcheck fix, but it's not 100%..
And yes, since I know that, I just don't run sysvolcheck normally.. ;-)
But I also don't have problems with my policies; everything applies as needed, where needed.
Now, looking at that below.
> O:BAG:DUD << that's the wrong one. DUD = "Domain Users" .. ?
The rights are not correct, as simple as that.
Should be
O:LAG:DAD .. OR O:BAG:DAD
So, I'm assuming this was a "user" with elevated rights that ran GPMC
and created the policies, or a user who was added to "Domain Admins", which is a big NO NO..
The difference for me is, I only use Administrator or a new admin, a copy of Administrator but with the exact same rights.
No users with elevated rights are used for this.
So I suggest to the TP starter: read this:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/permissions-this-gpo-inconsistent
and apply it.
Then run/get the SDDL of it.
If one does not have an official Windows Server.. download one, install it in a VM. Check the rights on sysvol.
That I have, exactly what was on my W2008R2 server's sysvol.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via
> samba
> Sent: Tuesday, 6 April 2021 12:12
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol permission issue - how to repair
> permanently?
>
> On 06/04/2021 10:42, L.P.H. van Belle via samba wrote:
> > root at dc1:~# samba-tool ntacl sysvolcheck
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> > - ProvisioningError: DB ACL on GPO
> > file /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
> > O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)
> > does not match expected value
> > O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)
> > from GPO object
>
>
> Hi Louis,
>
> The reason why you get that error is because you have given Domain
> Admins a gidNumber, this means that 'O:DA' can never happen. I have
> multiple GPOs in sysvol and this happens:
>
> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolreset
> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolcheck
> pi at rpidc1:~ $
>
> Absolutely no errors, this is with Samba 4.14.2
>
> At one time 'samba-tool ntacl sysvol*' didn't work, I tried to fix this
> and came to the conclusion it was because Samba didn't know who some of
> the users and groups were (they couldn't be 'mapped') and some of the
> permissions were unknown as well. These problems have now been fixed and
> sysvolreset and sysvolcheck now work correctly, provided users & groups
> can be mapped as Windows expects.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
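The sysvolcheck error above prints two long SDDL strings and says only that they "do not match", which makes it hard to see whether the problem is the owner/group (Rowland's point about Domain Admins having a gidNumber, so 'O:DA' cannot be produced), the DACL inheritance flags, or the rights masks themselves. The script below is an added example, not part of the thread and not Samba's own comparison code: it is a plain structural diff of the O:, G: and D: parts of two SDDL strings. The two strings are the ones quoted in the thread; the parser assumes plain (non-conditional) SDDL, where ACE bodies never contain ':'. How `samba-tool ntacl sysvolcheck` itself compares descriptors is not reproduced here.

```python
"""Explain why two SDDL strings differ (added example, not Samba's code).

Splits each descriptor into owner (O:), group (G:) and DACL (D:), then reports
owner/group/DACL-flag differences, missing and extra ACEs, and ACEs that differ
only in inheritance flags. Assumes plain SDDL without conditional ACEs.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SDDL strings quoted in the thread (actual on disk vs. expected from the GPO object).
ACTUAL = ("O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
          "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)")

ACE_RE = re.compile(r"\(([^)]*)\)")
AceKey = Tuple[str, str, str]  # (ace_type, rights, trustee): identity of an ACE minus flags


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = access allowed, D = access denied, ...
    flags: str      # inheritance flags such as OICI / OICIIO, '' when none
    rights: str     # access mask (hex here, short form also possible)
    trustee: str    # SID alias (DA, BA, SY, ...) or a literal SID


@dataclass
class Sddl:
    owner: Optional[str]
    group: Optional[str]
    dacl_flags: str   # e.g. 'PAR' (protected, auto-inherit required), '' when none
    aces: List[Ace]


def _components(text: str) -> Dict[str, str]:
    """Split 'O:BAG:DUD:(...)' into {'O': 'BA', 'G': 'DU', 'D': '(...)'}.

    A component marker is one of O/G/D/S followed by ':' outside parentheses;
    in plain SDDL nothing inside an ACE contains ':'.
    """
    starts: List[Tuple[str, int]] = []
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ":" and depth == 0 and i > 0 and text[i - 1] in "OGDS":
            starts.append((text[i - 1], i + 1))
    parts: Dict[str, str] = {}
    for n, (name, begin) in enumerate(starts):
        end = starts[n + 1][1] - 2 if n + 1 < len(starts) else len(text)
        parts[name] = text[begin:end]
    return parts


def parse_sddl(text: str) -> Sddl:
    parts = _components(text.strip())
    dacl = parts.get("D", "")
    flags = dacl.split("(", 1)[0]          # DACL flags precede the first ACE
    aces: List[Ace] = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")           # type;flags;rights;obj_guid;inherit_guid;trustee
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5]))
    return Sddl(parts.get("O"), parts.get("G"), flags, aces)


def explain_mismatch(actual: str, expected: str) -> Dict[str, object]:
    """Return a report of every way `actual` deviates from `expected`."""
    a, e = parse_sddl(actual), parse_sddl(expected)

    def key(ace: Ace) -> AceKey:
        return (ace.ace_type, ace.rights, ace.trustee)

    a_keys, e_keys = Counter(map(key, a.aces)), Counter(map(key, e.aces))
    a_flags = {key(x): x.flags for x in a.aces}
    e_flags = {key(x): x.flags for x in e.aces}
    common = a_keys.keys() & e_keys.keys()
    return {
        "owner": None if a.owner == e.owner else (a.owner, e.owner),
        "group": None if a.group == e.group else (a.group, e.group),
        "dacl_flags": None if a.dacl_flags == e.dacl_flags else (a.dacl_flags, e.dacl_flags),
        "missing_aces": sorted((e_keys - a_keys).elements()),   # in expected, not on disk
        "extra_aces": sorted((a_keys - e_keys).elements()),     # on disk, not expected
        "flag_diffs": sorted((k, a_flags[k], e_flags[k]) for k in common
                             if a_flags[k] != e_flags[k]),
    }


def is_match(report: Dict[str, object]) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    for name, value in explain_mismatch(ACTUAL, EXPECTED).items():
        print(f"{name}: {value}")
```

Run against the thread's strings, the report isolates three separate problems: owner BA instead of DA, group DU instead of DA, and no inheritance flags (`''` vs `OICI`) or `PAR` on the on-disk DACL, plus one extra BA ACE and a missing CREATOR OWNER (CO) ACE. The rights masks on the common ACEs agree, so simply re-granting rights would not make the check pass; the owner/group mapping and the inherited ACEs are what need fixing.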