[Samba] several offices: home dirs, local resources, ...

Michael Tokarev mjt at tls.msk.ru
Tue Nov 22 18:50:31 UTC 2022

22.11.2022 20:29, Kees van Vloten wrote:
>> And now, for fun side, once you mention sysvolcheck and sysvolreset stuff,
>> here's another twist:
>> svdcp:/# samba-tool ntacl sysvolcheck
>> svdcp:/# samba-tool ntacl sysvolreset
>> svdcp:/# samba-tool ntacl sysvolcheck
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory 
>> /var/lib/samba/sysvol/tls.msk.ru/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
>>     provision.checksysvolacl(samdb, netlogon, sysvol,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
>>     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
>>     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, 
>> fsacl_sddl, acl))
>> (This is a "second" DC).  So the permissions WERE okay after an rsync from
>> "primary" DC.  And sysvolcheck reported no errors. So one might think
>> sysvolreset will be a no-op - nope. After sysvolreset, sysvolcheck reports
>> errors, and no other sysvolreset fixes them. Only after another resync from
>> primary (which transfers ACLs too) sysvolcheck is quiet again. This is
>> one more thing for me to debug, maybe it's idmap.tdb again (mentioned above
>> already), maybe something else, - it's not important by now.  Just another
>> fun data point in the new context you mentioned..

> Permissions are stored in xattrs, did you add the right options to rsync to replicate those?

Yes, after rsync run sysvolcheck is happy, but after sysvolreset
it shows errors.  See above: I started with sysvolcheck after
an rsync.  Second rsync fixes it. I mentioned it all above :)

Still, it's not important by now - which I also mentioned above ;)


