[Samba] More on sysvol maintenance

Luis Peromarta lperoma at icloud.com
Wed May 24 14:33:54 UTC 2023


Greetings.

A bit more on sysvolchek / reset.

I have a 3-DC domain. All working fine. DC2 and DC3 rsync sysvol from DC1 on an hourly basis. No issues with GPOs. Some months ago I ran all L.P.H. van Belle steps as per https://wiki.samba.org/index.php/Sysvolreset and all seems OK.

Because of a thread currently on the list, I decided to do a quick check on DC2. No problem breaking things, I can always rsync from DC1 again.

On DC2 (bookworm):

Samba is stopped.

./samba-check-set-sysvol.sh

INFO 2023-05-24 16:24:36,614 pid:107693 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2023-05-24 16:24:36,614 pid:107693 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
failed to call wbcSidToUid: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not convert sid S-1-5-32-549 to uid

Strange, why am I getting this? winbind is installed.


I tried sysvolcheck on DC2 and got:


root at bwing:/var/lib/samba# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /var/lib/samba/sysvol/mad.mater.int O:LAG:BAD:AI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;S-1-5-21-2152908145-95474353-1514027631-1110)(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001f01ff;;;DA)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001f01ff;;;SY) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1873, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))


I have absolutely no idea how to decode this. Then I tried

samba-tool ntacl sysvolreset (after a couple of minutes…)

No errors, no output. Then:

net cache flush && samba-tool ntacl sysvolcheck

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/mad.mater.int/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU) from GPO object
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
    check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))


This time I can see it's complaining about GPO {31B2F340-016D-11D2-945F-00C04FB984F9}. This seems to be the default domain policy.

Everything seems to be working fine, is looking into this worth anything?

Thanks,

LP
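The SDDL strings in those sysvolcheck errors can be decoded mechanically. The script below is an added example, not code from the original post or from Samba: it parses the two descriptors quoted in the first error (actual on disk vs. expected from provision) and reports which owner, DACL flags and ACEs differ, using the standard SDDL abbreviations (LA, DA, BA, SO, SY, AU, and so on) and the two access masks that appear in the output.

```python
import re

# Well-known SDDL SID abbreviations and access masks seen in the sysvolcheck output above.
SID_NAMES = {"LA": "Local Administrator", "DA": "Domain Admins", "BA": "BUILTIN\\Administrators",
             "SO": "Server Operators", "SY": "SYSTEM", "AU": "Authenticated Users",
             "EA": "Enterprise Admins", "CO": "CREATOR OWNER", "ED": "Enterprise Domain Controllers"}
MASK_NAMES = {"0x001f01ff": "Full Control", "0x001200a9": "Read & Execute"}
_SDDL = re.compile(r"^O:([\w-]+)G:([\w-]+)D:(\w*)((?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, aces); each ACE is a dict of its six ';' fields."""
    m = _SDDL.match(sddl)
    if not m:
        raise ValueError("not a DACL-only SDDL string: %r" % sddl)
    owner, group, flags, ace_str = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_str):
        atype, aflags, mask, obj, inh, sid = ace.split(";")
        aces.append({"type": atype, "flags": [aflags[i:i + 2] for i in range(0, len(aflags), 2)],
                     "mask": mask, "object": obj, "inherit": inh, "sid": sid})
    return owner, group, flags, aces

def describe(ace):
    who = SID_NAMES.get(ace["sid"], ace["sid"])
    what = MASK_NAMES.get(ace["mask"], ace["mask"]) or "object-specific " + ace["object"]
    how = "inherited" if "ID" in ace["flags"] else "explicit"   # ID = inherited ACE
    return "%s %s (%s)" % (who, what, how)

def diff_sddl(actual, expected):
    """Why sysvolcheck rejects 'actual': owner/group/DACL-flag changes, plus ACEs on disk but not
    expected ('extra') and expected but absent ('missing'); inheritance flags are not compared."""
    a_own, a_grp, a_fl, a_aces = parse_sddl(actual)
    e_own, e_grp, e_fl, e_aces = parse_sddl(expected)
    key = lambda ace: (ace["type"], ace["mask"], ace["object"], ace["sid"])
    a_keys, e_keys = {key(x) for x in a_aces}, {key(x) for x in e_aces}
    return {"owner": None if a_own == e_own else (a_own, e_own),
            "group": None if a_grp == e_grp else (a_grp, e_grp),
            "dacl_flags": None if a_fl == e_fl else (a_fl, e_fl),   # AI = auto-inherited, P = protected
            "extra": [describe(x) for x in a_aces if key(x) not in e_keys],
            "missing": [describe(x) for x in e_aces if key(x) not in a_keys]}

# The sysvol root descriptors quoted in the first sysvolcheck error above.
SYSVOL_ACTUAL = ("O:LAG:BAD:AI(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;S-1-5-21-2152908145-95474353-1514027631-1110)"
                 "(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001f01ff;;;DA)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001f01ff;;;SY)")
SYSVOL_EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                   "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
if __name__ == "__main__":
    for k, v in diff_sddl(SYSVOL_ACTUAL, SYSVOL_EXPECTED).items():
        print(k, "->", v)
```

Run against the second error it reports only an owner change (LA on disk, DA expected), which is why the ACE lists there look identical.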
