[Samba] More on sysvol maintenance

Rowland Penny rpenny at samba.org
Wed May 24 15:06:33 UTC 2023



On 24/05/2023 15:33, Luis Peromarta via samba wrote:
> Greetings.
> 
> A bit more on sysvolcheck / reset.
> 
> I have a 3 DCs domain. All working fine. DC2 and DC3 rsync sysvol from DC1 on an hourly basis. No issues with GPOs. Some months ago I ran all L.P.H. van Belle steps as per https://wiki.samba.org/index.php/Sysvolreset and all seems OK.
> 
> Because of a thread currently on the list, I decided to do a quick check on DC2. No problem breaking things, I can always rsync demo DC1 again.
> 
> On DC2 (bookworm) :
> 
> Samba is stopped.
> 
> ./samba-check-set-sysvol.sh
> 
> INFO 2023-05-24 16:24:36,614 pid:107693 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> INFO 2023-05-24 16:24:36,614 pid:107693 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> failed to call wbcSidToUid: WBC_ERR_WINBIND_NOT_AVAILABLE
> Could not convert sid S-1-5-32-549 to uid
> 
> Strange, why am I getting this? winbind is installed.
> 
> 
> I tried sysvolcheck on DC2 and get:
> 
> 
> root at bwing:/var/lib/samba# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /var/lib/samba/sysvol/mad.mater.int O:LAG:BAD:AI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;S-1-5-21-2152908145-95474353-1514027631-1110)(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001f01ff;;;DA)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001f01ff;;;SY) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
>      return self.run(*args, **kwargs)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
>      provision.checksysvolacl(samdb, netlogon, sysvol,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1873, in checksysvolacl
>      raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
> 
> 
> I have absolutely no idea how to decode this. Then I tried
> 
> samba-tool ntacl sysvolreset (after a couple of minutes…)
> 
> No errors, no output. Then:
> 
> net cache flush && samba-tool ntacl sysvolcheck
> 
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/mad.mater.int/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU) from GPO object
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
>      return self.run(*args, **kwargs)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
>      provision.checksysvolacl(samdb, netlogon, sysvol,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
>      check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
>      check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
> 
> This time I can see it’s complaining about GPO {31B2F340-016D-11D2-945F-00C04FB984F9}. This seems to be the default domain policy.
> 
> Everything seems to be working fine, is looking into this worth anything?
> 
> Thanks,
> 
> LP

If you look very carefully at the output from the error after you ran 
sysvolreset, you will see that the difference is at the start. The ACL 
owners 'O:LAG:DA' do not match what is expected 'O:DAG:DA'.

If you do not understand the output, let me decipher it:
O = owner
LA = Local Administrator, probably 'root'
G = group
DA = Domain Admins

so to put it another way, you appear to have 'root:Domain Admins' as the 
owner of 
/var/lib/samba/sysvol/mad.mater.int/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
and it should be 'Domain Admins:Domain Admins'.

Are you by any chance using rfc2307 attributes and if so, have you given 
Domain Admins a gidNumber ?

Rowland
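The decoding Rowland does by eye above can be automated. The Python below is an added example, not part of this thread or of samba-tool: it splits the two SDDL strings quoted in the GPO error into owner, group, DACL control flags and ACEs, then reports only the parts that differ. The alias names in WELL_KNOWN are the standard SDDL two-letter abbreviations, with LA described as Rowland reads it.

```python
import re
# Two-letter SDDL aliases seen in the sysvolcheck output above (LA glossed as in the reply)
WELL_KNOWN = {"LA": "Local Administrator, root on a Samba DC", "DA": "Domain Admins",
              "BA": "Builtin Administrators", "SY": "Local System",
              "AU": "Authenticated Users", "SO": "Server Operators",
              "EA": "Enterprise Admins", "CO": "Creator Owner",
              "ED": "Enterprise Domain Controllers"}
_SDDL = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>.*)$")
_ACE = re.compile(r"\(([^)]*)\)")

def name(sid):
    """Expand a two-letter alias; raw S-1-... SIDs are returned as they are."""
    return f"{sid} ({WELL_KNOWN[sid]})" if sid in WELL_KNOWN else sid

def parse_sddl(sddl):
    """Split SDDL into owner, group, DACL control flags (P/AR/AI) and a set of ACE tuples."""
    m = _SDDL.match(sddl)
    if not m:
        raise ValueError(f"not a recognised SDDL string: {sddl!r}")
    raw, flags, i = m.group("flags"), [], 0
    while i < len(raw):                      # AR and AI are two letters, P is one
        step = 2 if raw[i:i + 2] in ("AR", "AI") else 1
        flags.append(raw[i:i + step])
        i += step
    aces = {tuple(a.split(";")) for a in _ACE.findall(m.group("aces"))}
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": set(flags), "aces": aces}

def diff_sddl(actual, expected):
    """Return human-readable lines describing where `actual` deviates from `expected`."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    for part in ("owner", "group"):
        if a[part] != e[part]:
            out.append(f"{part}: {name(a[part])} but expected {name(e[part])}")
    if a["flags"] != e["flags"]:
        out.append(f"dacl flags: {sorted(a['flags'])} but expected {sorted(e['flags'])}")
    for ace in sorted(a["aces"] - e["aces"]):
        out.append(f"unexpected ACE ({';'.join(ace)}) for {name(ace[-1])}")
    for ace in sorted(e["aces"] - a["aces"]):
        out.append(f"missing ACE ({';'.join(ace)}) for {name(ace[-1])}")
    return out

# The two descriptors from the GPO error quoted in the thread
ACTUAL_GPO = "O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
EXPECTED_GPO = "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
if __name__ == "__main__":
    for line in diff_sddl(ACTUAL_GPO, EXPECTED_GPO):
        print(line)                 # owner: LA (...) but expected DA (Domain Admins)
```

Run against the first sysvolcheck error (the sysvol directory itself) it also flags the DACL control difference, AI (inherited) versus P (protected), which the owner-only reading does not show.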


