[Samba] samba-tool ntacl sysvolcheck: LAG vs DAG?
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Wed Jun 25 21:27:40 UTC 2025
On 25/06/25 21:45, Michael Tokarev via samba wrote:
> Hi!
>
> Currently, `samba-tool ntacl sysvolcheck' throws the following error
> to me:
>
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
> tls.msk.ru/Policies/{3E5BB783-D38A-49A2-9453-356FE7E71985}
> O:LAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)
> (A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
> (OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> (A;OICI;0x1200a9;;;ED) does not match expected value
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)
> (A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
> (OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> (A;OICI;0x1200a9;;;ED) from GPO object
> File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> 356, in _run
>
> The actual difference is the second entry, which is LAG (actual)
> vs DAG (expected).
>
> `samba-tool ntacl sysvolreset` does not report any changes.
>
> What *is* this DAG/LAG thing, how to fix this error (so maybe
> to proceed to other errors, at least), and does it actually
> matter?
The SDDL format is O:<sid> G:<sid> D:<dacl> S:<sacl> where O and G stand
for owner and group. O:LAG:DAD:... is read O:LA, G:DA, D:...
LA stands for Local Administrator.
DA stands for Domain Administrator.
This happens from time to time, and I don't remember why this early in
the morning.
e.g. https://lists.samba.org/archive/samba/2023-May/245260.html
Douglas
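
The O:/G:/D:/S: split described in the reply, as an added example that is not part of the original message and is not Samba's own code: it breaks the two descriptors from the quoted error into components and reports which one differs. The function names are hypothetical, and the parser assumes ACEs without nested parentheses (no conditional ACEs).

```python
import re

# Owner/group SIDs are either a two-letter alias or a literal S-1-... string.
_SID = r"[A-Z]{2}|S-1-[0-9-]+"
# Assumption: ACEs contain no nested parentheses (no conditional ACEs).
_ACL = r"[A-Z]*(?:\([^()]*\))*"
_SDDL = re.compile(
    rf"^(?:O:(?P<owner>{_SID}))?(?:G:(?P<group>{_SID}))?"
    rf"(?:D:(?P<dacl>{_ACL}))?(?:S:(?P<sacl>{_ACL}))?$"
)

# Only the two aliases explained in the reply above, with its wording.
ALIASES = {"LA": "Local Administrator", "DA": "Domain Administrator"}


def split_sddl(sddl):
    """Split an SDDL string into owner, group, dacl and sacl parts."""
    m = _SDDL.match(sddl.strip())
    if m is None:
        raise ValueError("not a recognised SDDL string: %r" % sddl)
    return m.groupdict()


def diff_sddl(actual, expected):
    """Return {component: (actual, expected)} for the parts that differ."""
    a, e = split_sddl(actual), split_sddl(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}


# The DACL shared by both descriptors in the error message quoted above.
DACL = ("D:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
        "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
        "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
        "(A;OICI;0x1200a9;;;ED)")
ON_DISK = "O:LAG:DA" + DACL    # what sysvolcheck found on the directory
FROM_GPO = "O:DAG:DA" + DACL   # what it expected from the GPO object

if __name__ == "__main__":
    for part, (got, want) in diff_sddl(ON_DISK, FROM_GPO).items():
        print("%s: %s (%s) != %s (%s)" % (
            part, got, ALIASES.get(got, got), want, ALIASES.get(want, want)))
```

Run on the two strings from the error, it reports only the owner as different; the group and the DACL are identical.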