[Samba] samba-tool ntacl sysvolcheck: LAG vs DAG?
Michael Tokarev
mjt at tls.msk.ru
Thu Jun 26 09:56:39 UTC 2025
On 26.06.2025 00:27, Douglas Bagnall via samba wrote:
> On 25/06/25 21:45, Michael Tokarev via samba wrote:
>> Hi!
>>
>> Currently, `samba-tool ntacl sysvolcheck' throws the following error
>> to me:
>>
>> # samba-tool ntacl sysvolcheck
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
>> - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
>> tls.msk.ru/Policies/{3E5BB783-D38A-49A2-9453-356FE7E71985}
>> O:LAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)
>> (A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>> (OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
>> (A;OICI;0x1200a9;;;ED) does not match expected value
>> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)
>> (A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>> (OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
>> (A;OICI;0x1200a9;;;ED) from GPO object
>> File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 356, in _run
>>
>> The actual difference is the second entry, which is LAG (actual)
>> vs DAG (expected).
>>
>> `samba-tool ntacl sysvolreset` does not report any changes.
> The SDDL format is O:<sid> G:<sid> D:<dacl> S:<sacl> where O and G stand
> for owner and group. O:LAG:DAD:... is read O:LA, G:DA, D:...
>
> LA stands for Local Administrator.
> DA stands for Domain Administrator.
Aha. This makes it clear. I tried to find what these definitions
stand for, but that hasn't been very successful.
> This happens from time to time, and I don't remember why this early in
> the morning.
>
> e.g. https://lists.samba.org/archive/samba/2023-May/245260.html
Shouldn't `ntacl sysvol reset` do the right thing here?
I ended up doing
ntacl set "..." /var/lib/samba/sysvol/$DOMAIN --recursive
to make `sysvol check` happy - isn't it exactly what
`sysvol reset` should be doing?
Thanks,
/mjt
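As an added illustration of the SDDL layout described in the quoted reply (O:, G:, D: and S: components), the following standalone Python splitter (written for this thread, not Samba's own SDDL parser) takes the two descriptors from the error message above and reports which component actually differs; the SID alias expansions in the table are the standard SDDL abbreviations.

```python
import re

# Constructed input: the two descriptors from the sysvolcheck error quoted
# in this thread, with the line breaks of the mail joined back together.
ACTUAL = ("O:LAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
          "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
          "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
          "(A;OICI;0x1200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
            "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
            "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
            "(A;OICI;0x1200a9;;;ED)")

# Well-known two-letter SDDL SID aliases used in the strings above.
SID_ALIASES = {"LA": "Administrator account", "DA": "Domain Admins",
               "EA": "Enterprise Admins", "CO": "Creator Owner",
               "SY": "Local System", "AU": "Authenticated Users",
               "ED": "Enterprise Domain Controllers"}
COMPONENTS = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}


def parse_sddl(sddl):
    """Split SDDL into owner/group/dacl/sacl. An ACL becomes {"flags", "aces"},
    each ACE the list type;flags;rights;object_guid;inherit_guid;sid."""
    parts = {}
    # Each component starts with O/G/D/S followed by ':'; no SID, alias, GUID
    # or ACE contains ':', so splitting on that lookahead is unambiguous.
    for chunk in re.split(r"(?=[OGDS]:)", sddl):
        if not chunk:
            continue
        tag, body = chunk[0], chunk[2:]
        if tag in "DS":
            parts[COMPONENTS[tag]] = {
                "flags": body.split("(", 1)[0],
                "aces": [ace.split(";") for ace in re.findall(r"\(([^)]*)\)", body)],
            }
        else:
            parts[COMPONENTS[tag]] = body
    return parts


def sddl_diff(actual, expected):
    """Return [(component, actual, expected)] for each component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return [(name, a.get(name), e.get(name)) for name in COMPONENTS.values()
            if a.get(name) != e.get(name)]


if __name__ == "__main__":
    for name, got, want in sddl_diff(ACTUAL, EXPECTED):
        print(f"{name}: actual {got} ({SID_ALIASES.get(got, '?')}) "
              f"vs expected {want} ({SID_ALIASES.get(want, '?')})")
```

Running it prints only the owner line (LA vs DA); the group and all eight DACL entries compare equal, which is what the error message shows once the components are separated.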