Dear,

I'm having trouble handling GPOs on my DC.

Environment: Samba 4.4.5, primary and secondary DC.

I am not allowed to edit the GPOs. The problem occurred after I edited the Default GPO on the primary DC and then ran rsync to synchronize between the DCs.

The following errors arise when I run the commands:

Note: I hid the actual domain name.

# samba-tool gpo aclcheck -U Administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.DOMAIN.LOCAL<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.DOMAIN.LOCAL<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name srv14.domain.local<0x20>
Password for [DOMAIN\Administrator]:
resolve_lmhosts: Attempting lmhosts lookup for name srv14.domain.local<0x20>
ERROR: Invalid GPO ACL O:BAG:SYD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001200a9;;;AU)(A;OICI;;;;WD)(A;;0x001f01ff;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG) on path (domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}), should be O:DAG:DAD:PAI(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;DA)(A;OICI;0x001e01bf;;;EA)(A;OICIIO;0x001f01ff;;;EA)(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

# samba-tool ntacl sysvolcheck -U Administrator
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /usr/local/samba/var/locks/sysvol/domain.local O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))

# samba-tool ntacl sysvolreset -U administrator
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [full_audit]
Module 'full_audit' loaded
Segmentation fault (core of the recorded image)

# getfacl /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/domain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000000
# group: 3000025
user::rwx
user:3000012:r-x
user:3000025:rwx
user:3000026:r-x
group::rwx
group:3000000:rwx
group:3000012:r-x
group:3000025:rwx
group:3000026:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000000:rwx
default:user:3000012:r-x
default:user:3000025:rwx
default:user:3000026:r-x
default:group::---
default:group:3000000:rwx
default:group:3000012:r-x
default:group:3000025:rwx
default:group:3000026:r-x
default:mask::rwx
default:other::---

# ls -al /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
total 28
drwxrwx---+  4 3000000 3000025   45 Ago  2 11:15 .
drwxrwx---+ 15 3000000 3000025 4096 Ago  2 11:15 ..
-rwxrwx---+  1 3000000 3000025   27 Set 30 16:03 GPT.INI
drwxrwx---+  5 3000000 3000025   74 Ago  2 11:15 MACHINE
drwxrwx---+  5 3000000 3000025  104 Ago  2 11:15 USER

The GPO {31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy.

Does anyone know how to solve this problem?