Hi Marc,
Ok, I apologise, I was unsure if the number
{31B2F340-016D-11D2-945F-00C04FB984F9} was something sensitive,
password-like or not, so I changed it slightly... Sorry! The number
is actually the number as you quote it below for the Default Domain Policy.
> The two GUID directories, that exist on every AD DC, are
>
> {6AC1786C-016F-11D2-945F-00C04FB984F9} = Default Domain Controller Policy
> {31B2F340-016D-11D2-945F-00C04FB984F9} = Default Domain Policy
>
> So yours is a GPO, you had created.
Again... apologies: no, it really is the default domain policy.
> That's normal. If you create a new GPO, the GPMC only created the GUID
> folder, that contains an empty Machine and User folder and the GPT.INI
> file. Nothing else.
But in case of the default domain policy..? Is it also normal?
I guess perhaps not...? And how to solve this..?
> Have you verified, that the error "Access is denied" is correct?
I can access the UNC
\\samba.company.com\sysvol\samba.company.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\
So I guess "access denied" is NOT the problem.
(though I'm trying as a user, and perhaps GPO runs as a machine account...)
samba-tool ntacl sysvolcheck crashes with the well-known error:
> root@DC2:~# samba-tool ntacl sysvolcheck
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samba.company.com/Policies/{A577A789-8C39-447A-8555-42B247B9943C} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> root@DC2:~#
In a thread a few weeks ago I was told that this is quite normal. Most
of us see this. A few weeks ago I ran sysvolreset as well.
Anyway: running sysvolreset again will not give me a registry.pol
file in that location...
What to do..? Do I have a problem?
MJ
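
The two SDDL strings in the sysvolcheck error above are hard to compare by eye. The following is an added example, not part of the original message and not Samba's own code: it splits both strings into owner, group, DACL flags and ACEs and reports each field that differs. The function names are hypothetical, and the alias table holds the standard SDDL meanings of the two-letter SIDs that occur in these strings.

```python
import re
from itertools import zip_longest

# Input copied from the error in the message: the ACL reported for the GPO
# directory first, then the value expected from the GPO object.
DIR_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Standard SDDL SID aliases (only the ones used in the strings above).
ALIASES = {"LA": "Administrator account, RID 500", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^()]*\))+)")
ACE_FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")

def parse_sddl(sddl):
    """Split an O:..G:..D:.. descriptor into owner, group, DACL flags and ACE dicts."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("not an O:..G:..D:.. security descriptor: %r" % sddl)
    aces = [dict(zip(ACE_FIELDS, body.split(";")))
            for body in re.findall(r"\(([^()]*)\)", m.group("aces"))]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": m.group("flags"), "aces": aces}

def diff_sddl(directory, gpo_object):
    """Return (field, directory_value, gpo_object_value) for every field that differs."""
    d, g = parse_sddl(directory), parse_sddl(gpo_object)
    diffs = [(f, d[f], g[f]) for f in ("owner", "group", "flags") if d[f] != g[f]]
    # ACE order is significant in a DACL, so compare position by position.
    for i, (x, y) in enumerate(zip_longest(d["aces"], g["aces"])):
        if x != y:
            diffs.append(("ace[%d]" % i, x, y))
    return diffs

def describe(diffs):
    """Render the differences, expanding SID aliases where one is known."""
    def name(v):
        return "%s (%s)" % (v, ALIASES[v]) if v in ALIASES else str(v)
    return ["%s: directory has %s, GPO object expects %s" % (f, name(a), name(b))
            for f, a, b in diffs]

if __name__ == "__main__":
    print("\n".join(describe(diff_sddl(DIR_SDDL, GPO_SDDL))))
```

For the two strings in the error, the only field reported is the owner: `LA` on the directory versus `DA` expected from the GPO object. The group, the DACL flags and all seven ACEs are identical.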