samba - Jul 2016 - Samba 4.2.14 GPO issue

Dear All,
I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that GPO
are having issue

Specifically when I'm adding new using they *never *got the gpupdate
success fully.

When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset

But don't seem to got it fix..

Any suggestion?

Thank in advance.

#samba-tool ntacl sysvolcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[dfs]"
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line
249, in run
    lp)
  File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
    direct_db_access)
  File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))

Regards,
Min Wai

Hi,

Do you have any specific error message in Windows events log concerning GPO?

Regards


Le 24/07/2016 à 05:40, Min Wai Chan a écrit :
> Dear All,
> I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that
GPO
> are having issue
>
> Specifically when I'm adding new using they *never *got the gpupdate
> success fully.
>
> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset
>
> But don't seem to got it fix..
>
> Any suggestion?
>
> Thank in advance.
>
> #samba-tool ntacl sysvolcheck
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[dfs]"
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
> kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
>
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File
"/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line
> 249, in run
>      lp)
>    File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1730, in checksysvolacl
>      direct_db_access)
>    File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1681, in check_gpos_acl
>      domainsid, direct_db_access)
>    File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1628, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not
match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
>
> Regards,
> Min Wai

On 24/07/16 04:40, Min Wai Chan wrote:
> Dear All,
> I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that
GPO
> are having issue
>
> Specifically when I'm adding new using they *never *got the gpupdate
> success fully.
>
> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset
>
> But don't seem to got it fix..
>
> Any suggestion?
>
> Thank in advance.
>
> #samba-tool ntacl sysvolcheck
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[dfs]"
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
> kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
>
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File
"/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line
> 249, in run
>      lp)
>    File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1730, in checksysvolacl
>      direct_db_access)
>    File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1681, in check_gpos_acl
>      domainsid, direct_db_access)
>    File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1628, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not
match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
>
> Regards,
> Min Wai
I wouldn't worry about it (at the moment), this is because you are 
getting this:

O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

and if you look closely, the only difference is at the start, yours 
starts 'O:LAG:' and the expected starts 'O:DAG:'

O = owner
LA = Local Administrators
BA = BUILTIN\Administrators

Not that this means anything, because the actually SDDL should be:

O:BAG:SYD:PAI(A;;0x001200a9;;;AU)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;SO)(A;OICIIO;GRGX;;;SO)(A;;0x001e01bf;;;BA)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001f01ff;;;SY)(A;OICIIO;GA;;;SY)(A;;0x001e01bf;;;BA)(A;OICIIO;WOWDGRGWGX;;;CO)S:AI(AU;OICISA;SD;;;WD)

Rowland

Hello Sébastien Le Ray,

The PC reply the following...

The processing of Group Policy failed. Windows could not resolve the user
name. This could be caused by one or more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).

The processing of Group Policy failed. Windows could not resolve the
computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from
the command line to access information about Group Policy results.

On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <sebastien-samba at
orniz.org
> wrote:
> Hi,
>
> Do you have any specific error message in Windows events log concerning
> GPO?
>
> Regards
>
>
> Le 24/07/2016 à 05:40, Min Wai Chan a écrit :
>
>> Dear All,
>> I've recently upgrade from samba 4.1.x to samba 4.2.14 and found
that GPO
>> are having issue
>>
>> Specifically when I'm adding new using they *never *got the
gpupdate
>>
>> success fully.
>>
>> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset
>>
>> But don't seem to got it fix..
>>
>> Any suggestion?
>>
>> Thank in advance.
>>
>> #samba-tool ntacl sysvolcheck
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[dfs]"
>> ERROR(<class 'samba.provision.ProvisioningError'>):
uncaught exception -
>> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
>> kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>
<http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D>
>>
>>
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>> does not match expected value
>>
>>
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>> from GPO object
>>    File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
>> line
>> 175, in _run
>>      return self.run(*args, **kwargs)
>>    File
"/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line
>> 249, in run
>>      lp)
>>    File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>> line 1730, in checksysvolacl
>>      direct_db_access)
>>    File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>> line 1681, in check_gpos_acl
>>      domainsid, direct_db_access)
>>    File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>> line 1628, in check_dir_acl
>>      raise ProvisioningError('%s ACL on GPO directory %s %s does
not match
>> expected value %s from GPO object' % (acl_type(direct_db_access),
path,
>> fsacl_sddl, acl))
>>
>> Regards,
>> Min Wai
>>
>
>