I have a samba DC based on Debian Buster running samba 4.12.2 from Louis' repo. A second DC on Raspbian buster is running samba 4.12.0. I have sysvol replication working using rsync/unison as per the WiKi. I wasn't having any issues until I tried to edit a GPO and found that all the ACL settings had disappeared. This may have happened when I upgraded the DCs from 4.11.x to 4.12.x, as I did it by demoting, then removing samba and re-installing the new version, then re-joining. Anyhow, I tried to set the ACLs using a Windows member client on the sysvol share of the PDC FSMO role owner to what I thought they should be, but when I run the samba-tool ntacl sysvolcheck command I get:

root at tiger-db:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /var/lib/samba/sysvol/microlynx.org O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;BA)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;AU) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1901, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' %
                            (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))

So I tried running samba-tool ntacl sysvolreset and I get:

idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
...
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'

ad nauseam.

How can I get this back to normal?

TIA

Roy
On 19/05/2020 17:09, Roy Eastwood via samba wrote:
> I have a samba DC based on Debian Buster running samba 4.12.2 from Louis' repo. A second DC on Raspbian buster is running samba 4.12.0. I have sysvol replication working using rsync/unison as per the WiKi. I wasn't having any issues until I tried to edit a GPO and found that all the ACL settings had disappeared. This may have happened when I upgraded the DCs from 4.11.x to 4.12.x, as I did it by demoting, then removing samba and re-installing the new version, then re-joining. Anyhow, I tried to set the ACLs using a Windows member client on the sysvol share of the PDC FSMO role owner to what I thought they should be, but when I run the samba-tool ntacl sysvolcheck command I get:
>
> root at tiger-db:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /var/lib/samba/sysvol/microlynx.org O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;BA)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;AU) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
>     lp)
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1901, in checksysvolacl
>     raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' %
>                             (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
>
> So I tried running samba-tool ntacl sysvolreset and I get:
>
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> ...
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
>
> ad nauseam.
>
> How can I get this back to normal?
>
> TIA
>
> Roy
>

You could try using a script Louis wrote, see here:

https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh

The 'idmap config' lines are nothing to worry about, you cannot set them on a DC, but, for some reason, testparm etc warns about them.

Rowland
> You could try using a script Louis wrote, see here:
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
>
> The 'idmap config' lines are nothing to worry about, you cannot set them on a DC, but, for some reason, testparm etc warns about them.
>
> Rowland
>

Sorry, I should have said - I ran Louis' script and set the ACLs according to the output. The script also produced a file called default-rights-sysvol-acl which contains:

# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000027:r-x
user:3000023:rwx
user:3000009:r-x
group::rwx
group:3000000:rwx
group:3000027:r-x
group:3000023:rwx
group:3000009:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000027:r-x
default:user:3000023:rwx
default:user:3000009:r-x
default:group::---
default:group:3000000:rwx
default:group:3000027:r-x
default:group:3000023:rwx
default:group:3000009:r-x
default:mask::rwx
default:other::---

After I had set the ACLs and run the Group Policy Management tool from Windows (which suggested that the ACLs were not correct and offered to correct them by clicking OK), getfacl /var/lib/samba/sysvol produces this:

# file: var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
user:NT\040AUTHORITY\\system:rwx
user:BUILTIN\\server\040operators:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
group:NT\040AUTHORITY\\system:rwx
group:BUILTIN\\server\040operators:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:BUILTIN\\server\040operators:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:BUILTIN\\server\040operators:r-x
default:mask::rwx
default:other::---

If I run wbinfo to convert the GIDs to names, the two getfacl lists are essentially the same. When I run samba-tool gpo aclcheck -Uadministrator, I get:

Password for [MICROLYNX\administrator]:
ERROR: Invalid GPO ACL O:LAG:S-1-22-2-0D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;;;;WD)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG) on path (microlynx.org\Policies\{CA8E6F15-335B-4BA1-BDD3-7FE7B6780946}), should be O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

Any other ideas?

Thanks Rowland.

Roy
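Both failures in this thread are samba-tool comparing an SDDL string read from the filesystem (or the xattr DB) with a provision template. The comparator below is an added example written for this page, not samba-tool's own code or Louis' script; it parses the SDDL descriptors quoted above (the two sysvol strings are embedded, copied from the thread) and reports which parts differ: owner and group, DACL control flags (AI versus P), and ACEs present on one side only, ignoring the ID flag that only marks an ACE as inherited.

```python
import re

# Constructed from the samba-tool ntacl sysvolcheck output quoted in the thread (mail line wraps removed).
SYSVOL_ACTUAL = ("O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;BA)(A;OICIID;0x001200a9;;;SO)"
                 "(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;AU)")
SYSVOL_EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                   "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

_SD_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)(ace)..' into its parts; whitespace from mail wrapping is dropped."""
    m = _SD_RE.match(re.sub(r"\s+", "", sddl))
    if not m:
        raise ValueError("expected an SDDL string with O:, G: and D: sections")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        aces.append({
            "type": ace_type,
            "flags": frozenset(flags[i:i + 2] for i in range(0, len(flags), 2)),  # OI, CI, IO, ID ...
            # hex masks are normalised so 0x1f01ff and 0x001f01ff compare equal; aliases (FA, GR) stay as-is
            "rights": "0x%08x" % int(rights, 16) if rights.startswith("0x") else (rights or "0x00000000"),
            "sid": sid,
        })
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": set(re.findall(r"P|AR|AI", m.group("flags"))), "aces": aces}

def ace_key(ace):
    """Comparison key for an ACE. ID only records that the ACE was inherited, so it is ignored."""
    return (ace["type"], "".join(sorted(ace["flags"] - {"ID"})), ace["rights"], ace["sid"])

def diff_sddl(actual, expected):
    """Report what differs between a descriptor read from sysvol and the provision template."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    a_keys, e_keys = {ace_key(x) for x in a["aces"]}, {ace_key(x) for x in e["aces"]}
    return {
        "owner": (a["owner"], e["owner"]),
        "group": (a["group"], e["group"]),
        "dacl_flags": (sorted(a["flags"]), sorted(e["flags"])),
        # P (protected) blocks inheritance from the parent; AI means the DACL was auto-inherited instead
        "needs_protect": "P" in e["flags"] and "P" not in a["flags"],
        "missing_aces": sorted(e_keys - a_keys),   # in the template but absent on disk
        "extra_aces": sorted(a_keys - e_keys),     # on disk but not in the template
    }

if __name__ == "__main__":
    for key, value in diff_sddl(SYSVOL_ACTUAL, SYSVOL_EXPECTED).items():
        print(key, value)
```

For the sysvol directory the report shows identical ACEs and only the control flags differing (AI on disk, P expected), which is what setting the ACL from a Windows client with inheritance enabled produces; for the GPO descriptor it lists the LA, SO, BA, WD and S-1-22-2-0 entries as extra and DA, EA and ED as missing.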