On Sun, Oct 25, 2020 at 4:24 PM Rowland penny via samba <samba at lists.samba.org> wrote:> Yes, that is what it is designed for.Yes, and yes it does! Thank you!!
The reset allowed the current GPO to take effect, but right after
adding a new GPO (just named it, no editing, or linking) the
sysvolcheck fails:
# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception
- ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/hq.theauditors.com/Policies/{4409F67D-97F1-4241-9243-02058C6E3FE6}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File
"/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py",
line 186, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/ntacl.py",
line 446, in run
lp)
File
"/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py",
line 1894, in checksysvolacl
direct_db_access)
File
"/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py",
line 1844, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py",
line 1786, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' %
(acl_type(direct_db_access), path, fsacl_sddl, acl))
On 25/10/2020 20:37, Sonic wrote:> The reset allowed the current GPO to take effect, but right after > adding a new GPO (just named it, no editing, or linking) the > sysvolcheck fails: > # samba-tool ntacl sysvolcheck > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception > - ProvisioningError: DB ACL on GPO directory > /usr/local/samba/var/locks/sysvol/hq.theauditors.com/Policies/{4409F67D-97F1-4241-9243-02058C6E3FE6} > O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) > does not match expected value > O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) > from GPO object > File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py", > line 186, in _run > return self.run(*args, **kwargs) > File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/ntacl.py", > line 446, in run > lp) > File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", > line 1894, in checksysvolacl > direct_db_access) > File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", > line 1844, in check_gpos_acl > domainsid, direct_db_access) > File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", > line 1786, in check_dir_acl > raise ProvisioningError('%s ACL on GPO directory %s %s does not > match expected value %s from GPO object' % > (acl_type(direct_db_access), path, fsacl_sddl, acl))its a bit like 'wack a mole', just keep running sysvolreset :-D Rowland