Hi!

I executed the command "samba-tool ntacl sysvolcheck" on a DC and I got the following I pasted below. The first DC was provisioned migrating from a samba NT4 PDC with an LDAP backend using the classic upgrade procedure. I haven't detected any problem but I wanted to make sure there isn't any problem I might not be seeing yet.

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.com/Policies/{725C8FA6-3CC1-4A37-9C70-4DE6C4793F53} O:DAG:DAD:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1039)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1054)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1152)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1305)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1390)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1536)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1578)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-21970)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-22166) from GPO object
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 230, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 449, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
    check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Thanks in advance.
Best regards,
Dave.

That's not a problem, it's just an ACL provisioning message. As you can see, the result was "DAG:DAD:PAI" but expected was "O:DAG:DAD:PAR"; that's "normal" ;-)

Just ignore it or do a "samba-tool ntacl sysvolreset".

On 19.10.23 at 17:27, bd730c5053df9efb via samba wrote:
> Hi!
>
> I executed the command "samba-tool ntacl sysvolcheck" on a DC and I got the following I pasted below. The first DC was provisioned migrating from a samba NT4 PDC with an LDAP backend using the classic upgrade procedure. I haven't detected any problem but I wanted to make sure there isn't any problem I might not be seeing yet.
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.com/Policies/{725C8FA6-3CC1-4A37-9C70-4DE6C4793F53} O:DAG:DAD:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1039)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1054)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1152)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1305)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1390)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1536)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1578)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-21970)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-22166) from GPO object
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 230, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 449, in run
>     provision.checksysvolacl(samdb, netlogon, sysvol,
>   File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
>     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>   File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
>     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>   File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> Thanks in advance.
> Best regards,
> Dave.
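
To see exactly where two SDDL strings like the ones in this thread differ, the following added example (not part of the original messages and not Samba's own code) splits each string into owner, group, DACL flags and ACEs and diffs them. The names parse_sddl and diff_sddl are hypothetical, and the sample strings are shortened from the thread's output.

```python
import re
from typing import NamedTuple

# SDDL DACL control flags: P = protected, AR = auto-inherit required,
# AI = auto-inherited. Only O:/G:/D: strings (no SACL) are handled here.
SDDL_RE = re.compile(r"^O:(?P<owner>.*?)G:(?P<group>.*?)"
                     r"D:(?P<flags>[A-Z_]*)(?P<aces>(?:\([^)]*\))*)$")

class Sddl(NamedTuple):
    owner: str
    group: str
    flags: frozenset
    aces: tuple

def parse_sddl(text):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = SDDL_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported SDDL (expected O:..G:..D:.. only)")
    flags = frozenset(re.findall(r"AR|AI|P", m["flags"]))
    aces = tuple(re.findall(r"\(([^)]*)\)", m["aces"]))
    return Sddl(m["owner"], m["group"], flags, aces)

def diff_sddl(actual, expected):
    """Return what differs between two SDDL strings, by component."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {
        "owner_differs": a.owner != e.owner,
        "group_differs": a.group != e.group,
        "flags_only_actual": sorted(a.flags - e.flags),
        "flags_only_expected": sorted(e.flags - a.flags),
        "aces_only_actual": [x for x in a.aces if x not in e.aces],
        "aces_only_expected": [x for x in e.aces if x not in a.aces],
    }

# Constructed sample: shortened from the two strings in the thread.
SID = "S-1-5-21-2172607237-3276034063-696894390-1039"
COMMON = ("(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;" + SID + ")")
ACTUAL = "O:DAG:DAD:PAI" + COMMON
EXPECTED = ("O:DAG:DAD:PAR" + COMMON
            + "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;" + SID + ")")

if __name__ == "__main__":
    for key, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(f"{key}: {value}")
```

Run on the two full strings from the thread, it reports the AI versus AR flag difference and lists the OA entries that appear only in the expected value.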