thr3ads.net - samba - [Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN. [Jan 2013]

If this information is useful, please help other people find it:
Share via:

Alex Matthews

2013-Jan-10 09:53 UTC

[Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN.

Hi all,

Some (then all) of our workstations were complaining about incorrect 
ACLs on GPOs and were unable to read the gpt.ini to apply the GPOs.
So I did a sysvolcheck and sure enough I'd lost the ACLs when I moved 
our sysvol share to a new location on the server (whoops, mea culpa).

I ran a sysvolreset which took a long time to return (some 5 minutes, 
please see my post on slow winbind lookups).

Just to make sure everything went as planned I re-ran the sysvolcheck 
and I get the following error:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: DB ACL on GPO directory 
/vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value 
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line
245, in run
     lp)
   File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line
1599, in checksysvolacl
     direct_db_access)
   File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line
1550, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line
1500, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
path, fsacl_sddl, acl))

Comparing the two ACLs

O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)


The only difference I can see is the 'DAG' vs 'LAG' at the
beginning
(Directory ACL vs File ACL?)

Thanks,

Alex

Hleb Valoshka

2013-Jan-10 13:47 UTC

head link

[Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN.

On 1/10/13, Alex Matthews <qoole.samba at lillimoth.com>
wrote:> Comparing the two ACLs
>
>
O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> The only difference I can see is the 'DAG' vs 'LAG' at the
beginning
> (Directory ACL vs File ACL?)
Take a look here: https://bugzilla.samba.org/show_bug.cgi?id=9483

Seemingly Similar Threads

Search for more seemingly similar threads

samba - Jan 2013 - ACL on GPO directory does not match expected value from GPO object. AGAIN.

[Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN.

[Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN.

Seemingly Similar Threads