samba - Apr 2014 - Samba4 policies acl corruption

Hi everybody.

One month ago me migrated from samba 3.6 classic domain to samba4.

After solving some minor problems, we have found ourselves with a ACL 
corruption and we don't know how to deal with this.
When accesing to our sysvol shared (for example, \\domain.local\sysvol) 
from both Samba or Windows clients, we are refused to connect.

Domain=[VECTORSF] OS=[Unix] Server=[Samba 4.1.4]
session setup failed: NT_STATUS_CONNECTION_REFUSED

However we can access our sysvol shares directly (for example 
\\dc01.domain.local\sysvol or \\dc02.domain.local\sysvol).
The problem raised after one tech ENFORCED one policy from GPO windows tool.

After searching in forums, we managed to locate the problem. There is 
some problem with GPO ACLs.

root at DC01:/tmp/policy# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: DB ACL on GPO directory 
/usr/local/samba/var/locks/sysvol/vectorsf.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value 
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run

As you can see, the only difference is with O:LAG / O:DAG.

Of course we have reset ACLs via samba-tool ntacl sysvolreset.

We have also read something similar in this bugzilla.
https://bugzilla.samba.org/show_bug.cgi?id=9483

Changing owner (an resync) to match UID 512 for each Policy does not fix 
the problem.

Thanks in advance!

We managed to fix this issue.

samba-tool ntacl sysvolreset --use-s3fs
samba-tool ntacl sysvolreset --use-ntvfs

And resync sysvol shares (via rsync) with all DCs.

We had to wait for a few minutes until replication (both sysvol shares 
via rsync and internal DCs) finished.


On 08/04/14 10:54, I?igo Martinez Lasala wrote:
> Hi everybody.
>
> One month ago me migrated from samba 3.6 classic domain to samba4.
>
> After solving some minor problems, we have found ourselves with a ACL 
> corruption and we don't know how to deal with this.
> When accesing to our sysvol shared (for example, 
> \\domain.local\sysvol) from both Samba or Windows clients, we are 
> refused to connect.
>
> Domain=[VECTORSF] OS=[Unix] Server=[Samba 4.1.4]
> session setup failed: NT_STATUS_CONNECTION_REFUSED
>
> However we can access our sysvol shares directly (for example 
> \\dc01.domain.local\sysvol or \\dc02.domain.local\sysvol).
> The problem raised after one tech ENFORCED one policy from GPO windows 
> tool.
>
> After searching in forums, we managed to locate the problem. There is 
> some problem with GPO ACLs.
>
> root at DC01:/tmp/policy# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception
> - ProvisioningError: DB ACL on GPO directory 
>
/usr/local/samba/var/locks/sysvol/vectorsf.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>
O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value 
>
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File 
>
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>
> As you can see, the only difference is with O:LAG / O:DAG.
>
> Of course we have reset ACLs via samba-tool ntacl sysvolreset.
>
> We have also read something similar in this bugzilla.
> https://bugzilla.samba.org/show_bug.cgi?id=9483
>
> Changing owner (an resync) to match UID 512 for each Policy does not 
> fix the problem.
>
> Thanks in advance!
>

-- 
I?igo Mart?nez Lasala
Director de IT
____________________________
Tel.: (+34) 91 183 03 00

Camino del Cerro de los Gamos, 1 ? Edificio 6
28224 Pozuelo de Alarc?n
Madrid - Espa?a
____________________________
Vector Software Factory
www.vectorsf.com

Condiciones de Confidencialidad