mourik jan heupink - merit
2014-May-13 14:39 UTC
[Samba] GPO problems on a 4.1.6 AD, classicupgraded, uncaught exception
Hi all,

We're running a classicupgraded samba4 AD 4.1.6 sernet for a month or two now, and all is very well. :-) It has been classicupgraded using the same 4.1.6.

Today I wanted to try GPOs and they are not applied. GPUpdate /force tells me: "Windows attempted to read the file blahblah\gpt.ini from a domain controller and was not successful".

Taken from the mailing list, I tried samba-tool ntacl sysvolcheck, and it fails miserably and SCARY, with an uncaught exception:

root@dc1:~# samba-tool ntacl sysvolcheck
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samba.merit.unu.edu/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Since everything looks so scary, I wanted to verify with you guys, before attempting a 'samba-tool ntacl sysvolreset'...

I'm surprised to find permission problems, because 4.1.6 is pretty recent, and I haven't read many issues like the above on the mailing list lately...

Perhaps related, I occasionally get these as well:

May 13 16:34:24 dc1 samba[2436]: Failed to modify SPNs on CN=p002544,CN=Computers,DC=samba,DC=domain: error in module acl: Constraint violation (19)

Any expert ideas here? Is it wise to try 'samba-tool ntacl sysvolreset'?

MJ
Marc Muehlfeld
2014-May-13 15:49 UTC
[Samba] GPO problems on a 4.1.6 AD, classicupgraded, uncaught exception
Hello Mourik,

On 13.05.2014 15:39, mourik jan heupink - merit wrote:
> Taken from the mailinglist, I tried samba-tool ntacl sysvolcheck, and
> it fails miserably and SCARY, with an uncaught exception:
>
> root@dc1:~# samba-tool ntacl sysvolcheck
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/samba.merit.unu.edu/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
> 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1695, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1646, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1593, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' % (acl_type(direct_db_access),
> path, fsacl_sddl, acl))
>
> Since everything looks so scary, I wanted to verify with you guys,
> before attempting a 'samba-tool ntacl sysvolreset'...

You should file a bug report about that. But sysvolcheck has some uncaught exceptions (e.g. https://bugzilla.samba.org/show_bug.cgi?id=10321). sysvolreset should work fine. But backup is never a bad idea ;-)

> Perhaps related, I occasionally get these as well:
>
> May 13 16:34:24 dc1 samba[2436]: Failed to modify SPNs on
> CN=p002544,CN=Computers,DC=samba,DC=domain: error in module acl:
> Constraint violation (19)

This is something different: https://bugzilla.samba.org/show_bug.cgi?id=9316

Regards,
Marc