Hi everyone.

I ran into notorious gpo error on windows clients. When I go to my dc controller and run

samba-tool ntacl sysvolcheck

I get an error:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/tsnr.mtt/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

I assume that is the problem. Now I try to fix it with

samba-tool ntacl sysvolreset

It finishes with no output or errors, but if I run sysvolcheck once again, the same problem is still there, not to mention that GPOs are still not working.

My samba version is 4.2.0, the setup is a bit complicated since I use samba in a lxc container on a zfs fs (although posixacls are supported and common tasks such as domain provision, logon, dns and even gpo upon first modifications work)

How can I fix this error or should I rebuild my domain from scratch?

Thanks in advance!

This very same issue was discussed here a few weeks ago. Consensus seemed to be: this can be ignored, because many of us (if not all?) see this.

Perhaps search the archive to check that you are seeing the exact same issue.

Hope that helps.

MJ

On 10/03/2015 01:50 AM, Krutskikh Ivan wrote:
> Hi everyone.
>
> I ran into notorious gpo error on windows clients. When I go to my dc
> controller and run
> samba-tool ntacl sysvolcheck
>
> I get an error:
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/tsnr.mtt/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
> 249, in run
> lp)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1730, in checksysvolacl
> direct_db_access)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1681, in check_gpos_acl
> domainsid, direct_db_access)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1628, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
>
> I assume that is the problem. Now I try to fix it with
>
> samba-tool ntacl sysvolreset
>
> It finishes with no output or errors, but if I run sysvolcheck once again,
> the same problem is still there, not to mention that GPOs are still not
> working.
>
> My samba version is 4.2.0, the setup is a bit complicated since I use samba
> in a lxc container on a zfs fs (although posixacls are supported and common
> tasks such as domain provision, logon, dns and even gpo upon first
> modifications work)
>
> How can I fix this error or should I rebuild my domain from scratch?
>
> Thanks in advance!
>

On 03/10/15 00:50, Krutskikh Ivan wrote:
> Hi everyone.
>
> I ran into notorious gpo error on windows clients. When I go to my dc
> controller and run
> samba-tool ntacl sysvolcheck
>
> I get an error:
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/tsnr.mtt/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P
> does not match expected value
> O:DAG:DAD:P
>

I am not sure this is your problem; if you look very carefully, there is only one letter different between what is found and what is expected. This one letter means that Local Administrators (LA) owns the policy instead of Domain Administrators (DA); who should have access to the policy is correct.

Is there anything in the event log on a PC when it tries to use the policy?

Rowland
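
Added example, not part of the original thread and not Samba's own code: a small Python comparison of the two SDDL strings from the error above, field by field, so that an owner-only difference can be told apart from a change in the access control entries. The function names and the regular expression are assumptions made for this illustration.

```python
import re
from collections import Counter

# Found and expected SDDL, copied from the sysvolcheck error in this thread.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FOUND = "O:LAG:DAD:P" + ACES
EXPECTED = "O:DAG:DAD:P" + ACES

# A SID is either a two-letter SDDL alias (DA, LA, SY, ...) or a literal S-1-...
SID = r"S-[\d-]+|[A-Z]{2}"
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>%s))?(?:G:(?P<group>%s))?"
    r"(?:D:(?P<flags>(?:P|AI|AR)*)(?P<dacl>(?:\([^()]*\))*))?"
    r"(?:S:.*)?$" % (SID, SID))


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and DACL ACEs."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unparseable SDDL: %r" % sddl)
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": m.group("flags") or "",
            "aces": re.findall(r"\(([^()]*)\)", m.group("dacl") or "")}


def diff_sddl(found, expected):
    """Return (field, found_value, expected_value) for every difference."""
    f, e = parse_sddl(found), parse_sddl(expected)
    diffs = [(k, f[k], e[k]) for k in ("owner", "group", "flags") if f[k] != e[k]]
    # Counter keeps duplicates (the DA ACE appears twice in these strings).
    # ACE order is not compared here.
    fc, ec = Counter(f["aces"]), Counter(e["aces"])
    diffs += [("ace-extra", a, None) for a in sorted((fc - ec).elements())]
    diffs += [("ace-missing", None, a) for a in sorted((ec - fc).elements())]
    return diffs


if __name__ == "__main__":
    for field, got, want in diff_sddl(FOUND, EXPECTED):
        print("%-11s found=%s expected=%s" % (field, got, want))
```
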

Hm, can I fix it manually? Maybe sysvolcheck stumbles on the first error and misses something more severe later on.

2015-10-03 12:09 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 03/10/15 00:50, Krutskikh Ivan wrote:
>
>> Hi everyone.
>>
>> I ran into notorious gpo error on windows clients. When I go to my dc
>> controller and run
>> samba-tool ntacl sysvolcheck
>>
>> I get an error:
>>
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>> ProvisioningError: DB ACL on GPO directory
>>
>> /usr/local/samba/var/locks/sysvol/tsnr.mtt/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>> O:LAG:DAD:P
>> does not match expected value
>> O:DAG:DAD:P
>>
>>
> I am not sure this is your problem; if you look very carefully, there is
> only one letter different between what is found and what is expected. This
> one letter means that Local Administrators (LA) owns the policy instead of
> Domain Administrators (DA); who should have access to the policy is correct.
> Is there anything in the event log on a PC when it tries to use the policy?
>
> Rowland
>