Hi all,

There has been some discussion on GPO's lately, and I find myself having a problem too. This error is logged on one of our win7 workstations:

EventData
SupportInfo1 2
SupportInfo2 1232
ProcessingMode 1
ProcessingTimeInMilliseconds 1638
ErrorCode 5
ErrorDescription Access is denied.
DCName \\dc4.samba.company.com
GPOCNName LDAP://CN=User,CN={12B62F356-336D-14D5-896F-00C04FB984F9},CN=Policies,CN=System,DC=samba,DC=company,DC=com
FilePath \\samba.company.com\sysvol\samba.company.com\Policies\{12B62F356-336D-14D5-896F-00C04FB984F9}\User\registry.pol

Taking a look at the DC's, I see that the directories exist, but the file "registry.pol" does NOT exist on any of our 3 DCs.

So does this mean this GPO is a corrupt one..? Looking it up in the windows Group Policy Management, it seems the policy in question is the Default Domain Policy.

Any ideas..?

Some more info:

> \\samba.company.com\sysvol\samba.company.com\Policies\{12B62F356-336D-14D5-896F-00C04FB984F9}\User\registry.pol

I can open the UNC \\samba.company.com\sysvol\samba.company.com\Policies\{12B62F356-336D-14D5-896F-00C04FB984F9}\User\ it's just the file "registry.pol" that doesn't exist.

This is on samba 4.2.4, sernet, running in AD mode on wheezy.

Hello Mourik,

On 06.10.2015 at 17:41, mourik jan c heupink wrote:
> So does this mean this GPO is a corrupt one..? Looking it up in the
> windows Group Policy Management, it seems the policy in question is
> the Default Domain Policy.

The two GUID directories, that exist on every AD DC, are

{6AC1786C-016F-11D2-945F-00C04FB984F9} = Default Domain Controller Policy
{31B2F340-016D-11D2-945F-00C04FB984F9} = Default Domain Policy

So yours is a GPO, you had created.

> Taking a look at the DC's, I see that the directories exist, but the
> file "registry.pol" does NOT exist on any of our 3 DCs.

That's normal. If you create a new GPO, the GPMC only created the GUID folder, that contains an empty Machine and User folder and the GPT.INI file. Nothing else.

When you define your first policy using the GPME, the registry.pol file is created in the Machine/User folder - depending where your change is located.

If you don't know to which GPO the GUID belongs, open the GPMC, expand "Group Policy Objects". When you click each entry, the "Details" tab shows you the GUID.

> EventData
> SupportInfo1 2
> SupportInfo2 1232
> ProcessingMode 1
> ProcessingTimeInMilliseconds 1638
> ErrorCode 5
> ErrorDescription Access is denied.
> DCName \\dc4.samba.company.com
> GPOCNName
> LDAP://CN=User,CN={12B62F356-336D-14D5-896F-00C04FB984F9},CN=Policies,CN=System,DC=samba,DC=company,DC=com
>
> FilePath
> \\samba.company.com\sysvol\samba.company.com\Policies\{12B62F356-336D-14D5-896F-00C04FB984F9}\User\registry.pol

Have you verified, that the error "Access is denied" is correct?

# samba-tool ntacl sysvolreset

resets the ACLs in SYSVOL to defaults.

Regards,
Marc
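
An added example, not part of the thread or of Samba: a read-only inventory of a `Policies` directory that reports, for each GUID folder, whether GPT.INI and the Machine/User registry.pol files are present. The temp-directory layout and the all-zero GUID are constructed for the demo; names are matched case-insensitively because the DC's filesystem is case-sensitive while Windows clients are not.

```python
import os
import tempfile

# The two well-known GUIDs quoted in the message above.
WELL_KNOWN = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controller Policy",
}

def find_entry(parent, name):
    """Return the path of the entry in parent matching name (any case), or None."""
    try:
        entries = os.listdir(parent)
    except OSError:  # missing or unreadable directory
        return None
    for entry in entries:
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None

def inventory(policies_dir):
    """Map each GPO GUID folder to the template files it contains."""
    report = {}
    for entry in sorted(os.listdir(policies_dir)):
        path = os.path.join(policies_dir, entry)
        if not (os.path.isdir(path) and entry.startswith("{") and entry.endswith("}")):
            continue
        info = {"name": WELL_KNOWN.get(entry.upper(), "custom GPO"),
                "gpt_ini": find_entry(path, "GPT.INI") is not None}
        for side in ("Machine", "User"):
            folder = find_entry(path, side)
            info[side.lower() + "_pol"] = bool(folder and find_entry(folder, "registry.pol"))
        report[entry.upper()] = info
    return report

def demo_inventory():
    """Build a constructed Policies layout in a temp dir and inventory it."""
    root = tempfile.mkdtemp()
    default = os.path.join(root, "{31B2F340-016D-11D2-945F-00C04FB984F9}")
    fresh = os.path.join(root, "{00000000-0000-0000-0000-000000000001}")  # constructed GUID
    for gpo in (default, fresh):
        for sub in ("MACHINE", "USER"):
            os.makedirs(os.path.join(gpo, sub))
        open(os.path.join(gpo, "GPT.INI"), "w").close()
    open(os.path.join(default, "MACHINE", "Registry.pol"), "wb").close()
    return inventory(root)

if __name__ == "__main__":
    for guid, info in demo_inventory().items():
        print(guid, info)
```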

Hi Marc,

Ok, I apologise, I was unsure if the number {31B2F340-016D-11D2-945F-00C04FB984F9} was something sensitive password-like or not, so I changed it slightly.... Sorry..!

The number is actually the number as you quote it below for the Default Domain Policy.

> The two GUID directories, that exist on every AD DC, are
>
> {6AC1786C-016F-11D2-945F-00C04FB984F9} = Default Domain Controller Policy
> {31B2F340-016D-11D2-945F-00C04FB984F9} = Default Domain Policy
>
> So yours is a GPO, you had created.

Again...apologies: no it really is the default domain policy.

> That's normal. If you create a new GPO, the GPMC only created the GUID
> folder, that contains an empty Machine and User folder and the GPT.INI
> file. Nothing else.

But in case of the default domain policy..? Is it also normal? I guess perhaps not...? And how to solve this..?

> Have you verified, that the error "Access is denied" is correct?

I can access the UNC \\samba.company.com\sysvol\samba.company.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\

So I guess "access denied" is NOT the problem. (though I'm trying as a user, and perhaps GPO runs as a machine account...)

samba-tool ntacl sysvolcheck crashes with the well-known error:

> root@DC2:~# samba-tool ntacl sysvolcheck
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samba.company.com/Policies/{A577A789-8C39-447A-8555-42B247B9943C} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> root@DC2:~#

In a thread a few weeks ago I was told that this is quite normal. Most of us see this. A few weeks ago I ran sysvolreset as well.

Anyway: that running sysvolreset again will not give me a registry.pol file in that location...

What to do..? Do I have a problem?

MJ
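
An added example, not part of the thread or of samba-tool: a small parser for the two SDDL strings in the sysvolcheck error above that reports which component differs between the on-disk ACL and the expected one. The alias table covers only the aliases that occur in those strings, and the parser assumes the O:/G:/D: form printed there (no SACL part).

```python
import re

# SDDL SID aliases that occur in the two strings from the error text.
ALIASES = {"LA": "built-in Administrator account", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

# Owner, group, DACL flags, then the parenthesised ACEs.
SDDL_RE = re.compile(r"^O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<flags>[^(]*)(?P<aces>.*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE tuples."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("expected an SDDL string of the form O:..G:..D:..")
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}

def diff_sddl(on_disk, expected):
    """Return (field, on_disk_value, expected_value) for every difference."""
    a, e = parse_sddl(on_disk), parse_sddl(expected)
    diffs = [(f, a[f], e[f]) for f in ("owner", "group", "dacl_flags") if a[f] != e[f]]
    diffs += [("extra_ace", ace, None) for ace in a["aces"] if ace not in e["aces"]]
    diffs += [("missing_ace", None, ace) for ace in e["aces"] if ace not in a["aces"]]
    return diffs

def describe(sid):
    """Expand an alias from the table; anything else is shown as-is."""
    return "%s (%s)" % (sid, ALIASES.get(sid, "SID or alias not in table"))

# DACL shared by both strings, copied from the error text.
DACL = ("D:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
ON_DISK = "O:LAG:DA" + DACL    # ACL found on the GPO directory
EXPECTED = "O:DAG:DA" + DACL   # value expected from the GPO object

if __name__ == "__main__":
    for field, got, want in diff_sddl(ON_DISK, EXPECTED):  # → [('owner', 'LA', 'DA')]
        if field in ("owner", "group"):
            got, want = describe(got), describe(want)
        print("%s: on disk %s, expected %s" % (field, got, want))
```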

Marc,

It's important for Mourik, because he wants to know why he has this error in his event logs. (I want to know also.) (learning mode)

Mourik Jan, reboot the computer and login again, do you still see the error message, just to check if this wasn't an old message.
And/or, maybe this pc logged in at a time the file/policy was changed.
And all your sysvols are synced?

Gr.
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mourik jan c
> heupink
> Sent: Tuesday 6 October 2015 17:42
> To: samba
> Subject: [Samba] gpo failure
>
> Hi all,
>
> There has been some discussion on GPO's lately, and I find myself having
> a problem too. This error is logged on one of our win7 workstations:
>
> EventData
> SupportInfo1 2
> SupportInfo2 1232
> ProcessingMode 1
> ProcessingTimeInMilliseconds 1638
> ErrorCode 5
> ErrorDescription Access is denied.
> DCName \\dc4.samba.company.com
> GPOCNName
> LDAP://CN=User,CN={12B62F356-336D-14D5-896F-
> 00C04FB984F9},CN=Policies,CN=System,DC=samba,DC=company,DC=com
>
> FilePath
> \\samba.company.com\sysvol\samba.company.com\Policies\{12B62F356-336D-
> 14D5-896F-00C04FB984F9}\User\registry.pol
>
>
> Taking a look at the DC's, I see that the directories exist, but the
> file "registry.pol" does NOT exist on any of our 3 DCs.
>
> So does this mean this GPO is a corrupt one..? Looking it up in the
> windows Group Policy Management, it seems the policy in question is the
> Default Domain Policy.
>
> Any ideas..?

Hi Louis, Marc, list,

Quick update:

On 7-10-2015 12:25, L.P.H. van Belle wrote:
> Marc,
>
> It's important for Mourik, because he wants to know why he has this error in his event logs. (I want to know also.) (learning mode)
>
> Mourik Jan, reboot the computer and login again, do you still see the error message, just to check if this wasn't an old message.
> And/or, maybe this pc logged in at a time the file/policy was changed.
> And all your sysvols are synced?

I have found a problem:

As a regular user, I CAN open the UNCs

> \\dc2.samba.company.com\SysVol\samba.company.com\Policies\{12AEE8C7-1711-4B26-B5AB-DC7BF1CC2143}
> \\dc4.samba.company.com\SysVol\samba.company.com\Policies\{12AEE8C7-1711-4B26-B5AB-DC7BF1CC2143}

But I can NOT open the UNC

> \\dc3.samba.company.com\SysVol\samba.company.com\Policies\{12AEE8C7-1711-4B26-B5AB-DC7BF1CC2143}

So my dc3 seems unsynced or so.

So I am now checking to make sure that my rsync replication script works as it should. (I'm guessing it does NOT)