Hello,

I use Samba 4.3.3 and Rowland, it doesn't matter if I build it myself or install the SerNet packages ;-)
Every time I create a new GPO or change something in an existing GPO, the test with "samba-tool ntacl sysvolcheck" fails with the following error:
----------------
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
----------------
Running "samba-tool gpo aclcheck" exits with the following error:
----------------
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]
----------------

Running "samba-tool ntacl sysvolcheck" fixes all the problems.

I manage the GPOs with RSAT on a Windows 10 machine. I have two DCs replicated with rsync.
Here are the smb.conf files:
----dc1------
# Global parameters
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.NET
        comment = Samba 4.3.2
        netbios name = SAMBABUCH
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        interfaces = 192.168.56.11
        bind interfaces only = yes

[netlogon]
        path = /var/lib/samba/sysvol/example.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
-------------

-----dc2-----
# Global parameters
[global]
        workgroup = EXAMPLE
        realm = example.net
        netbios name = SAMBABUCH-DC2
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        interfaces = 192.168.56.21
        bind interfaces only = yes

[netlogon]
        path = /var/lib/samba/sysvol/example.net/scripts
        read only = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = yes
-------------
This is the replication command:
-------------
rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl@sambabuch/sysvol/ /var/lib/samba/sysvol/
-------------
I can reproduce this on any installation on any distribution.

So is it a bug?

Stefan

Hai Stefan,

If you look from within windows, are your sysvol rights ok?
If so, just ignore this message.
I think there is nothing wrong with your sysvol rights, old bug imo.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
> Sent: Monday 28 December 2015 10:56
> To: samba at lists.samba.org
> Subject: [Samba] Wrong ACL on GPO

On 28/12/15 10:07, L.P.H. van Belle wrote:
> Hai Stefan,
>
> If you look from within windows, are your sysvol rights ok?
> If so, just ignore this message.
> I think there is nothing wrong with your sysvol rights, old bug imo.
>
> Greetz,
>
> Louis

As Louis says, this is nothing to worry about. The error message tells you that the policy ACL doesn't match what is expected, but if you examine what the difference is, you will find this: O:DAG:DAD:PAI against the expected O:DAG:DAD:PAR; everything else is the same.

If we break this down we get the owner O:DA (Domain Admins), group G:DA (Domain Admins) and the DACLs D:PAI & D:PAR. We can break these down further:

D = DACL
P = Protected against inheriting
AI = Automatically propagate the ACL to child objects (assuming P not set deeper)
AR = same as AR but checks if the file system supports automatic propagation of inheritable ACEs (e.g. NT4)

So, as you can see, AR is expected, but you have got AI instead and I don't think it really matters.

Rowland

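Added example (not part of the original thread and not Samba's own code): a small Python parser that splits the two SDDL strings from the error message into owner, group, DACL control flags and ACEs, and reports which fields differ. The function names are hypothetical; the flag names in DACL_FLAGS are the standard Windows security-descriptor control bits.

```python
import re
from dataclasses import dataclass

# SDDL strings from the error message in this thread (mail line wraps rejoined).
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)"
        "(A;OICI;0x001200a9;;;DU)")
FS_ACL = "O:DAG:DAD:PAI" + ACES    # what sysvolcheck read for the GPO directory
GPO_ACL = "O:DAG:DAD:PAR" + ACES   # what it expected from the GPO object

# DACL flag tokens and the security-descriptor control bits they stand for.
DACL_FLAGS = {"P": "SE_DACL_PROTECTED",
              "AR": "SE_DACL_AUTO_INHERIT_REQ",
              "AI": "SE_DACL_AUTO_INHERITED"}

# One component: tag letter, ':', value (SID or flags), then zero or more ACEs.
COMPONENT = re.compile(r"([OGDS]):([^()]*?)((?:\([^)]*\))*)(?=[OGDS]:|$)")

@dataclass
class Descriptor:
    owner: str = ""
    group: str = ""
    dacl_flags: frozenset = frozenset()
    dacl_aces: tuple = ()

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and DACL ACEs."""
    sd = Descriptor()
    for tag, value, aces in COMPONENT.findall(sddl):
        if tag == "O":
            sd.owner = value
        elif tag == "G":
            sd.group = value
        elif tag == "D":
            sd.dacl_flags = frozenset(re.findall(r"AR|AI|P", value))
            sd.dacl_aces = tuple(re.findall(r"\(([^)]*)\)", aces))
    return sd

def diff_sddl(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    x, y = parse_sddl(a), parse_sddl(b)
    return {f: (getattr(x, f), getattr(y, f))
            for f in ("owner", "group", "dacl_flags", "dacl_aces")
            if getattr(x, f) != getattr(y, f)}

def only_auto_inherit_flags_differ(a, b):
    """True when the sole difference is the AI/AR token in the DACL flags."""
    d = diff_sddl(a, b)
    if set(d) != {"dacl_flags"}:
        return False
    got, want = d["dacl_flags"]
    return (got ^ want) <= {"AI", "AR"}

if __name__ == "__main__":
    print(diff_sddl(FS_ACL, GPO_ACL), only_auto_inherit_flags_differ(FS_ACL, GPO_ACL))
```

A difference in owner, group or any ACE makes only_auto_inherit_flags_differ return False, which is the case that deserves a closer look at the sysvol permissions.
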
On 28.12.2015 at 11:07, L.P.H. van Belle wrote:
> Hai Stefan,
>
> If you look from within windows, are your sysvol rights ok?

Yes, I checked it and everything is OK here.

> If so, just ignore this message. I think there is nothing
> wrong with your sysvol rights, old bug imo.

I didn't see this before. Might be a combination of Windows 10 and Samba.

Stefan