On 28/12/15 10:07, L.P.H. van Belle wrote:
> Hi Stefan,
>
> If you look from within Windows, are your sysvol rights ok?
> If so, just ignore these messages.
> I think there is nothing wrong with your sysvol rights, old bug imo.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
>> Sent: Monday, 28 December 2015 10:56
>> To: samba at lists.samba.org
>> Subject: [Samba] Wrong ACL on GPO
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hello,
>>
>> I use Samba 4.3.3, and Rowland, it doesn't matter if I build it myself
>> or install the SerNet packages ;-)
>> Every time I create a new GPO or change something in an existing GPO,
>> the test with "samba-tool ntacl sysvolcheck" fails with the following
>> error:
>> ----------------
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
>> - ProvisioningError: DB ACL on GPO directory
>> /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568}
>> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
>> does not match expected value
>> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
>> from GPO object
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>>     lp)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>>     direct_db_access)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>>     domainsid, direct_db_access)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>> ----------------
>> Running "samba-tool gpo aclcheck" exits with the following error:
>> ----------------
>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>> ----------------
>>
>> Running "samba-tool ntacl sysvolcheck" fixes all the problems.
>>
>> I manage the GPOs with RSAT on a Windows 10 machine. I have two DCs
>> replicated with rsync. Here are the smb.conf:
>> ----dc1------
>> # Global parameters
>> [global]
>>         workgroup = EXAMPLE
>>         realm = EXAMPLE.NET
>>         comment = Samba 4.3.2
>>         netbios name = SAMBABUCH
>>         server role = active directory domain controller
>>         dns forwarder = 8.8.8.8
>>         interfaces = 192.168.56.11
>>         bind interfaces only = yes
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.net/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>> -------------
>>
>> -----dc2-----
>> # Global parameters
>> [global]
>>         workgroup = EXAMPLE
>>         realm = example.net
>>         netbios name = SAMBABUCH-DC2
>>         server role = active directory domain controller
>>         dns forwarder = 8.8.8.8
>>         interfaces = 192.168.56.21
>>         bind interfaces only = yes
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.net/scripts
>>         read only = yes
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = yes
>> -------------
>> This is the replication command:
>> -------------
>> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl at sambabuch/sysvol/ /var/lib/samba/sysvol/
>> -------------
>> I can reproduce this on any installation on any distribution.
>>
>> So is it a bug?
>>
>> Stefan
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.22 (GNU/Linux)
>>
>> iEYEARECAAYFAlaBB0wACgkQ2JOGcNAHDTbxPgCgmaL0gHn1ZJmBnre2LPQRC26t
>> S9oAn0bOKhDXp35r6bu2d9AX43uyAose
>> =gdCy
>> -----END PGP SIGNATURE-----
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>

As Louis says, this is nothing to worry about. The error message tells
you that the policy ACL doesn't match what is expected, but if you
examine what the difference is, you will find this: O:DAG:DAD:PAI
against the expected O:DAG:DAD:PAR; everything else is the same. If we
break this down we get the owner O:DA (Domain Admins), group G:DA
(Domain Admins) and the DACLs D:PAI & D:PAR, which we can break down
further:

D = DACL
P = Protected against inheriting
AI = Automatically propagate the ACL to child objects (assuming P not
set deeper),
AR = same as AI but checks if the file system supports automatic
propagation of inheritable ACEs (eg. NT4)

So, as you can see, AR is expected, but you have got AI instead and I
don't think it really matters.

Rowland
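Rowland's breakdown above can be checked mechanically. The following is an added example for this thread, not code from Samba or from any of the posters: a small parser for string SDDL that splits owner, group, DACL control flags and ACEs, names the access masks, and diffs the two descriptors from the error message. ACTUAL and EXPECTED are those two strings with the mail's line wrapping undone; the alias, control-flag and access-mask tables are the standard SDDL and file-rights values (the flag names are the MS-DTYP ones for the SDDL letters). It handles only what these descriptors use: two-letter aliases or string SIDs, hex access masks, and no SACL.

```python
"""Split the two SDDL strings from the sysvolcheck error and report what differs.

Added example for this thread, not Samba code.  ACTUAL/EXPECTED are the
descriptors from the error with the mail's line wrapping undone; the alias,
control-flag and access-mask tables are standard SDDL / file-rights values.
Handles what these descriptors use: aliases or string SIDs, hex masks, no SACL.
"""
import re

ACTUAL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)")

SID_ALIAS = {"DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "CREATOR OWNER",
             "SY": "SYSTEM", "ED": "Enterprise Domain Controllers", "DU": "Domain Users"}
DACL_FLAGS = {  # control flags between "D:" and the first ACE
    "P": "SE_DACL_PROTECTED (do not inherit ACEs from the parent)",
    "AI": "SE_DACL_AUTO_INHERITED (DACL already carries propagated ACEs)",
    "AR": "SE_DACL_AUTO_INHERIT_REQ (ask the system to propagate ACEs to children)"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
FILE_RIGHTS = [  # file access-mask bits, low to high
    (0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
    (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
    (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
    (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]
FILE_ALL_ACCESS, FILE_GENERIC_READ, FILE_GENERIC_EXECUTE = 0x1F01FF, 0x120089, 0x1200A0


def split_flags(run, table):
    """Split a run of SDDL flag letters ("PAI", "OICIIO") into known tokens."""
    tokens, i = [], 0
    longest_first = sorted(table, key=len, reverse=True)   # try "AI"/"AR" before "P"
    while i < len(run):
        tok = next((t for t in longest_first if run.startswith(t, i)), None)
        if tok is None:
            raise ValueError("unknown flag in %r at offset %d" % (run, i))
        tokens.append(tok)
        i += len(tok)
    return tokens


def parse_ace(body):
    """Parse one 'type;flags;rights;object;inherit_object;sid' ACE body."""
    ace_type, flags, rights, obj, inh_obj, sid = body.split(";")
    return {"type": ace_type, "flags": split_flags(flags, ACE_FLAGS),
            "rights": int(rights, 16), "object": obj, "inherit_object": inh_obj,
            "sid": sid}


def parse_sddl(sddl):
    """Return owner, group, DACL control flags and ACE list of a string SDDL."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    owner, group, ctrl, aces = m.groups()
    return {"owner": owner, "group": group, "dacl_flags": split_flags(ctrl, DACL_FLAGS),
            "aces": [parse_ace(a) for a in re.findall(r"\(([^()]*)\)", aces)]}


def describe_rights(mask):
    """Name a file access mask: a well-known combination, else its bits."""
    if mask == FILE_ALL_ACCESS:
        return "FILE_ALL_ACCESS"
    if mask == FILE_GENERIC_READ | FILE_GENERIC_EXECUTE:
        return "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
    names = [name for bit, name in FILE_RIGHTS if mask & bit]
    unknown = mask & ~sum(bit for bit, _ in FILE_RIGHTS)
    return "|".join(names + (["0x%x" % unknown] if unknown else [])) or "0"


def diff_sddl(actual, expected):
    """(field, actual, expected) for every top-level field that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return [(k, a[k], e[k]) for k in ("owner", "group", "dacl_flags", "aces") if a[k] != e[k]]


def explain(sddl):
    """Human-readable dump: owner/group, control flags, one line per ACE."""
    d = parse_sddl(sddl)
    lines = ["owner=%s group=%s" % (SID_ALIAS.get(d["owner"], d["owner"]),
                                     SID_ALIAS.get(d["group"], d["group"]))]
    lines += ["DACL control: " + DACL_FLAGS[f] for f in d["dacl_flags"]]
    for ace in d["aces"]:
        lines.append("  %s %-8s %-38s %s" % (
            "allow" if ace["type"] == "A" else "deny ", ",".join(ace["flags"]) or "-",
            describe_rights(ace["rights"]), SID_ALIAS.get(ace["sid"], ace["sid"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(ACTUAL))
    for field, got, want in diff_sddl(ACTUAL, EXPECTED):
        print("differs in %s: filesystem has %s, GPO object expects %s" % (field, got, want))
```

Run as a script it prints the decoded ACTUAL descriptor (Domain Admins owner and group, seven allow ACEs: full control for DA, EA, CREATOR OWNER and SYSTEM, read and execute for Enterprise Domain Controllers and Domain Users) and a single difference line for the dacl_flags field, P+AI on disk against P+AR on the GPO object, which is exactly what Rowland reads off the two strings by eye.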
Hi,

to chime in here, I had the same problem! I added the `samba-tool ntacl
sysvolcheck` to my rsync script which fixed all issues for me.

Not sure if you got problems with the GPO besides the check, mine failed
and the computers didn't have access to them.

Thomas

On 28 Dec 2015, at 12:22, Rowland penny wrote:
> [...]
>
> So, as you can see, AR is expected, but you have got AI instead and I
> don't think it really matters.
>
> Rowland
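The "fix it after every rsync" step Thomas describes, written out as an added example (not his script and not Samba code). In samba-tool, `ntacl sysvolcheck` only reports mismatches; `ntacl sysvolreset` is the subcommand that rewrites the sysvol ACLs, so the wrapper runs rsync, then sysvolreset, then sysvolcheck as the gate, and stops at the first failure. It reuses the rsync command from Stefan's post (the archive renders the `@` in the rsync URL as " at "; `@` is assumed here) and assumes rsync and samba-tool are on PATH and that it runs as root on the receiving DC. The `runner` argument and the constructed sample sysvolcheck output exist so the control flow can be exercised without the real tools.

```python
"""rsync sysvol from the first DC, then reset and verify the NT ACLs.

Added example; not Samba code and not the scripts mentioned in the thread.
Assumptions: runs as root on the receiving DC, rsync and samba-tool are on
PATH, and the rsync daemon and password file are the ones from Stefan's post
(the list archive prints the '@' in the URL as ' at ').  `runner` is
injectable so the control flow can be exercised without the real tools.
"""
import re
import subprocess
import sys

SYSVOL = "/var/lib/samba/sysvol/"
RSYNC_CMD = ["rsync", "-XAavz", "--delete-after",
             "--password-file=/etc/samba/rsync.pass",
             "rsync://sysvol-repl@sambabuch/sysvol/", SYSVOL]
RESET_CMD = ["samba-tool", "ntacl", "sysvolreset"]   # rewrites the ACLs
CHECK_CMD = ["samba-tool", "ntacl", "sysvolcheck"]   # only reports mismatches

# One mismatch line as sysvolcheck prints it (constructed from the message in
# this thread; the ACE lists are shortened to one ACE each).
SAMPLE_CHECK_OUTPUT = (
    "ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - "
    "ProvisioningError: DB ACL on GPO directory "
    "/var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568} "
    "O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA) does not match expected value "
    "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA) from GPO object\n"
)
_MISMATCH = re.compile(r"ACL on GPO directory (\S+) (\S+) does not match "
                       r"expected value (\S+) from GPO object")


def run_real(cmd):
    """Run one command; return (exit status, combined stdout+stderr)."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, universal_newlines=True)
    return proc.returncode, proc.stdout


def parse_mismatches(check_output):
    """Extract (path, filesystem SDDL, expected SDDL) from sysvolcheck output."""
    return [{"path": p, "actual": a, "expected": e}
            for p, a, e in _MISMATCH.findall(check_output)]


def replicate_sysvol(runner=run_real):
    """rsync -> sysvolreset -> sysvolcheck, stopping at the first failure.

    Returns (ok, steps, mismatches).  sysvolreset runs only after a clean
    rsync, so a partially copied tree is never re-stamped with fresh ACLs;
    sysvolcheck is the gate: a non-zero exit or any parsed mismatch fails
    the run and the offending GPO paths are returned for the operator.
    """
    steps, mismatches = [], []
    for name, cmd in (("rsync", RSYNC_CMD), ("sysvolreset", RESET_CMD),
                      ("sysvolcheck", CHECK_CMD)):
        status, output = runner(cmd)
        steps.append((name, status))
        if name == "sysvolcheck":
            mismatches = parse_mismatches(output)
        if status != 0 or mismatches:
            return False, steps, mismatches
    return True, steps, mismatches


def main():
    ok, steps, mismatches = replicate_sysvol()
    for name, status in steps:
        print("%-12s exit %d" % (name, status))
    for m in mismatches:
        print("still wrong after reset: %s" % m["path"])
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Because the exit status reflects the check, the script can replace the bare rsync line in cron or a systemd timer and the job fails visibly when the ACLs on the receiving DC still disagree with the GPO objects after the reset, which is the case in which Thomas saw clients lose access to the policies.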
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28.12.2015 at 12:44, Thomas Rosenstein wrote:
> Hi,
>
> to chime in here, I had the same problem! I added the `samba-tool
> ntacl sysvolcheck` to my rsync script which fixed all issues for
> me.

For me too.

> Not sure if you got problems with the GPO besides the check, mine
> failed and the computers didn't have access to them.

Yes, that's the way I will go.

Stefan

> Thomas
>
> On 28 Dec 2015, at 12:22, Rowland penny wrote:
> [...]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlaBMaMACgkQ2JOGcNAHDTbguwCbBoe8eC2nIZRRnu2DkhGFkJfB
+N4AoM5ON5RaoHvP56BaWPGQ5H6VHBth
=M2oi
-----END PGP SIGNATURE-----