Miguel Medalha
2016-Apr-22 22:50 UTC
[Samba] Samba 4.4.2 "samba-tool ntacl sysvolreset" is not working correctly
Samba 4.4.2

I was doing some maintenance work and I noticed that sysvolcheck gave some error. I ran "samba-tool ntacl sysvolreset". Running sysvolcheck again still gives errors. I tried with several sysvol backups and the result is always the same. The affected policies are always "Default Domain Policy" and "Default Domain Controllers Policy". These policies were originally created under Samba 4.2.x. I noticed that some relevant Python scripts have been modified since then.

The persistent error is this one (I separated the lines for easier reading):

ProvisioningError: DB ACL on GPO directory (...)

O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;AU)

does not match expected value

O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;AU)

from GPO object

The difference between the two is at the beginning of the lines:

"O:LAG:" versus "O:DAG:"

sysvolreset is unable to solve this mismatch.

Does anyone have any idea on how to solve this? Thank you.
Miguel Medalha
2016-Apr-22 23:30 UTC
[Samba] Samba 4.4.2 "samba-tool ntacl sysvolreset" is not working correctly
> (...) The affected policies are always "Default Domain Policy" and
> "Default Domain Controllers Policy".

The order of events is the following:

- Restore sysvol from backup
- Run sysvolcheck. The only policy giving error is "Default Domain Controllers Policy"
- Run sysvolreset
- Run sysvolcheck again. The only policy giving error is "Default Domain Policy". The first one does not give error anymore.

This is consistent, always happening as described.
Rowland Penny
2016-Apr-23 07:23 UTC
[Samba] Samba 4.4.2 "samba-tool ntacl sysvolreset" is not working correctly
On 22/04/16 23:50, Miguel Medalha wrote:
> Samba 4.4.2
>
> I was doing some maintenance work and I noticed that sysvolcheck gave
> some error. I ran "samba-tool ntacl sysvolreset". Running sysvolcheck
> again still gives errors. I tried with several sysvol backups and the
> result is always the same. The affected policies are always "Default
> Domain Policy" and "Default Domain Controllers Policy". These policies
> were originally created under Samba 4.2.x. I noticed that some
> relevant Python scripts have been modified since then.
>
> The persistent error is this one (I separated the lines for easier
> reading):
>
> ProvisioningError: DB ACL on GPO directory (...)
>
> O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;AU)
>
> does not match expected value
>
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;AU)
>
> from GPO object
>
> The difference between the two is at the beginning of the lines:
>
> "O:LAG:" versus "O:DAG:"
>
> sysvolreset is unable to solve this mismatch.
>
> Does anyone have any idea on how to solve this? Thank you.
>

It is actually 'O:LA' versus 'O:DA'

'O' is 'owner'
'LA' is 'Local Admins'
'DA' is 'Domain Admins'

You can ignore this, it should still work.

Rowland
Miguel Medalha
2016-Apr-29 20:21 UTC
[Samba] Samba 4.4.2 "samba-tool ntacl sysvolreset" is not working correctly
I don't really know the relevance of this, but I found the following typos on three source files related to sysvol.

./examples/misc/adssearch.pl:357:"Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9",
./libgpo/gpo_util.c:46: "6AC1786C-016F-11D2-945F-00C04fB984F9" },
./python/samba/provision/__init__.py:123:DEFAULT_DC_POLICY_GUID = "6AC1786C-016F-11D2-945F-00C04fB984F9"

Note the lowercase "f" in the last numeric group in those three lines. Policy IDs normally have uppercase characters.