On 21/07/16 22:18, Trenta sis wrote:
> I'm not sure what you are detailing, is a bug in progress that can cause
> these random problems with some gpos or this error can be ignored?
>
> 2016-07-21 20:37 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:
>
>> Hi,
>>
>> First of all thanks for your answer, it seems that this can help, now some
>> changes made to gpo are applied and we are not receiving error in event
>> viewer, but seems that some changes are not applied, why and where I can find
>> some information, in samba log and event viewer any error is reported
>>
>> Also I have tried
>>
>> # samba-tool ntacl sysvolreset
>>
>> After this tried
>> # samba-tool ntacl sysvolcheck
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
>>     lp)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1732, in checksysvolacl
>>     direct_db_access)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1683, in check_gpos_acl
>>     domainsid, direct_db_access)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1630, in check_dir_acl
>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>
>> Tried with new domain (not migrated) and then works, where is the problem?
>>
>> 2016-07-21 18:51 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>
>>> Hello,
>>>
>>> On 21.07.2016 at 17:18, Trenta sis wrote:
>>>> I have migrated samba 3 domain to samba, and I have found that when you try
>>>> to use gpo these are not applied, we receive in Windows event log errors with
>>>> permissions in sysvol, I have checked paths to sysvol gpos and are correct.
>>>> Also I have tried with a new fresh domain (not migrated) and with this new
>>>> install works GPO
>>>>
>>>> How can I debug these problems and find a solution?
>>>
>>> Have you tried
>>>
>>> https://wiki.samba.org/index.php/FAQ#Incompatible_permissions_of_GPO_objects_and_SysVol_share
>>>
>>> Regards,
>>> Marc

The ACLs that Samba sets on the sysvol directory are wrong, I was going to look into this, but asked on samba-technical first. I was informed, by Stefan Metzmacher, that he had looked into this some time ago, but pressure of work had stopped him completing the work.

I have tested his patches, made a few very minor changes and they work, until you add another GPO, this is when it goes wrong. It checks the ACLs on the files in the GPO, then reports they are wrong, I am looking into this now.

Rowland
lingpanda101 at gmail.com
2016-Jul-22 12:10 UTC
[Samba] gpo not working with samba 4 migrated
On 7/22/2016 3:37 AM, Rowland penny wrote:
> The ACLs that Samba sets on the sysvol directory are wrong, I was
> going to look into this, but asked on samba-technical first. I was
> informed, by Stefan Metzmacher, that he had looked into this some time
> ago, but pressure of work had stopped him completing the work.
> I have tested his patches, made a few very minor changes and they
> work, until you add another GPO, this is when it goes wrong. It checks
> the ACLs on the files in the GPO, then reports they are wrong, I am
> looking into this now.
>
> Rowland

Rowland,

My testing shows if you assign a GID to 'Domain Admins', sysvolreset and check will fail. Will this be addressed possibly by the patches?

--
-James
On 22/07/16 13:10, lingpanda101 at gmail.com wrote:
> Rowland,
>
> My testing shows if you assign a GID to 'Domain Admins', sysvolreset
> and check will fail. Will this be addressed possibly by the patches?

Didn't know this, will look into it and if required, try to fix it.

Rowland
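
The `samba-tool ntacl sysvolcheck` error quoted in this thread compares two long SDDL strings that differ only in the owner field. The following is an added example, not part of the original thread or of Samba's code: it parses both strings from the error and reports where they differ. The `ALIASES` table and the function names are this example's own, and the parser handles only owner, group and DACL (no SACL).

```python
import re
from collections import Counter

# SDDL aliases that occur in the sysvolcheck error quoted in the thread.
ALIASES = {"LA": "Administrator account, RID 500", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

# Both strings are copied from the error message; they share the same DACL.
DACL = ("D:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
FS_SDDL = "O:LAG:DA" + DACL    # ACL found on the GPO directory
GPO_SDDL = "O:DAG:DA" + DACL   # ACL expected from the GPO object

SID = r"S-[0-9-]+|[A-Z]{2}"    # raw SID or two-letter alias
SDDL_RE = re.compile(rf"^(?:O:(?P<owner>{SID}))?(?:G:(?P<group>{SID}))?"
                     rf"(?:D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*))?$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m["aces"] or "")]
    return {"owner": m["owner"], "group": m["group"],
            "flags": m["flags"] or "", "aces": aces}

def name(sid):
    return "%s (%s)" % (sid, ALIASES.get(sid, "unknown alias or raw SID"))

def diff_sddl(actual, expected):
    """Return human-readable differences between two SDDL strings."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            out.append("%s: found %s, expected %s" % (field, name(a[field]), name(e[field])))
    if a["flags"] != e["flags"]:
        out.append("DACL flags: found %r, expected %r" % (a["flags"], e["flags"]))
    # Counters keep duplicate ACEs (the DA full-control ACE appears twice here).
    ca, ce = Counter(a["aces"]), Counter(e["aces"])
    out += ["unexpected ACE: (%s)" % ";".join(x) for x in (ca - ce).elements()]
    out += ["missing ACE: (%s)" % ";".join(x) for x in (ce - ca).elements()]
    return out

if __name__ == "__main__":
    for line in diff_sddl(FS_SDDL, GPO_SDDL):
        print(line)
```
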