Dear, 
I'm having trouble handling GPOs on my DC.
Environment: 
Samba 4.4.5, primary and secondary DC. 
I am not allowed to edit the GPOs.
The problem occurred after I edited the Default GPO on the primary DC and then
ran rsync to synchronize between the DCs.
The following errors arise when I run the commands:
Note: I hid the actual domain name.
# samba-tool gpo aclcheck -U Administrator 
GENSEC backend 'gssapi_spnego' registered 
GENSEC backend 'gssapi_krb5' registered 
GENSEC backend 'gssapi_krb5_sasl' registered 
GENSEC backend 'spnego' registered 
GENSEC backend 'schannel' registered 
GENSEC backend 'naclrpc_as_system' registered 
GENSEC backend 'sasl-EXTERNAL' registered 
GENSEC backend 'ntlmssp' registered 
GENSEC backend 'ntlmssp_resume_ccache' registered 
GENSEC backend 'http_basic' registered 
GENSEC backend 'http_ntlm' registered 
GENSEC backend 'krb5' registered 
GENSEC backend 'fake_gssapi_krb5' registered 
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.DOMAIN.LOCAL<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.DOMAIN.LOCAL<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
srv14.domain.local<0x20>
Password for [DOMAIN\Administrator]: 
resolve_lmhosts: Attempting lmhosts lookup for name
srv14.domain.local<0x20>
ERROR: Invalid GPO ACL
O:BAG:SYD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001200a9;;;AU)(A;OICI;;;;WD)(A;;0x001f01ff;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)
on path (domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}), should
be
O:DAG:DAD:PAI(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;DA)(A;OICI;0x001e01bf;;;EA)(A;OICIIO;0x001f01ff;;;EA)(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
# samba-tool ntacl sysvolcheck -U Administrator 
lp_load_ex: refreshing parameters 
Initialising global parameters 
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) 
Processing section "[global]" 
Processing section "[netlogon]" 
Processing section "[sysvol]" 
ldb_wrap open of idmap.ldb 
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception - ProvisioningError: DB ACL on sysvol directory
/usr/local/samba/var/locks/sysvol/domain.local
O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD)
does not match expected value
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
from provision
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs) 
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line 270, in run
lp) 
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1728, in checksysvolacl
raise ProvisioningError('%s ACL on sysvol directory %s %s does not match
expected value %s from provision' % (acl_type(direct_db_access), dir_path,
fsacl_sddl, SYSVOL_ACL))
# samba-tool ntacl sysvolreset -U administrator 
lp_load_ex: refreshing parameters 
Initialising global parameters 
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) 
Processing section "[global]" 
Processing section "[netlogon]" 
Processing section "[sysvol]" 
ldb_wrap open of idmap.ldb 
lp_load_ex: refreshing parameters 
Processing section "[global]" 
Processing section "[netlogon]" 
Processing section "[sysvol]" 
Initialising default vfs hooks 
Initialising custom vfs hooks from [/[Default VFS]/] 
Initialising custom vfs hooks from [full_audit] 
Module 'full_audit' loaded 
Segmentation fault (core of the recorded image)
# getfacl /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/domain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000000 
# group: 3000025 
user::rwx 
user:3000012:r-x 
user:3000025:rwx 
user:3000026:r-x 
group::rwx 
group:3000000:rwx 
group:3000012:r-x 
group:3000025:rwx 
group:3000026:r-x 
mask::rwx 
other::--- 
default:user::rwx 
default:user:3000000:rwx 
default:user:3000012:r-x 
default:user:3000025:rwx 
default:user:3000026:r-x 
default:group::--- 
default:group:3000000:rwx 
default:group:3000012:r-x 
default:group:3000025:rwx 
default:group:3000026:r-x 
default:mask::rwx 
default:other::--- 
# ls -al /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
total 28 
drwxrwx---+  4 3000000 3000025   45 Ago  2 11:15 . 
drwxrwx---+ 15 3000000 3000025 4096 Ago  2 11:15 .. 
-rwxrwx---+  1 3000000 3000025   27 Set 30 16:03 GPT.INI 
drwxrwx---+  5 3000000 3000025   74 Ago  2 11:15 MACHINE 
drwxrwx---+  5 3000000 3000025  104 Ago  2 11:15 USER 
The GPO {31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy.
Does anyone know how to solve this problem?
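
The two SDDL strings printed by `samba-tool gpo aclcheck` above are hard to compare by eye. The following is an added example, not part of the original post and not Samba's own code, that splits both descriptors into owner, group, DACL flags and ACEs and reports the differences; the helper names `parse_sddl` and `diff_sddl` are hypothetical.

```python
import re
from collections import Counter, namedtuple

# Both strings are copied from the `samba-tool gpo aclcheck` output in the post.
ACTUAL = ("O:BAG:SYD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;;;;WD)(A;;0x001f01ff;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)")
EXPECTED = ("O:DAG:DAD:PAI(A;OICI;0x001e01bf;;;DA)(A;OICIIO;0x001f01ff;;;DA)"
            "(A;OICI;0x001e01bf;;;EA)(A;OICIIO;0x001f01ff;;;EA)(A;OICI;0x001e01bf;;;DA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

# ACE fields in SDDL order: type;flags;rights;object_guid;inherit_object_guid;trustee
Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid trustee")
SDDL_RE = re.compile(r"O:(.*?)G:(.*?)D:([A-Z]*)((?:\([^)]*\))*)")

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, [Ace, ...]); any SACL part is ignored."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: security descriptor: %r" % sddl)
    owner, group, flags, ace_blob = m.groups()
    aces = [Ace(*a.split(";")) for a in re.findall(r"\(([^)]*)\)", ace_blob)]
    return owner, group, flags, aces

def diff_sddl(actual, expected):
    """Summarise how the on-disk descriptor differs from the expected one."""
    a_owner, a_group, a_flags, a_aces = parse_sddl(actual)
    e_owner, e_group, e_flags, e_aces = parse_sddl(expected)
    counts = Counter(a_aces)
    return {
        "owner": (a_owner, e_owner),          # (actual, expected)
        "group": (a_group, e_group),
        "dacl_flags": (a_flags, e_flags),
        "duplicated": sorted(a for a, n in counts.items() if n > 1),
        "missing": sorted(set(e_aces) - set(a_aces)),
        "unexpected": sorted(set(a_aces) - set(e_aces)),
    }

if __name__ == "__main__":
    for key, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(key, value)
```

For the Default Domain Policy folder above, it reports owner BA instead of DA, group SY instead of DA, DACL flags P instead of PAI, four ACEs that appear twice, and no ACE at all for DA, EA or ED.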