Dear James and Lingpanda
I have 2 DCs running here. Everything was running perfectly.
The problem started after I started using rsync to synchronize the Sysvol
folder between the DCs.
I believe it is a permission problem in the GPOs or the Sysvol folder.
Another detail: even when accessing the gpedit Group Policy Manager via RSAT
as the Administrator user, I can no longer edit any GPO. I get an access
denied error.
When I browse through the GPO folders, I do not get an access denied
error.
Can anyone tell me how to correct this problem?
How do I fix the permissions?
The error output of the commands follows:
# samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception - ProvisioningError: DB ACL on sysvol directory
/usr/local/samba/var/locks/sysvol/domain.local
O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD)
does not match expected value
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
from provision
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
# getfacl /usr/local/samba/var/locks/sysvol/domain.local/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/GPT.INI
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/domain.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
# owner: 3000000
# group: 3000025
user::rwx
user:3000012:r-x
user:3000025:rwx
user:3000026:r-x
group::rwx
group:users:r-x
group:3000000:rwx
group:3000012:r-x
group:3000025:rwx
group:3000026:r-x
mask::rwx
other::---
# getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:3000010:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000010:rwx
default:mask::rwx
default:other::---
>> Segmentation fault (core of the recorded image)
>Did GPO's ever work?
>Can you run 'samba-tool ntacl sysvolcheck' and report the status?
>Even though the file exists physically, the permissions may not be correct.
>--
>-James
>Just waking from my nap but several things:
>A - I believe I read several times it is not advised to use
>".local" as top level domain.
>B - samba-tool should not segfault during sysvolreset
>C - most generally GPO update issues are linked to access rights of user or
>computer accessing the share or the file(s).
>I wouldn't bother for now about the A.
>I would solve the segfault first (B).
>Finally once Samba is working fully again (including sysvolreset I mean) I
>would have a look at rights (issue on rights when accessing GPO folder seems to
>happen mainly when several DCs are involved).
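
Added example, not part of the original message and not Samba's own code: a small Python parser that compares the two SDDL strings from the sysvolcheck error above field by field, so the mismatch can be read as owner, group, DACL flags and per-trustee access masks. The function names are hypothetical; the two strings are copied from the error output, and the SACL part is ignored.

```python
import re

# SDDL strings copied from the sysvolcheck error in the post.
ACTUAL = ("O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)"
          "(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)"
          "(A;ID;0x001e01bf;;;BA)(A;OICIIOID;0x001e01bf;;;BA)"
          "(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)"
          "(A;OICIIOID;0x001e01bf;;;CO)S:AI(AU;OICIIDSA;SD;;;WD)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dflags>[A-Z]*)"
                     r"(?P<daces>(?:\([^)]*\))*)")

def parse_sddl(sddl):
    """Split owner, group, DACL flags and DACL ACEs (the SACL is ignored)."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("daces")):
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")[:6]
        # ACE flags are two-letter codes, e.g. OI, CI, IO, ID (ID = inherited).
        aces.append({"type": ace_type, "flags": set(re.findall("..", flags)),
                     "mask": int(rights, 16), "trustee": trustee})
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("dflags"), "aces": aces}

def trustee_masks(sd):
    """OR together the allow masks granted to each trustee."""
    masks = {}
    for ace in sd["aces"]:
        if ace["type"] == "A":
            masks[ace["trustee"]] = masks.get(ace["trustee"], 0) | ace["mask"]
    return masks

def diff_sddl(actual, expected):
    """Return (actual, expected) pairs and the per-trustee mask differences."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    am, em = trustee_masks(a), trustee_masks(e)
    return {
        "owner": (a["owner"], e["owner"]),
        "group": (a["group"], e["group"]),
        "dacl_flags": (a["dacl_flags"], e["dacl_flags"]),  # P = protected DACL
        "all_actual_inherited": all("ID" in x["flags"] for x in a["aces"]),
        "extra_trustees": sorted(set(am) - set(em)),
        "mask_bits_differing": {t: hex(am[t] ^ em[t])
                                for t in am.keys() & em.keys() if am[t] != em[t]},
    }
```

Calling diff_sddl(ACTUAL, EXPECTED) returns a dictionary; for BA the differing bits 0x10040 are DELETE (0x10000) and FILE_DELETE_CHILD (0x40).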