thr3ads.net - samba - [Samba] Everyone ACL problem [Nov 2016]

If this information is useful, please help other people find it:
Share via:

Kévin GUERINEAU

2016-Nov-26 10:44 UTC

[Samba] Everyone ACL problem

Hello list,

I have problems with my PDC Samba Servers and all file servers.
All DC Server have a compiled Samba 4.4.5. File servers have Samba 
Debian packages.

In all shared folders, the ACL has the group "Everyone" and I
can't
remove it.
The biggest problem concern SYSVOL, I can't modify GPO, I have an error 
in MMC.
I have tried to resolv the problem with the "samba-tool ntacl 
sysvolreset" command but it didn't resolv anything.


#samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: DB ACL on GPO file 
//usr/local/samba/var/locks/sysvol/campuslr.cma17/Policies//{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Groups/Groups.xml
O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
line 270, in run
     lp)
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
line 1732, in checksysvolacl
     direct_db_access)
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
line 1683, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
line 1640, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO file %s %s does not match 
expected value %s from GPO object' % (acl_type(direct_db_access), 
os.path.join(root, name), fsacl_sddl, acl))

# samba-tool dbcheck
Checking 2591 objects
Checked 2591 objects (0 errors)

# samba-tool gpo aclcheck
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No
such element'
   File 
"//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
line
1150, in run
     ds_sd_ndr = m['nTSecurityDescriptor'][0]


I tried to reinstall DC2, but then the problem extended itself to DC2.
I have the same problem on the fileservers.
I don't know where is the problem. Moreover I have a second Samba domain 
without this problem.

Best regards,
Kevin

Rowland Penny

2016-Nov-26 11:08 UTC

head link

[Samba] Everyone ACL problem

On Sat, 26 Nov 2016 11:44:50 +0100
Kévin GUERINEAU via samba <samba at lists.samba.org> wrote:
> Hello list,
> 
> I have problems with my PDC Samba Servers and all file servers.
> All DC Server have a compiled Samba 4.4.5. File servers have Samba 
> Debian packages.
> 
> In all shared folders, the ACL has the group "Everyone" and I
can't
> remove it.
> The biggest problem concern SYSVOL, I can't modify GPO, I have an
> error in MMC.
> I have tried to resolv the problem with the "samba-tool ntacl 
> sysvolreset" command but it didn't resolv anything.
> 
> 
> #samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on GPO file 
>
//usr/local/samba/var/locks/sysvol/campuslr.cma17/Policies//{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Groups/Groups.xml
>
O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
> does not match expected value 
>
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File 
>
"//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File 
>
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 270, in run
>      lp)
>    File 
>
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
> line 1732, in checksysvolacl
>      direct_db_access)
>    File 
>
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
> line 1683, in check_gpos_acl
>      domainsid, direct_db_access)
>    File 
>
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
> line 1640, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO file %s %s does not match 
> expected value %s from GPO object' % (acl_type(direct_db_access), 
> os.path.join(root, name), fsacl_sddl, acl))
> 
> # samba-tool dbcheck
> Checking 2591 objects
> Checked 2591 objects (0 errors)
> 
> # samba-tool gpo aclcheck
> ERROR(<type 'exceptions.KeyError'>): uncaught exception -
'No such
> element' File 
>
"//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File 
>
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
> line 1150, in run
>      ds_sd_ndr = m['nTSecurityDescriptor'][0]
> 
> 
> I tried to reinstall DC2, but then the problem extended itself to DC2.
> I have the same problem on the fileservers.
> I don't know where is the problem. Moreover I have a second Samba
> domain without this problem.
> 
> Best regards,
> Kevin
Have you tried 'samba-tool ntacl sysvolreset'

Rowland

PS Don't refer to your AD DC as a PDC, that is something else
entirely ;-)

Kévin GUERINEAU

2016-Nov-26 11:28 UTC

head link

[Samba] Everyone ACL problem

Yes, I have. But nothing change...

Kevin

Le 26/11/2016 à 12:08, Rowland Penny via samba a écrit :> On Sat, 26 Nov 2016 11:44:50 +0100
> Kévin GUERINEAU via samba <samba at lists.samba.org> wrote:
>
>> Hello list,
>>
>> I have problems with my PDC Samba Servers and all file servers.
>> All DC Server have a compiled Samba 4.4.5. File servers have Samba
>> Debian packages.
>>
>> In all shared folders, the ACL has the group "Everyone" and I
can't
>> remove it.
>> The biggest problem concern SYSVOL, I can't modify GPO, I have an
>> error in MMC.
>> I have tried to resolv the problem with the "samba-tool ntacl
>> sysvolreset" command but it didn't resolv anything.
>>
>>
>> #samba-tool ntacl sysvolcheck
>> ERROR(<class 'samba.provision.ProvisioningError'>):
uncaught
>> exception - ProvisioningError: DB ACL on GPO file
>>
//usr/local/samba/var/locks/sysvol/campuslr.cma17/Policies//{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Groups/Groups.xml
>>
O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
>> does not match expected value
>>
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>> from GPO object
>>     File
>>
"//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
>> line 175, in _run
>>       return self.run(*args, **kwargs)
>>     File
>>
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 270, in run
>>       lp)
>>     File
>>
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
>> line 1732, in checksysvolacl
>>       direct_db_access)
>>     File
>>
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
>> line 1683, in check_gpos_acl
>>       domainsid, direct_db_access)
>>     File
>>
"//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
>> line 1640, in check_dir_acl
>>       raise ProvisioningError('%s ACL on GPO file %s %s does not
match
>> expected value %s from GPO object' % (acl_type(direct_db_access),
>> os.path.join(root, name), fsacl_sddl, acl))
>>
>> # samba-tool dbcheck
>> Checking 2591 objects
>> Checked 2591 objects (0 errors)
>>
>> # samba-tool gpo aclcheck
>> ERROR(<type 'exceptions.KeyError'>): uncaught exception -
'No such
>> element' File
>>
"//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
>> line 175, in _run
>>       return self.run(*args, **kwargs)
>>     File
>>
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
>> line 1150, in run
>>       ds_sd_ndr = m['nTSecurityDescriptor'][0]
>>
>>
>> I tried to reinstall DC2, but then the problem extended itself to DC2.
>> I have the same problem on the fileservers.
>> I don't know where is the problem. Moreover I have a second Samba
>> domain without this problem.
>>
>> Best regards,
>> Kevin
> Have you tried 'samba-tool ntacl sysvolreset'
>
> Rowland
>
> PS Don't refer to your AD DC as a PDC, that is something else
> entirely ;-)
>

Reasonably Related Threads

Search for more apparently analagous threads

samba - Nov 2016 - Everyone ACL problem

[Samba] Everyone ACL problem

[Samba] Everyone ACL problem

[Samba] Everyone ACL problem

Reasonably Related Threads