Hi guys!
I'm experiencing a problem with Samba 4 policies and ACLs and I don't know
how it started.
Some problems like copying policies, editing them, etc. It seems like
permissions, but I've checked the list and can't find a solution.
Here are some outputs that I hope can help to understand:
# Sysvol permissions:
drwxrwxrwx+ 3 root DOMAIN\domain admins 4096 Mar 7 12:17 sysvol
# samba-tool ntacl sysvolreset -d10
Successfully loaded vfs module [acl_xattr] with the new modules system
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
vfswrap_fs_capabilities: timestamp resolution of sec available on share
(null), directory /
Segmentation fault (core dumped)
# samba-tool ntacl sysvolcheck -d10
dn: DC=domain,DC=local
objectGUID: 18027d7b-530e-4a6e-8109-722430964df7
objectSid: S-1-5-21-1058002876-845724780-2777320708
fSMORoleOwner: CN=NTDS Settings,CN=servername,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
ldb: ldb_trace_response: DONE
error: 0
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on sysvol directory
/usr/local/samba/var/locks/sysvol/domain.local
O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;LA)(A;OICIIOID;0x001f01ff;;;CO)(A;ID;0x00100000;;;BA)(A;OICIIOID;0x00100000;;;CG)(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x00100000;;;WD)(A;OICIID;0x001f01ff;;;BA)
does not match expected value
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
from provision
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
# samba-tool gpo aclcheck -U Administrator
Password for [DOMAIN\Administrator]:
ERROR: Invalid GPO ACL
O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
on path (cbmerj.local\Policies\{F274A070-5B45-4434-BB7C-75AE1D702A6B}),
should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
This last error is happening to all my policies. After each policy I
repair, another one shows up with a problem, and I can't delete all policies
and recreate them to test.
Thanks for your help!
--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
On Tue, 7 Mar 2017 12:23:59 -0300 Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:

> # samba-tool gpo aclcheck -U Administrator
> Password for [DOMAIN\Administrator]:
> ERROR: Invalid GPO ACL
> O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> on path (cbmerj.local\Policies\{F274A070-5B45-4434-BB7C-75AE1D702A6B}),
> should be
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> This last error is happening to all my policies. After each policy I
> repair, another one shows up with a problem and I can't delete all
> policies and recreate them to test.
>
> Thanks for your help!

Welcome to the wonderful world of SYSVOL on a Samba4 AD DC ;-)

Have you set a gidNumber for Domain Admins ?
If so remove it, Domain Admins needs to own files and dirs in sysvol
and if the group has a gidNumber it cannot.

Note:
'O:LA' = owner: Local Administrator
'O:DA' = owner: Domain Admins
'G:DA' = group: Domain Admins

Rowland
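The `aclcheck` and `sysvolcheck` errors quoted in this thread print two SDDL strings and leave the reader to spot the difference. The script below is an added illustration, not code from the thread or from Samba: it parses both descriptors, strips the `ID` (inherited) flag from the observed ACEs so they can be compared with the provision template, and reports exactly which component disagrees. It assumes only the SDDL grammar (`O:` owner, `G:` group, `D:` DACL control flags followed by `(type;flags;rights;;;trustee)` entries) and the two-letter SID aliases from the SDDL specification; the sample descriptors are copied from the thread's output above.

```python
"""Compare an observed SDDL descriptor with the one samba-tool expects.

Added illustration for the thread above, not Samba code. It assumes only
the SDDL grammar O:owner G:group D:flags(ace)(ace)... and the two-letter
SID aliases defined in the SDDL specification.
"""
import re
from dataclasses import dataclass

# SID aliases that occur in the thread's descriptors (names per the SDDL spec).
SID_NAMES = {
    "LA": "Local Administrator", "DA": "Domain Admins", "EA": "Enterprise Admins",
    "BA": "Builtin Administrators", "SY": "Local System", "AU": "Authenticated Users",
    "SO": "Server Operators", "CO": "Creator Owner", "CG": "Creator Group",
    "WD": "Everyone", "ED": "Enterprise Domain Controllers",
}

# Sample descriptors copied from the aclcheck / sysvolcheck output in the thread.
GPO_OBSERVED = "O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
GPO_EXPECTED = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
SYSVOL_OBSERVED = "O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;LA)(A;OICIIOID;0x001f01ff;;;CO)(A;ID;0x00100000;;;BA)(A;OICIIOID;0x00100000;;;CG)(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x00100000;;;WD)(A;OICIID;0x001f01ff;;;BA)"
SYSVOL_EXPECTED = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: str      # inheritance flags, two letters each: OI, CI, IO, ID, ...
    rights: str     # access mask, e.g. 0x001f01ff = full control
    trustee: str    # SID alias or literal SID


@dataclass(frozen=True)
class Descriptor:
    owner: str
    group: str
    dacl_flags: str  # "P" = protected, "AI" = auto-inherited, "PAI" = both
    aces: tuple


def parse_sddl(sddl: str) -> Descriptor:
    """Split the O:/G:/D:/S: components and the DACL into Ace records."""
    parts = {m.group(1): m.group(2)
             for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}
    for key in ("O", "G", "D"):
        if key not in parts:
            raise ValueError(f"missing {key}: component in {sddl!r}")
    dacl = parts["D"]
    flags = dacl[:dacl.index("(")] if "(" in dacl else dacl
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5]))
    return Descriptor(parts["O"], parts["G"], flags, tuple(aces))


def flag_tokens(ace: Ace) -> list:
    return [ace.flags[i:i + 2] for i in range(0, len(ace.flags), 2)]


def strip_inherited(ace: Ace) -> Ace:
    """Drop the ID flag so an inherited ACE can be matched against the template."""
    kept = "".join(t for t in flag_tokens(ace) if t != "ID")
    return Ace(ace.ace_type, kept, ace.rights, ace.trustee)


def compare(observed_sddl: str, expected_sddl: str) -> dict:
    obs, exp = parse_sddl(observed_sddl), parse_sddl(expected_sddl)
    obs_aces = {strip_inherited(a) for a in obs.aces}
    exp_aces = set(exp.aces)
    return {
        "owner": (obs.owner, exp.owner),
        "group": (obs.group, exp.group),
        "dacl_flags": (obs.dacl_flags, exp.dacl_flags),
        "inherited_aces": sum(1 for a in obs.aces if "ID" in flag_tokens(a)),
        "missing_aces": sorted(exp_aces - obs_aces, key=str),
        "extra_aces": sorted(obs_aces - exp_aces, key=str),
    }


def describe(alias: str) -> str:
    return f"{alias} ({SID_NAMES.get(alias, 'literal SID')})"


def ace_to_sddl(ace: Ace) -> str:
    return f"({ace.ace_type};{ace.flags};{ace.rights};;;{ace.trustee})"


def report(observed_sddl: str, expected_sddl: str) -> list:
    """Human-readable lines explaining each difference; empty when they match."""
    r = compare(observed_sddl, expected_sddl)
    lines = []
    for label in ("owner", "group"):
        got, want = r[label]
        if got != want:
            lines.append(f"{label}: is {describe(got)}, should be {describe(want)}")
    got, want = r["dacl_flags"]
    if got != want:
        lines.append(f"DACL control: is {got!r}, should be {want!r} "
                     "(P = protected from parent inheritance, AI = auto-inherited)")
    if r["inherited_aces"]:
        lines.append(f"{r['inherited_aces']} ACE(s) carry ID, i.e. were inherited from the parent")
    lines += [f"missing ACE: {ace_to_sddl(a)}" for a in r["missing_aces"]]
    lines += [f"unexpected ACE: {ace_to_sddl(a)}" for a in r["extra_aces"]]
    return lines


if __name__ == "__main__":
    for name, obs, exp in (("GPO", GPO_OBSERVED, GPO_EXPECTED),
                           ("sysvol", SYSVOL_OBSERVED, SYSVOL_EXPECTED)):
        print(f"== {name} ==")
        print("\n".join(report(obs, exp)))
```

Run against the thread's strings, the GPO case reduces to two findings: the owner is `LA` where the template wants `DA` (the point Rowland's note makes), and the DACL is marked `PAI` instead of `P`; every ACE matches. The sysvol case keeps all four template ACEs but shows them as inherited (`ID`) alongside five extra inherited entries, which is what `sysvolcheck` means by "does not match expected value".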
Hi Rowland.

But Samba automatically does this mapping:

root@server:/usr/local/src/samba-4.4.10# id 'domain admins'
uid=3000008(DOMAIN\domain admins) gid=3000008(DOMAIN\domain admins) groups=3000008(DOMAIN\domain admins)

Because of these options in smb.conf:

winbind enum users = yes
winbind enum groups = yes

Can I remove this mapping only for the Domain Admins group?

Thanks

2017-03-07 12:51 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 7 Mar 2017 12:23:59 -0300
> Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:
>
> > # samba-tool gpo aclcheck -U Administrator
> > Password for [DOMAIN\Administrator]:
> > ERROR: Invalid GPO ACL
> > O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > on path (cbmerj.local\Policies\{F274A070-5B45-4434-BB7C-75AE1D702A6B}),
> > should be
> > O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >
> > This last error is happening to all my policies. After each policy I
> > repair, another one shows up with a problem and I can't delete all
> > policies and recreate them to test.
> >
> > Thanks for your help!
>
> Welcome to the wonderful world of SYSVOL on a Samba4 AD DC ;-)
>
> Have you set a gidNumber for Domain Admins ?
> If so remove it, Domain Admins needs to own files and dirs in sysvol
> and if the group has a gidNumber it cannot.
>
> Note:
> 'O:LA' = owner: Local Administrator
> 'O:DA' = owner: Domain Admins
> 'G:DA' = group: Domain Admins
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------