Sebastian Arcus
2017-Apr-25 19:18 UTC
[Samba] "This security ID may not be assigned as the owner of this object" when trying to create a GPO
I have upgraded Samba from a NT PDC to an AD DC about a week ago. Everything went pretty well until today. I've already configured about 25 GPO's (through RSAT on a Windows 10 machine) - but when I came to add more GPO's - it wouldn't let me with the above error message.

My specs are:

Samba 4.5.0
Slackware -current 64bit
Kernel 4.4.20

The client machine is a Windows 10 Pro.

On the server I tried "samba-tool ntacl sysvolreset", which completes, but sysvolcheck has always given errors from the beginning of the upgrade (and keeps on doing so):

#samba-tool ntacl sysvolcheck

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/hebi.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

I also get a not very helpful error from samba-tool gpo aclcheck:

#samba-tool gpo aclcheck

ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]

Could anyone provide some hints as to where I should be looking next? What bugs me is that everything was working fine until today - and it stopped working seemingly out of the blue. I was mainly adding GPO's and not touching the main config - so can't work out what could have gone wrong.

Many thanks for any hints.
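Added example, not part of the original post and not Samba's own code: the two descriptors in the sysvolcheck error above differ only in the owner field, which is easier to see once the SDDL strings are split into components. The function names are hypothetical, and the parser assumes the owner/group/DACL form shown in the post (no SACL).

```python
import re

# Well-known SDDL SID aliases used in the descriptors quoted in the post.
ALIASES = {"LA": "Administrator (RID 500)", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

# Simplified grammar: owner, group and a DACL only (assumption: no SACL present).
SDDL_RE = re.compile(r"^O:(?P<owner>S-[0-9-]+|[A-Z]{2})"
                     r"G:(?P<group>S-[0-9-]+|[A-Z]{2})"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)$")

# Both descriptors are copied from the sysvolcheck error in the post.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FS_SDDL = "O:LAG:DAD:P" + ACES        # found on the GPO directory
EXPECTED_SDDL = "O:DAG:DAD:P" + ACES  # expected from the GPO object

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE tuples."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^()]*)\)", m.group("aces"))]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": m.group("flags"), "aces": aces}

def diff_sddl(found, expected):
    """Return one line per component that differs between two descriptors."""
    f, e = parse_sddl(found), parse_sddl(expected)
    out = []
    for part in ("owner", "group"):
        if f[part] != e[part]:
            out.append("%s: found %s (%s), expected %s (%s)" % (
                part, f[part], ALIASES.get(f[part], "?"), e[part], ALIASES.get(e[part], "?")))
    if (f["flags"], f["aces"]) != (e["flags"], e["aces"]):  # ACE order is significant
        out.append("DACL differs")
    return out

def duplicate_aces(sddl):
    """Return ACEs that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for ace in parse_sddl(sddl)["aces"]:
        if ace in seen and ace not in dups:
            dups.append(ace)
        seen.add(ace)
    return dups
```

`diff_sddl(FS_SDDL, EXPECTED_SDDL)` reports the owner mismatch (LA on disk, DA expected), and `duplicate_aces` shows that the Domain Admins ACE is listed twice in both descriptors.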
Sebastian Arcus
2017-Apr-25 20:29 UTC
[Samba] "This security ID may not be assigned as the owner of this object" when trying to create a GPO
On 25/04/17 20:18, Sebastian Arcus via samba wrote:
> I have upgraded Samba from a NT PDC to an AD DC about a week ago.
> Everything went pretty well until today. I've already configured about
> 25 GPO's (through RSAT on a Windows 10 machine) - but when I came to add
> more GPO's - it wouldn't let me with the above error message.

Replying to my own post, in case it helps someone. After hours of trial and error, I discovered that enabling the Recycle vfs module globally in smb.conf caused this. I still don't have a full understanding as to how it caused all the security errors related to creating GPO's - but disabling the Recycle module globally got everything working fine again.

>
> Samba 4.5.0
> Slackware -current 64bit
> Kernel 4.4.20
>
> The client machine is a Windows 10 Pro.
>
> On the server I tried "samba-tool ntacl sysvolreset", which completes,
> but sysvolcheck has always given errors from the beginning of the
> upgrade (and keeps on doing so):
>
> #samba-tool ntacl sysvolcheck
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/hebi.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line
> 270, in run
> lp)
> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1723, in checksysvolacl
> direct_db_access)
> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1674, in check_gpos_acl
> domainsid, direct_db_access)
> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 1621, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' % (acl_type(direct_db_access),
> path, fsacl_sddl, acl))
>
> I also get a not very helpful error from samba-tool gpo aclcheck:
>
> #samba-tool gpo aclcheck
>
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line
> 1150, in run
> ds_sd_ndr = m['nTSecurityDescriptor'][0]
>
> Could anyone provide some hints as to where I should be looking next?
> What bugs me is that everything was working fine until today - and it
> stopped working seemingly out of the blue. I was mainly adding GPO's and
> not touching the main config - so can't work out what could have gone
> wrong.
>
> Many thanks for any hints.
>