Hi,
We have been consistently having issues with GPO and they are not
consistent. We are using version 4.6.3 with BIND DNS Backend. As
suggested in some of our previous communications, when we run the
samba-tool ntacl sysvolcheck it results in the error as detailed below.
[root at dc1 ~]# samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[shares]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /usr/local/samba/var/locks/sysvol/ktkbankltd.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/Registry.pol
O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
Also, as suggested in one post, we checked the sysvol ownership and the
result is:
-rw------- 1 root root 421888 Mar 22 21:04 account_policy.tdb
-rw------- 1 root root 528384 Apr 20 15:24 registry.tdb
-rw------- 1 root root 421888 Mar 22 21:04 share_info.tdb
drwxrwx---+ 3 root 3000000 27 May 23 14:11 sysvol
-rw------- 1 root root 81920 Jun 19 13:58 winbindd_cache.tdb
drwxr-x--- 2 root root 17 Jun 7 17:25 winbindd_privileged
Any suggestions to get the AD Domain Controller and Group Policies to
work consistently?
--
Thanks & Regards,
Anantha Raghava
Hi,

No solutions to get out of this?

--
Thanks & Regards,
Anantha Raghava

On 21/06/17 7:05 PM, Anantha Raghava wrote:
> Hi,
>
> We have been consistently having issues with GPO and they are not
> consistent. We are using version 4.6.3 with BIND DNS Backend. As
> suggested in some of our previous communications, when we run the
> samba-tool ntacl sysvolcheck it results in the error as detailed below.
>
> [root at dc1 ~]# samba-tool ntacl sysvolcheck
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[shares]"
> ldb_wrap open of idmap.ldb
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /usr/local/samba/var/locks/sysvol/ktkbankltd.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/Registry.pol
> O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
>
> Also, as suggested in one post, we checked the sysvol ownership and
> the result is:
>
> -rw------- 1 root root 421888 Mar 22 21:04 account_policy.tdb
> -rw------- 1 root root 528384 Apr 20 15:24 registry.tdb
> -rw------- 1 root root 421888 Mar 22 21:04 share_info.tdb
> drwxrwx---+ 3 root 3000000 27 May 23 14:11 sysvol
> -rw------- 1 root root 81920 Jun 19 13:58 winbindd_cache.tdb
> drwxr-x--- 2 root root 17 Jun 7 17:25 winbindd_privileged
>
> Any suggestions to get the AD Domain Controller and Group Policies to
> work consistently?
>
> --
> Thanks & Regards,
> Anantha Raghava
On 6/22/2017 9:41 AM, Anantha Raghava via samba wrote:
> Hi,
>
> No solutions to get out of this?

Not sure exactly what your issue is, but based on your error Samba is reporting the following on that particular Policy:

* Lost Allow Object and Container inheritance on each ACE.
* Creator Owner missing ACE, and you have Built-in Administrators with an ACE.
* You have the primary owner as Built-in Administrators Group. Samba expects it to be Domain Administrators Group.
* Primary Group you have as Domain Users. Samba expects it to be Domain Administrators.
* Samba expects the SE_DACL_Protected flag to be set.

Are you using RFC2307 in your smb.conf? Did you assign Domain Admins a Unix GID (you shouldn't)? Have you run 'samba-tool ntacl sysvolreset' to see if Samba could correct the permissions?

--
James
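James's reading of the two security descriptors can be checked mechanically. The following is an added example, not code from the thread or from samba-tool: a small Python parser for the SDDL fields in the sysvolcheck message that reports owner, group, DACL-protection and per-ACE differences. It assumes the two-letter SID aliases used in the message (BA, DA, DU, CO, ...) and the simple `(type;flags;mask;;;sid)` ACE form shown there.

```python
import re

# The two SDDL strings copied from the sysvolcheck error in this thread.
ACTUAL = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
          "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# O:<owner>G:<group>D:<dacl flags>(<ace>)(<ace>)...  (SACL-less form, as in the message)
SDDL_RE = re.compile(r"^O:(\w+)G:(\w+)D:([A-Z]*)((?:\([^)]*\))*)$")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, the P (protected) flag and its ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, mask, _obj, _inh_obj, sid = ace.split(";")
        aces.append({"type": ace_type, "flags": flags, "mask": int(mask, 16), "sid": sid})
    return {"owner": owner, "group": group, "protected": "P" in dacl_flags, "aces": aces}


def compare_acls(actual_sddl, expected_sddl):
    """Return human-readable findings describing how actual differs from expected."""
    act, exp = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    findings = []
    if act["owner"] != exp["owner"]:
        findings.append("owner is %s, expected %s" % (act["owner"], exp["owner"]))
    if act["group"] != exp["group"]:
        findings.append("group is %s, expected %s" % (act["group"], exp["group"]))
    if exp["protected"] and not act["protected"]:
        findings.append("DACL is not protected (P flag missing)")
    # Key ACEs by trustee; the expected DACL lists DA twice with identical flags.
    exp_by_sid = {a["sid"]: a for a in exp["aces"]}
    act_by_sid = {a["sid"]: a for a in act["aces"]}
    for sid, e in exp_by_sid.items():
        a = act_by_sid.get(sid)
        if a is None:
            findings.append("missing ACE for %s (expected flags %s)" % (sid, e["flags"]))
        elif a["flags"] != e["flags"]:
            findings.append("ACE for %s has flags %r, expected %r" % (sid, a["flags"], e["flags"]))
        elif a["mask"] != e["mask"]:
            findings.append("ACE for %s has mask 0x%08x, expected 0x%08x" % (sid, a["mask"], e["mask"]))
    for sid in act_by_sid:
        if sid not in exp_by_sid:
            findings.append("unexpected ACE for %s" % sid)
    return findings


if __name__ == "__main__":
    for line in compare_acls(ACTUAL, EXPECTED):
        print(line)
```

Running it against the strings from the error reproduces the points above: owner BA instead of DA, group DU instead of DA, no P flag, every ACE without OICI, no CO ACE, and an extra BA ACE.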
On 6/22/2017 9:41 AM, Anantha Raghava via samba wrote:
> Hi,
>
> No solutions to get out of this?

I will also add that the Policy in question is your Default Domain Controllers Policy. Did you happen to manually modify it? I would advise against it.

--
James