Hi,
Searched on the net but not getting enough information to resolve the issue.
As per the suggestion to check the sysvol, but mine has issues.
Currently using CentOS 8.1.1911 and a compiled Samba 4.11.4 based on Fedora 31.
I tried also to delete the broken GPO policy E4108E65-68AB-4E2D-9A00-A9063B1558E3 but I can't delete it (using samba-tool gpo del {31B2F340-016D-11D2-945F-00C04FB984F9} -Uadministrator) and renamed the directory in /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies, which generates more errors.
However, using sysvolreset doesn't give any issues but doesn't resolve the issue.
How do I manually delete a GPO policy? Or any experience how to resolve this? I will try to upgrade to a current version, 4.11.6.
Regards,
Mario
Snippet of samba-tool ntacl sysvolreset -Uadministrator -d4 (last part):
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/Scripts. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/Microsoft. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE. uid = 0, gid = 512.
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'directory mask = 0777', 'store dos attributes yes' and all 'map ...' options to 'no'
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 512
set_nt_acl: chown /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER. uid = 0, gid = 512.
[root@abridor-dc1 Policies]# samba-tool ntacl sysvolcheck -d3 -UAdministrator
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/abridor.lumad.sandbox.net/Policies/{E4108E65-68AB-4E2D-9A00-A9063B1558E3}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/ntacl.py", line 456, in run
    lp)
  File "/usr/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1900, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1851, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1794, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
[root@abridor-dc1 Policies]# samba-tool gpo aclcheck -d3 -Uadministrator
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ABRIDOR.lumad.sandbox.net<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ABRIDOR.lumad.sandbox.net<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name abridor-dc1.abridor.lumad.sandbox.net<0x20>
Password for [ABRIDOR\administrator]:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Connecting to 192.168.19.5 at port 445
ERROR: Invalid GPO ACL
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
on path (abridor.lumad.sandbox.net\Policies\{E4108E65-68AB-4E2D-9A00-A9063B1558E3}), should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
[root@abridor-dc1 Policies]# ls -all
total 24
drwxrwx---+ 6 root 3000000 190 Feb 26 13:12 .
drwxrwx---+ 4 root 3000000  37 Dec 18 17:28 ..
drwxrwx---+ 4 root     512  48 Feb 21 13:23 {1FF53CF3-A410-470E-A983-82C73BABCA1E}
drwxrwx---+ 4 root     512  48 Dec 18 17:28 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root     512  48 Dec 18 17:28 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root     512  48 Feb 19 14:32 {E4108E65-68AB-4E2D-9A00-A9063B1558E3}
[root@abridor-dc1 Policies]# samba-tool gpo listall
GPO : {E4108E65-68AB-4E2D-9A00-A9063B1558E3}
display name : Users - ABRIDOR Mapped Drives
path : \\abridor.lumad.sandbox.net\SysVol\abridor.lumad.sandbox.net\Policies\{E4108E65-68AB-4E2D-9A00-A9063B1558E3}
dn : CN={E4108E65-68AB-4E2D-9A00-A9063B1558E3},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net
version : 393216
flags : NONE
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path : \\abridor.lumad.sandbox.net\sysvol\abridor.lumad.sandbox.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net
version : 0
flags : NONE
GPO : {1FF53CF3-A410-470E-A983-82C73BABCA1E}
display name : Zoom
path : \\abridor.lumad.sandbox.net\SysVol\abridor.lumad.sandbox.net\Policies\{1FF53CF3-A410-470E-A983-82C73BABCA1E}
dn : CN={1FF53CF3-A410-470E-A983-82C73BABCA1E},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net
version : 0
flags : NONE
GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path : \\abridor.lumad.sandbox.net\sysvol\abridor.lumad.sandbox.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net
version : 2
flags : NONE
[root@abridor-dc1 Policies]# samba-tool gpo del {31B2F340-016D-11D2-945F-00C04FB984F9} -Uadministrator
Password for [ABRIDOR\administrator]:
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <00002035: objectclass: Cannot delete CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=abridor,DC=lumad,DC=sandbox,DC=net, it isn't permitted!> <>
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 1518, in run
    self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))
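Both the sysvolcheck and aclcheck errors above print two long SDDL strings and leave the reader to spot the difference. The script below is an added example (not from the post and not Samba's own code): it parses both strings into owner, group and ACE lists and reports only what differs, using the two strings from the post as constructed input; LA and DA are the standard SDDL aliases for the built-in Administrator and Domain Admins.

```python
import re
from collections import Counter

# Constructed sample input: the two SDDL strings samba-tool gpo aclcheck printed
# for GPO {E4108E65-68AB-4E2D-9A00-A9063B1558E3}: on-disk ACL vs. GPO object ACL.
FS_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
_SECTION_RE = re.compile(r"([OGDS]):")  # O: owner, G: group, D: DACL, S: SACL

def parse_sddl(sddl):
    """Split SDDL into O:/G: (SID or alias, e.g. LA = built-in Administrator,
    DA = Domain Admins) and D:/S: as {'flags': 'P', 'aces': [ACE field tuples]}."""
    parts = {}
    marks = list(_SECTION_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        value = sddl[m.end():end]
        if m.group(1) in ("D", "S"):
            flags, _, aces = value.partition("(")
            ace_list = [tuple(a.split(";")) for a in aces.rstrip(")").split(")(") if a]
            parts[m.group(1)] = {"flags": flags, "aces": ace_list}
        else:
            parts[m.group(1)] = value
    return parts

def diff_sddl(on_disk, from_gpo):
    """List every difference between the file-system ACL and the GPO object's ACL.
    ACEs are compared as a multiset, so the duplicated DA ACE in the sample is kept."""
    a, e = parse_sddl(on_disk), parse_sddl(from_gpo)
    diffs = []
    for key, label in (("O", "owner"), ("G", "group")):
        if a.get(key) != e.get(key):
            diffs.append("%s: %s (on disk) != %s (GPO object)" % (label, a.get(key), e.get(key)))
    empty = {"flags": "", "aces": []}
    for key, label in (("D", "DACL"), ("S", "SACL")):
        da, de = a.get(key, empty), e.get(key, empty)
        if da["flags"] != de["flags"]:
            diffs.append("%s flags: %s (on disk) != %s (GPO object)" % (label, da["flags"], de["flags"]))
        have, want = Counter(da["aces"]), Counter(de["aces"])
        diffs += ["%s: missing ACE (%s)" % (label, ";".join(x)) for x in sorted((want - have).elements())]
        diffs += ["%s: extra ACE (%s)" % (label, ";".join(x)) for x in sorted((have - want).elements())]
    return diffs

if __name__ == "__main__":
    print("\n".join(diff_sddl(FS_SDDL, GPO_SDDL)) or "ACLs match")
```

For the strings in the post the only difference reported is the owner (LA on disk, DA on the GPO object); the DACLs are identical.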