Rowland penny
2021-Apr-06 10:11 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On 06/04/2021 10:42, L.P.H. van Belle via samba wrote:
> root@dc1:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
> O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)
> does not match expected value
> O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)
> from GPO object

Hi Louis,

The reason why you get that error is because you have given Domain Admins a gidNumber, this means that 'O:DA' can never happen. I have multiple GPOs in sysvol and this happens:

pi@rpidc1:~ $ sudo samba-tool ntacl sysvolreset
pi@rpidc1:~ $ sudo samba-tool ntacl sysvolcheck
pi@rpidc1:~ $

Absolutely no errors, this is with Samba 4.14.2.

At one time 'samba-tool ntacl sysvol*' didn't work, I tried to fix this and came to the conclusion it was because Samba didn't know who some of the users and groups were (they couldn't be 'mapped') and some of the permissions were unknown as well. These problems have now been fixed and sysvolreset and sysvolcheck now work correctly, provided users & groups can be mapped as Windows expects.

Rowland

Stefan Bellon
2021-Apr-06 10:32 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On Tue, 06 Apr, Rowland penny via samba wrote:
> The reason why you get that error is because you have given Domain Admins a gidNumber,

But that is not my case. Domain Admins DOES NOT have a gidNumber attribute (neither does Domain Users).

> this means that 'O:DA' can never happen. I have multiple GPOs in sysvol and this happens:
>
> pi@rpidc1:~ $ sudo samba-tool ntacl sysvolreset
> pi@rpidc1:~ $ sudo samba-tool ntacl sysvolcheck
> pi@rpidc1:~ $
>
> Absolutely no errors, this is with Samba 4.14.2.

After a "sysvolreset" a subsequent "sysvolcheck" works without any issues for me as well. This is not my issue. My issue is that it throws the error as soon as I have edited a GPO from RSAT, because that somehow changed the permissions in an "unexpected" way.

Greetings,
Stefan

-- 
Stefan Bellon
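
The two security descriptors from the sysvolcheck error quoted in this thread, compared field by field. This is an added example, not part of the thread and not Samba's own code. It handles only the owner/group/DACL form that appears in the error, and the names parse_sddl and diff_sddl are hypothetical.

```python
import re

# Both SDDL strings are copied from the sysvolcheck error quoted in the thread.
ACTUAL = ("O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
          "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)"
          "(A;;0x001200a9;;;DA)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)")

# Owner, group and DACL only (no SACL); SIDs as two-letter aliases or S-1-... form.
SID = r"(?:[A-Z]{2}|S-1-[0-9-]+)"
SDDL_RE = re.compile(r"^O:(%s)G:(%s)D:([A-Z]*)((?:\([^()]*\))*)$" % (SID, SID))

def parse_sddl(sddl):
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, flags, ace_text = m.groups()
    aces = []
    for body in re.findall(r"\(([^()]*)\)", ace_text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        kind, ace_flags, rights, _obj, _inherit_obj, trustee = fields
        # ACE flags are two-letter tokens (OI, CI, IO, ...)
        aces.append((kind, frozenset(re.findall("..", ace_flags)),
                     rights.lower(), trustee))
    return {"owner": owner, "group": group,
            "dacl_flags": set(re.findall(r"AR|AI|P", flags)), "aces": aces}

def diff_sddl(actual, expected):
    a, e = parse_sddl(actual), parse_sddl(expected)
    trustees_a = {ace[3] for ace in a["aces"]}
    trustees_e = {ace[3] for ace in e["aces"]}
    # Same type, rights and trustee on both sides, but different inheritance flags
    flag_drift = [x for x in a["aces"] if any(
        x[0] == y[0] and x[2:] == y[2:] and x[1] != y[1] for y in e["aces"])]
    return {"owner": (a["owner"], e["owner"]),
            "group": (a["group"], e["group"]),
            "missing_dacl_flags": sorted(e["dacl_flags"] - a["dacl_flags"]),
            "unexpected_trustees": sorted(trustees_a - trustees_e),
            "missing_trustees": sorted(trustees_e - trustees_a),
            "flag_drift": flag_drift}

if __name__ == "__main__":
    for key, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(key, value)
```

In SDDL, BA is Builtin Administrators, DU is Domain Users, DA is Domain Admins and CO is Creator Owner; P and AR are the protected and auto-inherit-requested DACL flags. OI, CI and IO on an ACE are object inherit, container inherit and inherit only.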