On 24/05/2023 15:33, Luis Peromarta via samba wrote:
> Greetings.
> 
> A bit more on sysvolchek / reset.
> 
> I have a 3-DC domain. All working fine. DC2 and DC3 rsync sysvol from DC1
> on an hourly basis. No issues with GPOs. Some months ago I ran all L.P.H. van
> Belle's steps as per https://wiki.samba.org/index.php/Sysvolreset and all seems
> OK.
> 
> Because of a thread currently on the list, I decided to do a quick check on
> DC2. No problem breaking things, I can always rsync demo DC1 again.
> 
> On DC2 (bookworm) :
> 
> Samba is stopped.
> 
> ./samba-check-set-sysvol.sh
> 
> INFO 2023-05-24 16:24:36,614 pid:107693
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config
> files from /etc/samba/smb.conf
> INFO 2023-05-24 16:24:36,614 pid:107693
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services
> file OK.
> failed to call wbcSidToUid: WBC_ERR_WINBIND_NOT_AVAILABLE
> Could not convert sid S-1-5-32-549 to uid
> 
> Strange, why am I getting this? winbind is installed.
> 
> 
> I tried sysvolcheck on DC2 and get:
> 
> 
> root at bwing:/var/lib/samba# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on sysvol directory
> /var/lib/samba/sysvol/mad.mater.int
> O:LAG:BAD:AI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;S-1-5-21-2152908145-95474353-1514027631-1110)(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001f01ff;;;DA)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001f01ff;;;SY)
> does not match expected value
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
> from provision
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
>     provision.checksysvolacl(samdb, netlogon, sysvol,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1873, in checksysvolacl
>     raise ProvisioningError('%s ACL on sysvol directory %s %s does not
> match expected value %s from provision' % (acl_type(direct_db_access),
> dir_path, fsacl_sddl, SYSVOL_ACL))
> 
> 
> I have absolutely no idea how to decode this. Then I tried
> 
> samba-tool ntacl sysvolreset (after a couple of minutes?)
> 
> No errors, no output. Then:
> 
> net cache flush && samba-tool ntacl sysvolcheck
> 
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/mad.mater.int/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> does not match expected value
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> from GPO object
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
>     provision.checksysvolacl(samdb, netlogon, sysvol,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
>     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
>     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' % (acl_type(direct_db_access),
> path, fsacl_sddl, acl))
> 
> 
> This time I can see it's complaining about
> GPO {31B2F340-016D-11D2-945F-00C04FB984F9}. This seems to be the default domain
> policy.
> 
> Everything seems to be working fine, is looking into this worth anything?
> 
> Thanks,
> 
> LP
If you look very carefully at the output from the error after you ran
sysvolreset, you will see that the difference is at the start. The ACL
owners 'O:LAG:DA' do not match what is expected 'O:DAG:DA'.
If you do not understand the output, let me decipher it:
O = owner
LA = Local Administrator, probably 'root'
G = group
DA = Domain Admins
So, to put it another way, you appear to have 'root:Domain Admins' as the
owner of
/var/lib/samba/sysvol/mad.mater.int/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
and it should be 'Domain Admins:Domain Admins'.
Are you by any chance using rfc2307 attributes and if so, have you given
Domain Admins a gidNumber?
Rowland
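An added example, not code from the thread or from Samba, that does the decoding Rowland describes by hand: it parses the two SDDL strings sysvolcheck prints, expands the two-letter trustee aliases, and lists exactly which parts differ. The alias table covers only the aliases that appear in the output above, and the GPO descriptor pair is the one quoted in the thread.

```python
import re

# Two-letter SDDL trustee aliases seen in the sysvolcheck output above (a subset
# of the Windows SDDL alias table); any other trustee string is shown as-is.
SID_ALIASES = {
    "LA": "Local Administrator", "DA": "Domain Admins",
    "BA": "Builtin Administrators", "EA": "Enterprise Admins",
    "SO": "Server Operators", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
    "CO": "Creator Owner",
}
_SDDL_RE = re.compile(r"^O:(S-[\d-]+|[A-Z]{2})G:(S-[\d-]+|[A-Z]{2})D:([A-Z]*)(.*)$")
_ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples
    (type, flags, rights, object_guid, inherit_guid, trustee)."""
    m = _SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an SDDL security descriptor: %r" % sddl)
    owner, group, flags, dacl = m.groups()
    aces = [tuple(a.split(";")) for a in _ACE_RE.findall(dacl)]
    return {"owner": owner, "group": group, "flags": flags, "aces": aces}

def ace_text(ace):
    kind, flags, rights, obj, _inh, trustee = ace
    return "%s %s %s%s for %s" % (kind, flags, rights or "-",
                                  " " + obj if obj else "",
                                  SID_ALIASES.get(trustee, trustee))

def diff_sddl(actual, expected):
    """List, in plain words, what differs between the two descriptors."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    for f in ("owner", "group"):
        if a[f] != e[f]:
            out.append("%s: %s, expected %s" % (f, SID_ALIASES.get(a[f], a[f]),
                                                 SID_ALIASES.get(e[f], e[f])))
    if a["flags"] != e["flags"]:
        out.append("dacl flags: %s, expected %s" % (a["flags"] or "-", e["flags"] or "-"))
    out += ["extra ACE: " + ace_text(x) for x in a["aces"] if x not in e["aces"]]
    out += ["missing ACE: " + ace_text(x) for x in e["aces"] if x not in a["aces"]]
    return out

# The GPO descriptor pair quoted in the thread; only the owner (LA vs DA) differs.
GPO_ACTUAL = ("O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
              "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
              "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
              "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)")
GPO_EXPECTED = "O:DA" + GPO_ACTUAL[len("O:LA"):]
```

Running `diff_sddl(GPO_ACTUAL, GPO_EXPECTED)` yields a single line reporting the owner mismatch; the same function on the sysvol-root pair from the first error shows that there the DACL control flags (AI versus P) and every ACE differ too, which is why only the GPO directory is left after sysvolreset.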