That's not a problem its just a ACL provisioning message as you can see
the result was "DAG:DAD:PAI" but expected was
"O:DAG:DAD:PAR" that's
"normal" ;-) just ignore it or do a "samba-tool ntacl
sysvolreset"
Am 19.10.23 um 17:27 schrieb bd730c5053df9efb via samba:> Hi!
>
> I executed the command "samba-tool ntacl sysvolcheck" on a DC and
I got the following I pasted below. The first DC was provisioned migrating from
a samba NT4 PDC with an LDAP backend using the classic upgrade procedure. I
haven't detected any problem but I wanted to make sure there isn't any
problem I might not be seeing yet.
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception - ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/samdom.com/Policies{725C8FA6-3CC1-4A37-9C70-4DE6C4793F53}
O:DAG:DAD:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)
does not match expected value O:DAG:
>
DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1039)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1054)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1152)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1305)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1390)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1536)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-1578)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-21970)(A;OICI;0x001200a9;;;S-1-5-21-2172607237-3276034063-696894390-22166)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1039)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1054)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1
>
-5-21-2172607237-3276034063-696894390-1152)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1305)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1390)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1536)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-1578)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-21970)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2172607237-3276034063-696894390-22166)
from GPO object
> File
"/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line
230, in _run
> return self.run(*args, **kwargs)
> File
"/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 449,
in run
> provision.checksysvolacl(samdb, netlogon, sysvol,
> File
"/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line
1876, in checksysvolacl
> check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> File
"/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line
1826, in check_gpos_acl
> check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
> File
"/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line
1769, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_db_access),
path, fsacl_sddl, acl))
>
> Thanks in advance.
> Best regards,
> Dave.
>