search for: 59a7d3dcd2dc

...ysvolreset' This is what the sysvolcheck returns: # samba-tool ntacl sysvolcheck ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/my.example.com/Policies/{E2BC0255-64C8- 42CF-A27A-59A7D3DCD2DC} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO; 0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI; 0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff; ;...

...what the sysvolcheck returns: > # samba-tool ntacl sysvolcheck > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - > ProvisioningError: DB ACL on GPO directory > /usr/local/samba/var/locks/sysvol/my.example.com/Policies/{E2BC0255-64C8- > 42CF-A27A-59A7D3DCD2DC} > O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO; > 0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI; > 0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value > O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;...

...TATUS_INVALID_SERVER_STATE =================================== Windows system log provides: =================================== The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={E2BC0255-64C8-42CF-A27A-59A7D3DCD2DC},cn=policies,cn= system,DC=my,DC=example,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure. =================================== How to solve? Thanks, Chris

On Sun, Oct 25, 2020 at 3:31 PM Rowland penny via samba <samba at lists.samba.org> wrote: > OK, if you look at the end of the permissions, there is a '+' sign, this > shows that extended acls set, to see these: > > getfacl /usr/local/samba/var/locks/sysvol The difference in acls is that the non-working domain includes: user:3000001:r-x user:3000002:rwx user:3000003:r-x

> It's needed after every GPO addition and edit. There must be a root > cause to hunt down somewhere. Or is it a bug in 4.13.0 ? Yes, and no. Yes, its a bug. No, in my opionion its an old setting thats just needs some updating. Try this. samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01

...mp;Policy=Microsoft.Policies.WindowsLogon::SyncForegroundPolicy > > The local system is Event ID 1096: > The processing of Group Policy failed. Windows could not apply the > registry-based policy settings for the Group Policy object > LDAP://CN=Machine,cn={E2BC0255-64C8-42CF-A27A-59A7D3DCD2DC},cn > =policies,cn= > system,DC=my,DC=example,DC=com. Group Policy settings will > not be resolved until this event is resolved. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc727302(v=ws.10)?redirectedfrom=MSDN So here they say, dele...