[Samba] Fwd: AD Policies are not applying properly


We have been consistently having issues with GPO and they are not consistent. We are using version 4.6.3 with BIND DNS Backend. As suggested in some of our previous communications, when we run the samba-tool ntacl sysvolcheck it results in the error as detailed below.

[root@dc1 ~]# samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[shares]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /usr/local/samba/var/locks/sysvol/ktkbankltd.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/Registry.pol O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

Also, as suggested in one post, we checked the sysvol ownership and the result is:

-rw-------  1 root root    421888 Mar 22 21:04 account_policy.tdb
-rw-------  1 root root    528384 Apr 20 15:24 registry.tdb
-rw-------  1 root root    421888 Mar 22 21:04 share_info.tdb
drwxrwx---+ 3 root 3000000     27 May 23 14:11 sysvol
-rw-------  1 root root     81920 Jun 19 13:58 winbindd_cache.tdb
drwxr-x---  2 root root        17 Jun  7 17:25 winbindd_privileged

Any suggestions to get the AD Domain Controller and Group Policies to work consistently?


Thanks & Regards,

Anantha Raghava
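The two SDDL strings in the sysvolcheck error above are hard to compare by eye. The Python script below is an added example, not part of this post and not Samba's own code: it parses both security descriptors (owner, group, DACL control flags and the ACE list) and reports exactly where they differ, so the mismatch can be read as "wrong owner/group, missing protected flag, no inheritance flags on any ACE, no CREATOR OWNER entry, an extra BUILTIN\Administrators entry" instead of one long line. The only input it uses is the pair of strings quoted in the error; the SDDL field layout and alias meanings (DA, BA, SY, CO, OICI, P) are the standard Windows definitions.

```python
"""Diff the on-disk and expected SDDL descriptors from a sysvolcheck error."""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Both strings are copied from the samba-tool error message in the post.
ON_DISK = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
           "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

AceKey = Tuple[str, str, str]        # (ACE type, inheritance flags, access mask)
_ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class SecurityDescriptor:
    owner: Optional[str]
    group: Optional[str]
    dacl_flags: str                  # "P" = protected, inherited ACEs are blocked
    aces: Dict[str, FrozenSet[AceKey]] = field(default_factory=dict)  # trustee -> ACEs


def _split_components(sddl: str) -> Dict[str, str]:
    """Split 'O:..G:..D:..S:..' into parts; markers inside (...) are not split on."""
    comps: Dict[str, str] = {}
    key, buf, depth, i = None, [], 0, 0
    while i < len(sddl):
        c = sddl[i]
        if depth == 0 and c in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                comps[key] = "".join(buf)
            key, buf = c, []
            i += 2
            continue
        depth += (c == "(") - (c == ")")
        buf.append(c)
        i += 1
    if key is not None:
        comps[key] = "".join(buf)
    return comps


def parse_sddl(sddl: str) -> SecurityDescriptor:
    comps = _split_components(sddl)
    dacl = comps.get("D", "")
    flags = dacl.split("(", 1)[0]    # control flags precede the first ACE
    aces: Dict[str, set] = {}
    for ace in _ACE_RE.findall(dacl):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
        parts = ace.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({ace})")
        aces.setdefault(parts[5], set()).add((parts[0], parts[1], parts[2]))
    return SecurityDescriptor(comps.get("O"), comps.get("G"), flags,
                              {t: frozenset(v) for t, v in aces.items()})


@dataclass
class Report:
    owner: Optional[Tuple[Optional[str], Optional[str]]] = None  # (on disk, expected)
    group: Optional[Tuple[Optional[str], Optional[str]]] = None
    dacl_flags: Optional[Tuple[str, str]] = None
    missing: set = field(default_factory=set)   # trustees expected but absent on disk
    extra: set = field(default_factory=set)     # trustees on disk but not expected
    changed: dict = field(default_factory=dict) # trustee -> (on-disk ACEs, expected ACEs)


def diff_descriptors(on_disk: str, expected: str) -> Report:
    a, e = parse_sddl(on_disk), parse_sddl(expected)
    r = Report()
    if a.owner != e.owner:
        r.owner = (a.owner, e.owner)
    if a.group != e.group:
        r.group = (a.group, e.group)
    if a.dacl_flags != e.dacl_flags:
        r.dacl_flags = (a.dacl_flags, e.dacl_flags)
    for trustee in set(a.aces) | set(e.aces):
        if trustee not in a.aces:
            r.missing.add(trustee)
        elif trustee not in e.aces:
            r.extra.add(trustee)
        elif a.aces[trustee] != e.aces[trustee]:
            r.changed[trustee] = (a.aces[trustee], e.aces[trustee])
    return r


def describe(r: Report) -> list:
    """Render a Report as one human-readable line per difference."""
    lines = []
    for label, pair in (("owner", r.owner), ("group", r.group), ("DACL flags", r.dacl_flags)):
        if pair is not None:
            lines.append(f"{label}: {pair[0]!r} on disk, expected {pair[1]!r}")
    for t in sorted(r.missing):
        lines.append(f"{t}: expected ACE is missing on disk")
    for t in sorted(r.extra):
        lines.append(f"{t}: ACE on disk is not in the expected descriptor")
    for t in sorted(r.changed):
        got, want = r.changed[t]
        lines.append(f"{t}: on disk {sorted(got)}, expected {sorted(want)}")
    return lines


if __name__ == "__main__":
    for line in describe(diff_descriptors(ON_DISK, EXPECTED)):
        print(line)
```

Run against the two strings from the error, the report shows that every difference is about inheritance and ownership rather than access masks: the rights (0x001f01ff full control, 0x001200a9 read/execute) match per trustee, but the on-disk ACEs carry no OI/CI flags, the DACL is not protected, owner and group are BA/DU instead of DA, the CREATOR OWNER (CO) inherit-only entry is absent and a BUILTIN\Administrators (BA) entry is present. That is the pattern of a sysvol tree whose NT ACLs were never (re)applied, which is why the post's question points at `samba-tool ntacl sysvolreset` territory rather than at the GPO contents themselves.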

