
Re: [Samba] Fwd: AD Policies are not applying properly




Hi,

No solutions to get out of this?

--

Thanks & Regards,


Anantha Raghava


On 21/06/17 7:05 PM, Anantha Raghava wrote:
Hi,

We have been consistently having issues with GPO and they are not consistent. We are using version 4.6.3 with BIND DNS Backend. As suggested in some of our previous communications, when we run the samba-tool ntacl sysvolcheck it results in the error as detailed below.

[root@dc1 ~]# samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[shares]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file/usr/local/samba/var/locks/sysvol/ktkbankltd.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/Registry.pol O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
     lp)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
     direct_db_access)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

Also, as suggested in one post, we checked the sysvol ownership and the result is:

-rw-------  1 root root    421888 Mar 22 21:04 account_policy.tdb
-rw-------  1 root root    528384 Apr 20 15:24 registry.tdb
-rw-------  1 root root    421888 Mar 22 21:04 share_info.tdb
drwxrwx---+ 3 root 3000000     27 May 23 14:11 sysvol
-rw-------  1 root root     81920 Jun 19 13:58 winbindd_cache.tdb
drwxr-x---  2 root root        17 Jun  7 17:25 winbindd_privileged

Any suggestions to get the AD Domain Controller and Group Policies to work consistently?

--

Thanks & Regards,


Anantha Raghava
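
To see what sysvolcheck is objecting to, the two SDDL strings in the error above can be compared field by field. The following is an added example, not part of the original message and not Samba's own code; the function names are hypothetical, and it handles only the owner/group/DACL form with six-field ACEs that appears in this error.

```python
import re

# The two SDDL strings copied from the sysvolcheck error quoted above.
ON_FILE = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
           "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

SID = r"(?:[A-Z]{2}|S-[0-9-]+)"  # two-letter alias (DA, BA, ...) or literal SID
SDDL_RE = re.compile(rf"O:({SID})G:({SID})D:([A-Z]*)((?:\([^)]*\))*)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACEs per trustee."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, dacl_flags, ace_blob = m.groups()
    aces = {}
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("unsupported ACE: %r" % body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        flag_set = frozenset(re.findall("..", flags))  # OICIIO -> {OI, CI, IO}
        if rights.lower().startswith("0x"):
            rights = int(rights, 16)  # normalise the hex access mask
        aces.setdefault(trustee, set()).add((ace_type, flag_set, rights))
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}


def diff_sddl(on_file, expected):
    """Report which parts of the on-disk descriptor differ from the expected one."""
    a, e = parse_sddl(on_file), parse_sddl(expected)
    report = {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]}
    report["only_on_file"] = sorted(set(a["aces"]) - set(e["aces"]))
    report["only_in_expected"] = sorted(set(e["aces"]) - set(a["aces"]))
    report["changed"] = sorted(t for t in set(a["aces"]) & set(e["aces"])
                               if a["aces"][t] != e["aces"][t])
    return report


if __name__ == "__main__":
    for key, value in diff_sddl(ON_FILE, EXPECTED).items():
        print(key, value)
```

For the strings in this error, the owner (BA instead of DA), the group (DU instead of DA) and the DACL flag P all differ, BA has an ACE only on the file, CO has one only in the expected value, and the remaining trustees keep the same access masks but lack the OI/CI inheritance flags.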


