[Samba] samba-tool ntacl sysvol check errors (samba 4.7.4 AD DC)


Since I recently updated my Samba DCs, I've noticed some weird behaviour on Windows stations (seems random?) with some GPOs not being applied from time to time (a reboot or even a logoff/login usually does the trick). When a policy is not applied and I run "gpupdate" on the Windows client, I get output saying that policy xxx (Default Domain Policy) could not be processed and because of this no other policy will be processed.

So I ran samba-tool ntacl sysvolcheck on the DC with the PDC FSMO, and I'm getting errors like this:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{77B4CB26-79A1-44B7-A003-1D8848B58128} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

I'm not sure what to make of it. I understand that the ACLs are somehow correct ("does not match expected value").

I've run sysvolreset, but I didn't notice anything change.

I also tried recreating that policy via RSAT and the GPO Management snap-in. I've done "copy -> paste (use default settings)". The policy was added with a new policy ID and completely default settings, but I got the error with the ID of the "new" policy.

samba-tool dbcheck --cross-ncs shows no errors, from the Windows client all permissions seem fine, and the Samba daemon doesn't generate any errors.

The only issue is that the Windows client occasionally doesn't apply some (not all) of the policies, but after a restart they're fine. I'm not sure if I'm even on the right track.

Can someone maybe explain what this error means, and how to possibly fix it?
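Added example (not from the poster or from Samba itself): a small SDDL parser that takes the filesystem ACL and the expected ACL quoted in the error above and reports only the parts that differ, so the mismatch sysvolcheck complains about can be read off directly. It assumes only the O:/G:/D: parts are relevant and ignores any SACL.

```python
import re

# Constructed from the post: the filesystem ACL and the expected ACL quoted in the error.
FS_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
DB_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# DACL control flags that may appear between "D:" and the first ACE.
DACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*)$")


def parse_sddl(sddl):
    """Split SDDL into owner, group, DACL control flags and ACE tuples (any SACL is ignored)."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    dacl = m.group("dacl").split("S:")[0]          # drop a trailing SACL if present
    flag_text = dacl.partition("(")[0]
    flags = set()
    while flag_text:                               # match two-letter flags before "P"
        tok = next((t for t in sorted(DACL_FLAGS, key=len, reverse=True)
                    if flag_text.startswith(t)), None)
        if tok is None:
            raise ValueError("unknown DACL control flag in %r" % flag_text)
        flags.add(tok)
        flag_text = flag_text[len(tok):]
    # Each ACE is type;flags;rights;object_guid;inherit_object_guid;trustee.
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"), "flags": flags, "aces": aces}


def diff_sddl(fs_sddl, db_sddl):
    """Return only the parts where the two descriptors differ, as (filesystem, database) pairs."""
    fs, db = parse_sddl(fs_sddl), parse_sddl(db_sddl)
    diff = {k: (fs[k], db[k]) for k in ("owner", "group", "flags") if fs[k] != db[k]}
    only_fs = [a for a in fs["aces"] if a not in db["aces"]]
    only_db = [a for a in db["aces"] if a not in fs["aces"]]
    if only_fs or only_db:
        diff["aces"] = (only_fs, only_db)
    return diff


if __name__ == "__main__":
    # For the two strings above, only the DACL control flags differ: PAI vs P.
    print(diff_sddl(FS_SDDL, DB_SDDL))
```

For the post's two strings the owner, group and all seven ACEs are identical; the only difference is the extra AI (AUTO_INHERITED) control flag on the filesystem DACL.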

