From: Andrew Bartlett <abart...@samba.org>
Newsgroups: linux.samba
Subject: Re: [Samba] SYSVOL ACLs and GPOs
Date: Thu, 25 Oct 2012 12:40:01 +0200
Message-ID: <jYt0Z-682-1@gated-at.bofh.it>
References: <jY5UK-2QN-7@gated-at.bofh.it> <jY7aa-4vR-19@gated-at.bofh.it> <jYc0a-1WI-7@gated-at.bofh.it> <jYd5U-3gV-37@gated-at.bofh.it> <jYkAq-47o-1@gated-at.bofh.it> <jYrBT-4vT-5@gated-at.bofh.it> <jYrVg-4NE-5@gated-at.bofh.it> <jYs4W-4YM-11@gated-at.bofh.it>
X-Original-To: Alex Matthews <qoole.sa...@lillimoth.com>
Organization: linux.* mail to news gateway
X-Mailer: Evolution 3.4.4 (3.4.4-2.fc17)
MIME-Version: 1.0
List-ID: General questions regarding Samba <samba.lists.samba.org>
List-Archive: <http://lists.samba.org/pipermail/samba>
Sender: robo...@news.nic.it
Approved: robo...@news.nic.it
Lines: 59
X-Original-Cc: sa...@lists.samba.org
X-Original-Date: Thu, 25 Oct 2012 21:30:43 +1100
X-Original-Message-ID: <1351161043.21630.228.camel@jesse>
X-Original-References: <5087B9C6.4060...@lillimoth.com>
	<1351076996.21630.195.camel@jesse> <5088167E.7060...@lillimoth.com>
	<50882721.8020...@lillimoth.com> <1351128712.21630.211.camel@jesse>
	<5088FFFD.8060...@lillimoth.com> <1351156816.21630.216.camel@jesse>
	<50890714.1010...@lillimoth.com>
X-Original-Sender: samba-boun...@lists.samba.org
Bytes: 4477
X-Received-Bytes: 4585
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:

> samba-tool ntacl sysvolcheck shows:
>
> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
> does not match expected value
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> from GPO object
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
>     lp)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1574, in checksysvolacl
>     direct_db_access)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1526, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1476, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Drat.

So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
the issue we have had for a while.  I had (incorrectly in your case)
assumed the issue was that IDMAP mappings imported from classic domains
were breaking it.  That's why I worked on my patches, which improve the
situation by handling some details at a lower level.

On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' and
then, if you don't mind, getting me the level 10 debug log would be very
helpful.  Set 'log level = 10' in your smb.conf, then re-run and send me
(personally) the result compressed with xz.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
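As an added example (not code from this thread or from Samba itself), the following parser takes the two SDDL descriptors from the sysvolcheck error above and reports exactly how the on-disk ACL deviates from the one computed from the GPO object: the missing P (protected DACL) flag, the ACEs present on the directory that the GPO object does not grant, the two full-control entries that are absent, and the SACL entries that never made it to disk. The SDDL grammar used (O:, G:, D:, S: sections, six semicolon-separated ACE fields) is the standard one; the diff logic and output shape are this example's own.

```python
import re
from collections import namedtuple

# Both descriptors are copied from the sysvolcheck error quoted above: the ACL
# found on the GPO directory (ACTUAL) and the one Samba computed (EXPECTED).
ACTUAL = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
            "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
Ace = namedtuple("Ace", "ace_type flags rights object_guid inherit_guid trustee")

def ace_to_sddl(ace):
    return "(" + ";".join(ace) + ")"

# Sections are O:, G:, D:, S:; nothing inside an ACE contains ':' so this split is safe.
_SECTION = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, and DACL/SACL (control flags + ACE list)."""
    parts = dict(_SECTION.findall(sddl))
    def acl(body):
        flags = body.split("(", 1)[0]  # e.g. "P" (protected) or "AI" (auto-inherited)
        return flags, [Ace(*a.split(";")) for a in re.findall(r"\(([^)]*)\)", body)]
    d_flags, dacl = acl(parts.get("D", ""))
    s_flags, sacl = acl(parts.get("S", ""))
    return {"owner": parts.get("O", ""), "group": parts.get("G", ""),
            "dacl_flags": d_flags, "dacl": dacl, "sacl_flags": s_flags, "sacl": sacl}

def diff_sddl(actual, expected):
    """Explain how the on-disk descriptor deviates from the expected one."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    a_dacl, e_dacl = set(a["dacl"]), set(e["dacl"])
    return {
        "owner_match": a["owner"] == e["owner"],
        "group_match": a["group"] == e["group"],
        # Without P the DACL is unprotected: parent ACEs merge in and an exact compare fails.
        "protected_missing": "P" in e["dacl_flags"] and "P" not in a["dacl_flags"],
        "missing": sorted(e_dacl - a_dacl, key=ace_to_sddl),  # expected but absent on disk
        "extra": sorted(a_dacl - e_dacl, key=ace_to_sddl),    # on disk but not expected
        "sacl_missing": len(set(e["sacl"]) - set(a["sacl"])),
    }

if __name__ == "__main__":
    for key, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(key, [ace_to_sddl(v) for v in value] if isinstance(value, list) else value)
```

Run against the two strings it shows that owner and group already agree and that the real gap is the unprotected DACL plus the inherit-only and read-only entries that look like inheritance from the parent directory, which is what sysvolreset is meant to overwrite.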

