
[Samba] gpo not working with samba 4 migrated


Trenta sis

Jul 21, 2016, 11:30:04 AM
Hi,

I have migrated a Samba 3 domain to Samba, and I have found that when you try
to use GPOs they are not applied; we receive errors in the Windows event log with
permissions in sysvol. I have checked the paths to the sysvol GPOs and they are correct.
Also I have tried with a new fresh domain (not migrated) and with this new
install GPOs work.


How can I debug these problems and find a solution?

Thanks

Marc Muehlfeld

Jul 21, 2016, 1:00:03 PM
Hello,

On 21.07.2016 at 17:18, Trenta sis wrote:
> I have migrated a Samba 3 domain to Samba, and I have found that when you try
> to use GPOs they are not applied; we receive errors in the Windows event log with
> permissions in sysvol. I have checked the paths to the sysvol GPOs and they are correct.
> Also I have tried with a new fresh domain (not migrated) and with this new
> install GPOs work.
>
> How can I debug these problems and find a solution?


Have you tried
https://wiki.samba.org/index.php/FAQ#Incompatible_permissions_of_GPO_objects_and_SysVol_share


Regards,
Marc

Trenta sis

Jul 21, 2016, 2:50:03 PM
Hi,

First of all, thanks for your answer. It seems that this can help: now some
changes made to GPOs are applied and we are not receiving errors in the event
viewer, but it seems that some changes are not applied. Why, and where can I find
some information? In the Samba log and event viewer no error is reported.

Also I have tried

# samba-tool ntacl sysvolreset

After this tried
# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1732, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1683, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1630, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

I tried with a new domain (not migrated) and then it works. Where is the problem?
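
The two SDDL strings in the sysvolcheck error above are hard to compare by eye. The following is an added example, not part of the original post and not Samba's own code: it parses both descriptors and reports which components differ. The function and variable names are illustrative assumptions; the two strings are copied from the error message.

```python
import re

# SDDL SID aliases that appear in the sysvolcheck output quoted in the thread.
SID_ALIASES = {"LA": "Local Administrator", "DA": "Domain Admins",
               "EA": "Enterprise Admins", "CO": "Creator Owner",
               "SY": "Local System", "AU": "Authenticated Users",
               "ED": "Enterprise Domain Controllers"}

SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl_flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)(?:S:.*)?")
ACE_FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE dicts."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    aces = [dict(zip(ACE_FIELDS, body.split(";")))
            for body in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("dacl_flags"), "aces": aces}

def diff_sddl(actual, expected):
    """Return (field, actual, expected) tuples for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(f, a[f], e[f]) for f in ("owner", "group", "dacl_flags") if a[f] != e[f]]
    if a["aces"] != e["aces"]:  # ACE order matters, so compare as ordered lists
        extra = [x for x in a["aces"] if x not in e["aces"]]
        missing = [x for x in e["aces"] if x not in a["aces"]]
        diffs.append(("aces", extra, missing))
    return diffs

def name(alias):
    """Expand a two-letter SDDL alias; anything else is returned unchanged."""
    return SID_ALIASES.get(alias, alias) if isinstance(alias, str) else alias

# The ACE list is identical in both strings of the error message.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FSACL_SDDL = "O:LAG:DAD:P" + ACES  # reported as "DB ACL on GPO directory"
GPO_SDDL = "O:DAG:DAD:P" + ACES    # reported as "expected value ... from GPO object"

if __name__ == "__main__":
    for field, got, want in diff_sddl(FSACL_SDDL, GPO_SDDL):
        print("%s: found %s, expected %s" % (field, name(got), name(want)))
```

On the strings from the post, the only difference reported is the owner: `LA` (Local Administrator) on the directory versus `DA` (Domain Admins) expected from the GPO object.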

Rowland penny

Jul 21, 2016, 3:50:03 PM
Firstly, the ACLs that Samba4 sets are wrong, but when you set them
correctly, there is another problem with any extra GPOs added. The
Python code gets the ACL on the files and then compares it with what it
should be; this is where it goes wrong again :-)

When I figure out why, I will let you know.

Rowland

Trenta sis

Jul 21, 2016, 5:30:04 PM
I'm not sure what you are detailing. Is it a bug in progress that can cause
these random problems with some GPOs, or can this error be ignored?


Rowland penny

Jul 22, 2016, 3:50:03 AM
The ACLs that Samba sets on the sysvol directory are wrong, I was going
to look into this, but asked on samba-technical first. I was informed,
by Stefan Metzmacher, that he had looked into this some time ago, but
pressure of work had stopped him completing the work.
I have tested his patches, made a few very minor changes and they work,
until you add another GPO, this is when it goes wrong. It checks the
ACLs on the files in the GPO, then reports they are wrong, I am looking
into this now.

Rowland

lingpa...@gmail.com

Jul 22, 2016, 8:20:03 AM
Rowland,

My testing shows that if you assign a GID to 'Domain Admins',
sysvolreset and check will fail. Will this possibly be addressed by the
patches?

--
-James

Rowland penny

Jul 22, 2016, 1:00:03 PM
Didn't know this, will look into it and if required, try to fix it.

Rowland