[Samba] GPO aclcheck and sysvolcheck error while applying GPO


Guilherme Boing

Sep 9, 2015, 8:20:03 AM9/9/15
Hello,

Running Samba 4.2.3 from source, using CentOS 7.0, two DCs.
I have checked and the GPO is properly working, but these errors don't
look... intended.

# samba-tool gpo aclcheck
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.PUBLICACOES.ONLINE<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.PUBLICACOES.ONLINE<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
steve.publicacoes.online<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
steve.publicacoes.online<0x20>
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line
1150, in run
ds_sd_ndr = m['nTSecurityDescriptor'][0]

# samba-tool ntacl sysvolcheck
....
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/publicacoes.online/Policies/{4A2053FD-433E-4439-965B-6C828D20F5DD}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line 249, in run
lp)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
direct_db_access)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))


When I didn't have any GPOs created, I had no issues with sysvolcheck.
Any ideas?

smb.conf:
# Global parameters
[global]
workgroup = POL
realm = PUBLICACOES.ONLINE
netbios name = STEVE
server role = active directory domain controller
dns forwarder = 192.168.22.180
log level = 3
template shell = /bin/bash
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/publicacoes.online/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

Sep 9, 2015, 8:30:03 AM9/9/15
What's the output of:
samba-tool gpo aclcheck -U Administrator

and
samba-tool ntacl sysvolcheck -U Administrator

But, if you add:
acl_xattr:ignore system acls = yes
to the sysvol share

and you set the correct rights on the share,
then you can safely ignore these errors/warnings.

I did; since GPOs only apply on the Windows computers, I just ignore these messages.

For me I get the same messages as you do.
ls -al /var/lib/samba/sysvol/internal.domain.tld/Policies/

and I see things like
drwxrwx---+ 4 root BUILTIN\administrators
drwxrwx---+ 4 domain admins domain admins
drwxrwx---+ 4 root domain admins

depending on the user I used for setting the GPOs.

and I don't have any problems with my GPOs.

I think this: acl_xattr:ignore system acls = yes
is the best option Samba has :-)


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Guilherme Boing
> Sent: Wednesday 9 September 2015 14:11
> To: samba
> Subject: [Samba] GPO aclcheck and sysvolcheck error while applying GPO

Guilherme Boing

Sep 9, 2015, 8:50:04 AM9/9/15
# ls -la /usr/local/samba/var/locks/sysvol/publicacoes.online/Policies/
total 24
drwxrwx---+ 5 root BUILTIN\administrators 4096 Set 9 08:14 .
drwxrwx---+ 4 root BUILTIN\administrators 35 Jul 16 16:15 ..
drwxrwx---+ 4 domain admins domain admins 45 Jul 16 16:15
{31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 domain admins domain admins 45 Set 9 08:14
{4A2053FD-433E-4439-965B-6C828D20F5DD}
drwxrwx---+ 4 domain admins domain admins 45 Jul 16 16:15
{6AC1786C-016F-11D2-945F-00C04FB984F9}

# samba-tool gpo aclcheck -U Administrator
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.PUBLICACOES.ONLINE<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.PUBLICACOES.ONLINE<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
steve.publicacoes.online<0x20>
Password for [POL\Administrator]:
resolve_lmhosts: Attempting lmhosts lookup for name
steve.publicacoes.online<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
steve.publicacoes.online<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
steve.publicacoes.online<0x20>
ERROR: Invalid GPO ACL
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
on path
(publicacoes.online\Policies\{4A2053FD-433E-4439-965B-6C828D20F5DD}),
should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

# samba-tool ntacl sysvolcheck -U Administrator
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/usr/local/samba/var/locks/sysvol/publicacoes.online/Policies/{4A2053FD-433E-4439-965B-6C828D20F5DD}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line 249, in run
lp)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
direct_db_access)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))


I'll try with "acl_xattr:ignore system acls = yes" to see if anything
changes.
Anyway, at least everything seems to be working just fine so far, even with
these errors...