Discussion:
[Samba] gpo not working with samba 4 migrated
Trenta sis
2016-07-21 15:18:02 UTC
Hi,

I have migrated a samba 3 domain to samba, and I have found that when you try
to use GPOs they are not applied; we receive errors in the Windows event log about
permissions in sysvol. I have checked the paths to the sysvol GPOs and they are correct.
I have also tried with a new fresh domain (not migrated), and with this new
install GPOs work.


How can I debug this problems and find a solution?

Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Trenta sis
2016-07-21 18:37:06 UTC
Hi,

First of all thanks for your answer, it seems that this can help, now some
changes made to gpo are applied and we are not receiving errors in event
viewer, but it seems that some changes are not applied, why and where can I find
some information, in samba log and event viewer any error is reported

Also I have tried

# samba-tool ntacl sysvolreset

After this tried
# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1732, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1683, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1630, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Tried with new domain (not migrated) and then it works, where is the problem?
Hello,
Post by Trenta sis
I have migrated samba 3 domain to samba, and I have found that when you try
to use gpo this are not applied we receive in windows event log errors with
permissions in sysvol, I have checked paths to sysvol gpos and are correct.
Also I have tried with a new fresh domain (not migrated) and with this new
install works GPO
How can I debug this problems and find a solution?
Have you tried
https://wiki.samba.org/index.php/FAQ#Incompatible_permissions_of_GPO_objects_and_SysVol_share
Regards,
Marc
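The two SDDL strings in the sysvolcheck error above differ in one place that is hard to spot by eye. As an added example (not part of the original thread and not Samba code), this script parses both strings and reports only the components that differ; the function names are hypothetical, and the parser assumes SDDL with owner, group and DACL but no SACL.

```python
import re
from collections import Counter

# Standard SDDL SID aliases that occur in the two strings from the error.
ALIASES = {"LA": "Administrator account (RID 500)", "DA": "Domain Admins",
           "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

# The two SDDL strings exactly as quoted in the sysvolcheck error above.
_ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
         "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
         "(A;OICI;0x001200a9;;;ED)")
FS_ACL = "O:LAG:DAD:P" + _ACES      # what sysvolcheck read from the directory
EXPECTED = "O:DAG:DAD:P" + _ACES    # what it derived from the GPO object

SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string (no SACL) into its parts."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    # Each ACE is type;flags;rights;object_guid;inherit_guid;trustee
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}

def diff_sddl(on_disk, expected):
    """Return only the components in which the two descriptors differ."""
    a, e = parse_sddl(on_disk), parse_sddl(expected)
    report = {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]}
    ca, ce = Counter(a["aces"]), Counter(e["aces"])
    if ca - ce:
        report["aces_only_on_disk"] = sorted((ca - ce).elements())
    if ce - ca:
        report["aces_only_expected"] = sorted((ce - ca).elements())
    dupes = sorted(ace for ace, n in ca.items() if n > 1)
    if dupes:
        report["duplicate_aces_on_disk"] = dupes
    return report

if __name__ == "__main__":
    for field, value in diff_sddl(FS_ACL, EXPECTED).items():
        print(field, value)
    # Name the owner aliases so the mismatch reads as accounts, not codes.
    print("owner on disk:", ALIASES["LA"], "| expected:", ALIASES["DA"])
```

On the strings from the error, the only mismatch is the owner: `LA` (the Administrator account) on disk against `DA` (Domain Admins) expected from the GPO object. Every ACE is identical, and the Domain Admins ACE appears twice in both strings.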
Trenta sis
2016-07-21 21:18:35 UTC
I'm not sure what you are detailing, is it a bug in progress that can cause
these random problems with some gpos or can this error be ignored?
l***@gmail.com
2016-07-22 12:10:48 UTC
Post by Trenta sis
I'm not sure what you are detailing, is it a bug in progress that can cause
these random problems with some gpos or can this error be ignored?
The ACLs that Samba sets on the sysvol directory are wrong, I was
going to look into this, but asked on samba-technical first. I was
informed, by Stefan Metzmacher, that he had looked into this some time
ago, but pressure of work had stopped him completing the work.
I have tested his patches, made a few very minor changes and they
work, until you add another GPO, this is when it goes wrong. It checks
the ACLs on the files in the GPO, then reports they are wrong, I am
looking into this now.
Rowland
Rowland,

My testing shows that if you assign a GID to 'Domain Admins',
sysvolreset and check will fail. Will this possibly be addressed by the
patches?
--
-James