Discussion:
[Samba] Samba 4.2.14 GPO issue
Min Wai Chan
2016-07-24 03:40:20 UTC
Permalink
Dear All,
I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that GPO
are having issue

Specifically when I'm adding new using they *never *got the gpupdate
success fully.

When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset

But don't seem to got it fix..

Any suggestion?

Thank in advance.

#samba-tool ntacl sysvolcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[dfs]"
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line
249, in run
lp)
File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
direct_db_access)
File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
domainsid, direct_db_access)
File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))

Regards,
Min Wai
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Min Wai Chan
2016-07-24 18:46:13 UTC
Permalink
Hello Sébastien Le Ray,

The PC reply the following...

The processing of Group Policy failed. Windows could not resolve the user
name. This could be caused by one or more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).

The processing of Group Policy failed. Windows could not resolve the
computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from
the command line to access information about Group Policy results.
Hi,
Do you have any specific error message in Windows events log concerning
GPO?
Regards
Post by Min Wai Chan
Dear All,
I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that GPO
are having issue
Specifically when I'm adding new using they *never *got the gpupdate
success fully.
When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset
But don't seem to got it fix..
Any suggestion?
Thank in advance.
#samba-tool ntacl sysvolcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[dfs]"
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
<http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D>
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line
249, in run
lp)
File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
direct_db_access)
File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
domainsid, direct_db_access)
File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))
Regards,
Min Wai
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Min Wai Chan
2016-08-03 02:44:41 UTC
Permalink
Dear Sébastien,

Sorry for the delay,

Please check on the log below.
As for the word "存取被拒。" it should translate to Access Deny...

Please help.


- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
<Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
<EventID>1055</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="*2016-08-03T02:25:58.236569500Z*" />
<EventRecordID>237427</EventRecordID>
<Correlation ActivityID="*{20A9F83F-172B-4F62-8B1A-5732474FD71D}*" />
<Execution ProcessID="*1156*" ThreadID="*1872*" />
<Channel>System</Channel>
<Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
<Security UserID="*S-1-5-18*" />
</System>
- <EventData>
<Data Name="*SupportInfo1*">1</Data>
<Data Name="*SupportInfo2*">2052</Data>
<Data Name="*ProcessingMode*">0</Data>
<Data Name="*ProcessingTimeInMilliseconds*">3495</Data>
<Data Name="*ErrorCode*">5</Data>
<Data Name="*ErrorDescription*">存取被拒。</Data>
</EventData>
</Event>


- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
<Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
<EventID>1053</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="*2016-08-03T02:25:58.220969800Z*" />
<EventRecordID>237426</EventRecordID>
<Correlation ActivityID="*{81CBE41A-C06F-4C33-9A59-DA9418903184}*" />
<Execution ProcessID="*1156*" ThreadID="*4516*" />
<Channel>System</Channel>
<Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
<Security UserID="*S-1-5-21-3560897929-3766931875-2087304217-2002*" />
</System>
- <EventData>
<Data Name="*SupportInfo1*">1</Data>
<Data Name="*SupportInfo2*">2052</Data>
<Data Name="*ProcessingMode*">0</Data>
<Data Name="*ProcessingTimeInMilliseconds*">3541</Data>
<Data Name="*ErrorCode*">5</Data>
<Data Name="*ErrorDescription*">存取被拒。</Data>
</EventData>
</Event>
Hi,
That's look more like a gpupdate output than an event log entry :-)
Post by Min Wai Chan
Hello Sébastien Le Ray,
The PC reply the following...
The processing of Group Policy failed. Windows could not resolve the user
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).
The processing of Group Policy failed. Windows could not resolve the
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).
To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from
the command line to access information about Group Policy results.
On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <
Hi,
Do you have any specific error message in Windows events log concerning
GPO?
Regards
Dear All,
Post by Min Wai Chan
I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that GPO
are having issue
Specifically when I'm adding new using they *never *got the gpupdate
success fully.
When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset
But don't seem to got it fix..
Any suggestion?
Thank in advance.
#samba-tool ntacl sysvolcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[dfs]"
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
<http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D>
<
http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line
249, in run
lp)
File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
direct_db_access)
File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))
Regards,
Min Wai
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-08-03 06:27:39 UTC
Permalink
In addition

( source : http://www.networksteve.com/forum/topic.php/Group_Policy_Access_Denied_for_computer_policy_only/?TopicId=39534&Posts=2 )

The root problem was a rogue cached credential under the Local System account. This was preventing the Local System account from logging on to the domain using the domain computer account. I think the rogue credential was a lingering item from my prior home network configuration using Windows Home Server 2011.

To resolve the issue, I had to find and delete the rogue credential under the Local System account. This is what I did:
1.Use SysInternals PsExec to open a command prompt under the Local System account [http://technet.microsoft.com/en-us/sysinternals/bb897553]:
From an Administrator command prompt: PsExec.exe -i -s cmd.exe
2.Open the Stored User Names and Passwords app under the Local System account:
From the System account command prompt: rundll32.exe keymgr.dll, KRShowKeyMgr
3.You should now see the credentials that are cached under the Local System account. Review the list for rogue suspects, and remove them. For me, this was straightforward. There were two credentials listed: one rogue cred (from my old WHS2011 config I suspect), and a second called virtualapp/didlogical. When I reviewed the credentials on machines that were working, they only had the virtualapp/didlogical credential listed.

I removed the rogue credential, and then gpupdate worked like a charm! Also, running klist -li 0x3e7 now shows a nice healthy set of Kerberos tickets for the Local System account.
All is good.
-----Oorspronkelijk bericht-----
Verzonden: woensdag 3 augustus 2016 8:15
Onderwerp: Re: [Samba] Samba 4.2.14 GPO issue
Hai Min Wai,
Please read these links, MS change some things in GPO.
MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398
The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622
Add the Authenticated Users group with Read Permissions on the Group
Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with
read permission.
See if above helps you.
If not, enable GPO operational logging.
Open registry editor, navigate to HKLM\Software\Microsoft\Windows
NT\CurrentVersion
- Right click CurrentVersion->New->Key
- Rename the newly created key to Diagnostics
- Right click on Diagnostics->New->DWORD(32-bit)value, rename the new
DWORD entry to GPSvcDebugLevel and set the value as 0x30002 (hexadecimal)
- After you modified the registry, please run the command gpupdate /force
at command prompt to refresh the policy. Reboot the computer to reproduce
the issue.
The log file is written to the %SystemRoot%\Debug\UserMode folder.
And see if you get more/better info from the debug log.
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: woensdag 3 augustus 2016 4:45
Aan: Sébastien Le Ray
Onderwerp: Re: [Samba] Samba 4.2.14 GPO issue
Dear Sébastien,
Sorry for the delay,
Please check on the log below.
As for the word "???????????????" it should translate to Access Deny...
Please help.
- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
<Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
<EventID>1055</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="*2016-08-03T02:25:58.236569500Z*" />
<EventRecordID>237427</EventRecordID>
<Correlation ActivityID="*{20A9F83F-172B-4F62-8B1A-5732474FD71D}*" />
<Execution ProcessID="*1156*" ThreadID="*1872*" />
<Channel>System</Channel>
<Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
<Security UserID="*S-1-5-18*" />
</System>
- <EventData>
<Data Name="*SupportInfo1*">1</Data>
<Data Name="*SupportInfo2*">2052</Data>
<Data Name="*ProcessingMode*">0</Data>
<Data Name="*ProcessingTimeInMilliseconds*">3495</Data>
<Data Name="*ErrorCode*">5</Data>
<Data Name="*ErrorDescription*">???????????????</Data>
</EventData>
</Event>
- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
<Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
<EventID>1053</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="*2016-08-03T02:25:58.220969800Z*" />
<EventRecordID>237426</EventRecordID>
<Correlation ActivityID="*{81CBE41A-C06F-4C33-9A59-DA9418903184}*" />
<Execution ProcessID="*1156*" ThreadID="*4516*" />
<Channel>System</Channel>
<Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
<Security UserID="*S-1-5-21-3560897929-3766931875-2087304217-2002*" />
</System>
- <EventData>
<Data Name="*SupportInfo1*">1</Data>
<Data Name="*SupportInfo2*">2052</Data>
<Data Name="*ProcessingMode*">0</Data>
<Data Name="*ProcessingTimeInMilliseconds*">3541</Data>
<Data Name="*ErrorCode*">5</Data>
<Data Name="*ErrorDescription*">???????????????</Data>
</EventData>
</Event>
On Mon, Jul 25, 2016 at 2:51 AM, Sébastien Le Ray <sebastien-
Hi,
That's look more like a gpupdate output than an event log entry :-)
Post by Min Wai Chan
Hello Sébastien Le Ray,
The PC reply the following...
The processing of Group Policy failed. Windows could not resolve the
user
Post by Min Wai Chan
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on
another
Post by Min Wai Chan
domain controller has not replicated to the current domain
controller).
Post by Min Wai Chan
The processing of Group Policy failed. Windows could not resolve the
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on
another
Post by Min Wai Chan
domain controller has not replicated to the current domain
controller).
Post by Min Wai Chan
To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from
the command line to access information about Group Policy results.
On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <
Hi,
Do you have any specific error message in Windows events log
concerning
Post by Min Wai Chan
GPO?
Regards
Dear All,
Post by Min Wai Chan
I've recently upgrade from samba 4.1.x to samba 4.2.14 and found
that
Post by Min Wai Chan
Post by Min Wai Chan
GPO
are having issue
Specifically when I'm adding new using they *never *got the
gpupdate
Post by Min Wai Chan
Post by Min Wai Chan
success fully.
When I run samba-tool ntacl sysvolcheck or samba-tool ntacl
sysvolreset
Post by Min Wai Chan
Post by Min Wai Chan
But don't seem to got it fix..
Any suggestion?
Thank in advance.
#samba-tool ntacl sysvolcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[dfs]"
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
Post by Min Wai Chan
Post by Min Wai Chan
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
<http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-
00C04FB984F9%7D>
Post by Min Wai Chan
Post by Min Wai Chan
<
http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-
00C04FB984F9%7D
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120
0a9;;;AU)(A;OICI;0x001200a9;;;ED)
Post by Min Wai Chan
Post by Min Wai Chan
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120
0a9;;;AU)(A;OICI;0x001200a9;;;ED)
Post by Min Wai Chan
Post by Min Wai Chan
from GPO object
File "/usr/lib64/python2.7/site-
packages/samba/netcmd/__init__.py",
Post by Min Wai Chan
Post by Min Wai Chan
line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-
packages/samba/netcmd/ntacl.py",
Post by Min Wai Chan
Post by Min Wai Chan
line
249, in run
lp)
File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
direct_db_access)
File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does
not
Post by Min Wai Chan
Post by Min Wai Chan
match
expected value %s from GPO object' % (acl_type(direct_db_access),
path,
Post by Min Wai Chan
Post by Min Wai Chan
fsacl_sddl, acl))
Regards,
Min Wai
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-08-03 06:14:46 UTC
Permalink
Hai Min Wai,

Please read these links, MS change some things in GPO.

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622


In sum:
Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.

See if above helps you.
If not, enable GPO operational logging.
Open registry editor, navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion

- Right click CurrentVersion->New->Key
- Rename the newly created key to Diagnostics
- Right click on Diagnostics->New->DWORD(32-bit)value, rename the new DWORD entry to GPSvcDebugLevel and set the value as 0x30002 (hexadecimal)

- After you modified the registry, please run the command gpupdate /force at command prompt to refresh the policy. Reboot the computer to reproduce the issue.

The log file is written to the %SystemRoot%\Debug\UserMode folder.
And see if you get more/better info from the debug log.



Greetz,

Louis
-----Oorspronkelijk bericht-----
Verzonden: woensdag 3 augustus 2016 4:45
Aan: Sébastien Le Ray
Onderwerp: Re: [Samba] Samba 4.2.14 GPO issue
Dear Sébastien,
Sorry for the delay,
Please check on the log below.
As for the word "???????????????" it should translate to Access Deny...
Please help.
- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
<Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
<EventID>1055</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="*2016-08-03T02:25:58.236569500Z*" />
<EventRecordID>237427</EventRecordID>
<Correlation ActivityID="*{20A9F83F-172B-4F62-8B1A-5732474FD71D}*" />
<Execution ProcessID="*1156*" ThreadID="*1872*" />
<Channel>System</Channel>
<Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
<Security UserID="*S-1-5-18*" />
</System>
- <EventData>
<Data Name="*SupportInfo1*">1</Data>
<Data Name="*SupportInfo2*">2052</Data>
<Data Name="*ProcessingMode*">0</Data>
<Data Name="*ProcessingTimeInMilliseconds*">3495</Data>
<Data Name="*ErrorCode*">5</Data>
<Data Name="*ErrorDescription*">???????????????</Data>
</EventData>
</Event>
- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
<Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
<EventID>1053</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="*2016-08-03T02:25:58.220969800Z*" />
<EventRecordID>237426</EventRecordID>
<Correlation ActivityID="*{81CBE41A-C06F-4C33-9A59-DA9418903184}*" />
<Execution ProcessID="*1156*" ThreadID="*4516*" />
<Channel>System</Channel>
<Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
<Security UserID="*S-1-5-21-3560897929-3766931875-2087304217-2002*" />
</System>
- <EventData>
<Data Name="*SupportInfo1*">1</Data>
<Data Name="*SupportInfo2*">2052</Data>
<Data Name="*ProcessingMode*">0</Data>
<Data Name="*ProcessingTimeInMilliseconds*">3541</Data>
<Data Name="*ErrorCode*">5</Data>
<Data Name="*ErrorDescription*">???????????????</Data>
</EventData>
</Event>
On Mon, Jul 25, 2016 at 2:51 AM, Sébastien Le Ray <sebastien-
Hi,
That's look more like a gpupdate output than an event log entry :-)
Post by Min Wai Chan
Hello Sébastien Le Ray,
The PC reply the following...
The processing of Group Policy failed. Windows could not resolve the
user
Post by Min Wai Chan
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).
The processing of Group Policy failed. Windows could not resolve the
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another
domain controller has not replicated to the current domain controller).
To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from
the command line to access information about Group Policy results.
On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <
Hi,
Do you have any specific error message in Windows events log
concerning
Post by Min Wai Chan
GPO?
Regards
Dear All,
Post by Min Wai Chan
I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that
GPO
are having issue
Specifically when I'm adding new using they *never *got the gpupdate
success fully.
When I run samba-tool ntacl sysvolcheck or samba-tool ntacl
sysvolreset
Post by Min Wai Chan
Post by Min Wai Chan
But don't seem to got it fix..
Any suggestion?
Thank in advance.
#samba-tool ntacl sysvolcheck
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[dfs]"
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
Post by Min Wai Chan
Post by Min Wai Chan
ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/
kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
<http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-
00C04FB984F9%7D>
Post by Min Wai Chan
Post by Min Wai Chan
<
http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-
00C04FB984F9%7D
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120
0a9;;;AU)(A;OICI;0x001200a9;;;ED)
Post by Min Wai Chan
Post by Min Wai Chan
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120
0a9;;;AU)(A;OICI;0x001200a9;;;ED)
Post by Min Wai Chan
Post by Min Wai Chan
from GPO object
File "/usr/lib64/python2.7/site-
packages/samba/netcmd/__init__.py",
Post by Min Wai Chan
Post by Min Wai Chan
line
175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
line
249, in run
lp)
File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1730, in checksysvolacl
direct_db_access)
File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1681, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
line 1628, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match
expected value %s from GPO object' % (acl_type(direct_db_access),
path,
Post by Min Wai Chan
Post by Min Wai Chan
fsacl_sddl, acl))
Regards,
Min Wai
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Continue reading on narkive:
Loading...