Samba-tool ntacl sysvolcheck gives the following output: root@dc1:~# samba-tool ntacl sysvolcheck rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[netlogon]" Processing section "[sysvol]" ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samba.merit.unu.edu/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run lp) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1695, in checksysvolacl direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl domainsid, direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1593, in check_dir_acl raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)) Running samba-tool ntacl sysvolreset fixes things. Background info: This is server running (and classicupgraded with) sernet samba4.1.6. Domain is running very well, but GPO's fail with: "Windows attempted to read the file blahblah\gpt.ini from a domain controller and was not successful". Note: the sysvol with the error is available on request.
Hi all, having a similar error, that probably is related to the particular object number (see error message). I am running Samba 4.1.12/Sernet on Debian Wheezy 64bit. When I run "samba-tool ntacl sysvolreset" I get an empty prompt without error message. But it doesn't fix the issue. Here's the output: root@dc1:~$ samba-tool ntacl sysvolcheck ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/mydom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run lp) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl domainsid, direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1624, in check_dir_acl raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)) root@dc1:/var/lib/samba/sysvol/mydom.example.com/Policies$ ls -lh insgesamt 144K drwxrwx---+ 4 root 500 4,0K Nov 1 22:22 {1AC9641E-1234-47C7-8D8C-43A199220635} drwxrwx---+ 5 root 500 4,0K Okt 25 20:47 {31B2F340-016D-11D2-945F-00C04FB984F9} drwxrwx---+ 3 root 500 4,0K Nov 2 00:55 {562AB030-6351-42C1-9850-D5B12BF45570} drwxrwx---+ 4 root 500 4,0K Nov 1 02:30 {58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F} drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:12 {61160F2C-67CA-4A47-970D-6A02F5550FBA} drwxrwx---+ 4 root 500 4,0K Okt 6 12:25 {6AC1786C-016F-11D2-945F-00C04FB984F9} drwxrwx---+ 3 root 3000000 4,0K Nov 1 21:25 {A124ED05-EF3B-44A9-8AD8-950D444B0414} drwxrwx---+ 3 root 500 4,0K Nov 1 22:30 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7} drwxrwx---+ 4 root 3000000 4,0K Nov 1 21:25 {C670A447-2A80-4FDC-8940-BA241597F9E5} drwxrwx---+ 2 root 3000000 4,0K Okt 31 20:10 {C7115EF1-5DD8-47BB-BFFA-5ECE074A3233} drwxrwxr-x+ 5 root 500 4,0K Okt 31 20:17 {C9E26EE9-6C23-495A-92C2-8D2FBB4B75CB} drwxrwx---+ 4 root 3000000 4,0K Nov 1 02:50 {D198C658-98FC-49CD-B71C-D07556FF6ADB} drwxrwx---+ 4 root 500 4,0K Nov 1 22:15 {D55B1C00-2313-4052-AB61-A022B3154D01} drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:08 {D651BB93-342C-466B-9155-0506988771C9} drwxrwx---+ 3 root 500 4,0K Nov 2 01:08 {DDA5BF82-3A1C-4D5E-BE56-51229772DF93} drwxrwx---+ 2 root 3000000 4,0K Nov 1 02:40 {EC6B4379-B7DE-49FC-A504-5BD55D23AEDC} drwxrwx---+ 3 root 3000000 4,0K Nov 1 22:15 {F80CBDB5-646E-4E69-9935-4C7966079202} drwxrwx---+ 4 root 500 4,0K Nov 2 01:02 {FB1BD0C7-B22B-4F3C-84E6-61958C733AA4} Looks like te particular directory "{31B2F340-016D-11D2-945F-00C04FB984F9}" somehow is broken? I run into the same issue on my second domain controller, but on dc2 another directory is reported as bad, see output here: root@dc2:~$ samba-tool ntacl sysvolcheck ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/mydom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run lp) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl domainsid, direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1624, in check_dir_acl raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)) root@dc2:/var/lib/samba/sysvol/mydom.example.com/Policies$ ls -lh insgesamt 144K drwxrwx---+ 4 root 500 4,0K Nov 1 22:22 {1AC9641E-1234-47C7-8D8C-43A199220635} drwxrwx---+ 5 root 500 4,0K Okt 25 20:47 {31B2F340-016D-11D2-945F-00C04FB984F9} drwxrwx---+ 3 root 500 4,0K Nov 2 00:55 {562AB030-6351-42C1-9850-D5B12BF45570} drwxrwx---+ 4 root 500 4,0K Nov 1 02:30 {58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F} drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:12 {61160F2C-67CA-4A47-970D-6A02F5550FBA} drwxrwx---+ 4 root 500 4,0K Okt 6 12:25 {6AC1786C-016F-11D2-945F-00C04FB984F9} drwxrwx---+ 3 root 3000000 4,0K Nov 1 21:25 {A124ED05-EF3B-44A9-8AD8-950D444B0414} drwxrwx---+ 3 root 500 4,0K Nov 1 22:30 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7} drwxrwx---+ 4 root 3000000 4,0K Nov 1 21:25 {C670A447-2A80-4FDC-8940-BA241597F9E5} drwxrwx---+ 2 root 3000000 4,0K Okt 31 20:10 {C7115EF1-5DD8-47BB-BFFA-5ECE074A3233} drwxrwxr-x+ 5 root 500 4,0K Okt 31 20:17 {C9E26EE9-6C23-495A-92C2-8D2FBB4B75CB} drwxrwx---+ 4 root 3000000 4,0K Nov 1 02:50 {D198C658-98FC-49CD-B71C-D07556FF6ADB} drwxrwx---+ 4 root 500 4,0K Nov 1 22:15 {D55B1C00-2313-4052-AB61-A022B3154D01} drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:08 {D651BB93-342C-466B-9155-0506988771C9} drwxrwx---+ 3 root 500 4,0K Nov 2 01:08 {DDA5BF82-3A1C-4D5E-BE56-51229772DF93} drwxrwx---+ 2 root 3000000 4,0K Nov 1 02:40 {EC6B4379-B7DE-49FC-A504-5BD55D23AEDC} drwxrwx---+ 3 root 3000000 4,0K Nov 1 22:15 {F80CBDB5-646E-4E69-9935-4C7966079202} drwxrwx---+ 4 root 500 4,0K Nov 2 01:02 {FB1BD0C7-B22B-4F3C-84E6-61958C733AA4} On DC2 the directory "{6AC1786C-016F-11D2-945F-00C04FB984F9}" seems to be the culprit. As I said before "samba-tool ntacl sysvolreset" didn't help, neither on DC1 and nore on DC2. Any help appreciated. Mirco.
(In reply to Mirco from comment #1) I did make following experience. I am doing "samba-tool ntacl sysvolreset" on DC2. After that the command "ls -l" inside the sysvol/Policies directory outputs: drwxrwx---+ 5 root 500 4,0K Okt 25 20:47 {31B2F340-016D-11D2-945F-00C04FB984F9} drwxrwx---+ 3 root 3000000 4,0K Nov 2 00:55 {562AB030-6351-42C1-9850-D5B12BF45570} drwxrwx---+ 4 root 500 4,0K Nov 1 02:30 {58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F} drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:12 {61160F2C-67CA-4A47-970D-6A02F5550FBA} drwxrwx---+ 4 root 500 4,0K Okt 6 12:25 {6AC1786C-016F-11D2-945F-00C04FB984F9} drwxrwx---+ 3 root 3000000 4,0K Nov 1 21:25 {A124ED05-EF3B-44A9-8AD8-950D444B0414} drwxrwx---+ 3 root 3000000 4,0K Nov 1 22:30 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7} drwxrwx---+ 4 root 3000000 4,0K Nov 1 21:25 {C670A447-2A80-4FDC-8940-BA241597F9E5} drwxrwx---+ 2 root 3000000 4,0K Okt 31 20:10 {C7115EF1-5DD8-47BB-BFFA-5ECE074A3233} drwxrwxr-x+ 5 root 500 4,0K Okt 31 20:17 {C9E26EE9-6C23-495A-92C2-8D2FBB4B75CB} drwxrwx---+ 4 root 3000000 4,0K Nov 1 02:50 {D198C658-98FC-49CD-B71C-D07556FF6ADB} drwxrwx---+ 4 root 3000000 4,0K Nov 1 22:15 {D55B1C00-2313-4052-AB61-A022B3154D01} drwxrwx---+ 4 root 3000000 4,0K Okt 31 20:08 {D651BB93-342C-466B-9155-0506988771C9} drwxrwx---+ 3 root 3000000 4,0K Nov 2 01:08 {DDA5BF82-3A1C-4D5E-BE56-51229772DF93} drwxrwx---+ 2 root 3000000 4,0K Nov 1 02:40 {EC6B4379-B7DE-49FC-A504-5BD55D23AEDC} drwxrwx---+ 3 root 3000000 4,0K Nov 1 22:15 {F80CBDB5-646E-4E69-9935-4C7966079202} drwxrwx---+ 4 root 3000000 4,0K Nov 2 01:02 {FB1BD0C7-B22B-4F3C-84E6-61958C733AA4} There are 4 directories that have owner=root and group=500. As explained on my last posting, when I run "samba-tool ntacl sysvolcheck" I get an output with that error message: $ samba-tool ntacl sysvolcheck ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/mydom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run lp) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl domainsid, direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1624, in check_dir_acl raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)) He failed at directory {6AC1786C-016F-11D2-945F-00C04FB984F9}. So I though for testing purpose I move these 4 directories which are carrying the group=500 to /root/temp/ and run the "samba-tool ntacl sysvolcheck" command again. Then I get this error message: $ samba-tool ntacl sysvolcheck ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory') File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run lp) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl domainsid, direct_db_access) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE) File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl xattr.XATTR_NTACL_NAME) Mirco.
*** This bug has been marked as a duplicate of bug 14927 ***