I have a Samba 4.1.17 server as a domain DC.

smb.conf:

[global]
    workgroup = AD-TEST
    realm = ad-test.stc
    netbios name = DC1
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    server services = +smb -s3fs
    dcerpc endpoint servers = +winreg +srvsvc
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes

[netlogon]
    path = /var/db/samba4/sysvol/ad-test.stc/scripts
    read only = No

[sysvol]
    path = /var/db/samba4/sysvol
    read only = No

There are no errors in samba-tool ntacl sysvolcheck.

After I create a new GPO or modify any existing GPO in RSAT Group Policy Management, the sysvol ACLs are broken:

[root@dc1 /usr/home/tabolin]# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /var/db/samba4/sysvol/ad-test.stc/Policies/{89126A8B-1349-40FB-9BB0-47F9F0DC2A87}/Machine/Preferences/Groups/Groups.xml O:S-1-5-21-2864478947-2530200069-463850822-2348G:BAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;S-1-5-21-2864478947-2530200069-463850822-2348)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
    direct_db_access)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1634, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

I have to run "samba-tool ntacl sysvolreset --use-ntvfs" to fix the ACLs. After that there are no errors in "samba-tool ntacl sysvolcheck". When I modify a GPO again, I have to run sysvolreset again too.
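To see exactly which parts of the descriptor differ between the two SDDL strings in the error above, the following added example (not part of the original report and not Samba's own code) parses both and lists the mismatches field by field. `parse_sddl` and `diff_sddl` are hypothetical helper names, and the parser only handles the O:/G:/D: layout that appears in the report.

```python
import re

# SDDL strings copied from the sysvolcheck error in the report above.
ACTUAL = (
    "O:S-1-5-21-2864478947-2530200069-463850822-2348G:BAD:"
    "(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)"
    "(A;;0x001f01ff;;;S-1-5-21-2864478947-2530200069-463850822-2348)"
    "(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;SY)"
    "(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = (
    "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
    "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001200a9;;;ED)")

# Assumption: owner, group and DACL only, no SACL section (as in the report).
SDDL_RE = re.compile(
    r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl_flags>[A-Z]*)(?P<aces>(\([^)]*\))*)$")
ACE_FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE dicts."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    desc = {k: m.group(k) for k in ("owner", "group", "dacl_flags")}
    desc["aces"] = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != len(ACE_FIELDS):
            raise ValueError("malformed ACE: %r" % body)
        desc["aces"].append(dict(zip(ACE_FIELDS, fields)))
    return desc


def diff_sddl(actual, expected):
    """Return (field, actual, expected) tuples for every mismatch."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = [(k, a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]]
    if len(a["aces"]) != len(e["aces"]):
        out.append(("ace_count", len(a["aces"]), len(e["aces"])))
    for i, (x, y) in enumerate(zip(a["aces"], e["aces"])):
        out += [("ace[%d].%s" % (i, f), x[f], y[f]) for f in ACE_FIELDS if x[f] != y[f]]
    return out

if __name__ == "__main__":
    for field, got, want in diff_sddl(ACTUAL, EXPECTED):
        print("%-16s actual=%-48r expected=%r" % (field, got, want))
```

Run against the two strings from the report, the access masks and ACE count match; the differences are the owner, the group, the missing P (protected) DACL flag, the missing inheritance flags on every ACE, and a user SID where the expected descriptor has CO.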
*** This bug has been marked as a duplicate of bug 14927 ***