11309 – ACL on sysvol broken after create/modify GPO

Bug 11309 - ACL on sysvol broken after create/modify GPO

Summary: ACL on sysvol broken after create/modify GPO

Status:	RESOLVED DUPLICATE of bug 14927

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.1.17
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-06-02 13:28 UTC by Yuriy Tabolin
Modified:	2021-12-07 17:19 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yuriy Tabolin 2015-06-02 13:28:42 UTC

I have samba server 4.1.17 as a domain DC. smb.conf:
[global]
        workgroup = AD-TEST
        realm = ad-test.stc
        netbios name = DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        server services = +smb -s3fs
        dcerpc endpoint servers = +winreg +srvsvc
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        load printers = no
        show add printer wizard = no
        printcap name = /dev/null
        disable spoolss = yes
[netlogon]
        path = /var/db/samba4/sysvol/ad-test.stc/scripts
        read only = No
[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

There are no errors in samba-tool ntacl sysvolcheck. After I create new or modify any existent GPO on RSAT Group Ploicy Management sysvol ACL are broken:

[root@dc1 /usr/home/tabolin]# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /var/db/samba4/sysvol/ad-test.stc/Policies/{89126A8B-1349-40FB-9BB0-47F9F0DC2A87}/Machine/Preferences/Groups/Groups.xml O:S-1-5-21-2864478947-2530200069-463850822-2348G:BAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;S-1-5-21-2864478947-2530200069-463850822-2348)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
    direct_db_access)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1634, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

I have to run "samba-tool ntacl sysvolreset --use-ntvfs" to fix ACL. After that there are no errors in "samba-tool ntacl sysvolcheck". When I modify GPO again, I have to run sysvolreset again too.

Comment 1 Björn Jacke 2021-12-07 17:19:39 UTC


*** This bug has been marked as a duplicate of bug 14927 ***