Bug 11309 - ACL on sysvol broken after create/modify GPO
Summary: ACL on sysvol broken after create/modify GPO
Status: RESOLVED DUPLICATE of bug 14927
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.1.17
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2015-06-02 13:28 UTC by Yuriy Tabolin
Modified: 2021-12-07 17:19 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Yuriy Tabolin 2015-06-02 13:28:42 UTC
I have samba server 4.1.17 as a domain DC. smb.conf:
        workgroup = AD-TEST
        realm = ad-test.stc
        netbios name = DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        server services = +smb -s3fs
        dcerpc endpoint servers = +winreg +srvsvc
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        load printers = no
        show add printer wizard = no
        printcap name = /dev/null
        disable spoolss = yes
        path = /var/db/samba4/sysvol/ad-test.stc/scripts
        read only = No
        path = /var/db/samba4/sysvol
        read only = No

There are no errors in samba-tool ntacl sysvolcheck. After I create new or modify any existent GPO on RSAT Group Ploicy Management sysvol ACL are broken:

[root@dc1 /usr/home/tabolin]# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /var/db/samba4/sysvol/ad-test.stc/Policies/{89126A8B-1349-40FB-9BB0-47F9F0DC2A87}/Machine/Preferences/Groups/Groups.xml O:S-1-5-21-2864478947-2530200069-463850822-2348G:BAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;S-1-5-21-2864478947-2530200069-463850822-2348)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1634, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

I have to run "samba-tool ntacl sysvolreset --use-ntvfs" to fix ACL. After that there are no errors in "samba-tool ntacl sysvolcheck". When I modify GPO again, I have to run sysvolreset again too.
Comment 1 Björn Jacke 2021-12-07 17:19:39 UTC

*** This bug has been marked as a duplicate of bug 14927 ***