I'm running rc6, but it's not a clean installation; it's samba3 upgraded to 4.0 back in the beta2 days. samba-tool ntacl sysvolcheck dies with a message about an incorrect ACL on a GPO, but that ACL is set by sysvolreset.

$ sudo samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/shch8.brnv.rw/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1576, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1527, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1477, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Here is the output of getfacl:

# file: {6AC1786C-016F-11D2-945F-00C04FB984F9}/
# owner: 0
# group: 513
user::rwx
user:0:rwx
group::---
group:512:rwx
group:513:---
group:3000004:r-x
group:3000007:rwx
group:3000053:rwx
group:3000054:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:group::---
default:group:512:rwx
default:group:513:---
default:group:3000004:r-x
default:group:3000007:rwx
default:group:3000053:rwx
default:group:3000054:r-x
default:mask::rwx
default:other::---

As you can see, the owner is set to root/Administrator while it should be 512. I tried to set the correct ACL by hand using chown+setfacl, but sysvolreset turned it back into the incorrect one you see above.
So, what is happening here is that when you have 'Domain Admins' mapped in idmap.ldb as IDMAP_GID, we have a problem when that group is required to own a file. There is no UID value we can safely assign. What we do is to instead assign the UID from 'Administrator', as a stop-gap measure. From there, I tried to ensure that Windows would see the 'Domain Admins' owner (and not the posix owner), but this may not have worked out right.
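As an added example (not from this thread or from samba-tool), the script below parses the two SDDL descriptors quoted in the sysvolcheck error and reports exactly what differs; for these two strings the only mismatch is the owner, LA (Administrator) versus DA (Domain Admins), which is the UID-for-a-GID substitution described in the reply above. The alias table is the standard SDDL one, limited to the aliases these descriptors use.

```python
import re
from collections import Counter

# Both descriptors are copied verbatim from the sysvolcheck error message above.
ACTUAL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Standard SDDL two-letter SID aliases that appear in these descriptors.
ALIASES = {"LA": "Local Administrator", "DA": "Domain Admins", "DU": "Domain Users",
           "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    # Each component starts with O:, G:, D: or S: and runs up to the next such marker.
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = parts.get("D", "")
    flags = dacl.split("(", 1)[0]          # "P" here: DACL protected from inheritance
    # Each ACE becomes (type, flags, rights, object_guid, inherit_guid, sid).
    aces = [tuple(ace.split(";")) for ace in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl_flags": flags, "aces": aces}

def describe(sid):
    return "%s (%s)" % (sid, ALIASES.get(sid, "literal SID or unlisted alias"))

def diff_sddl(actual, expected):
    """Return human-readable differences (ACEs compared as a multiset); [] if equivalent."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            out.append("%s: got %s, expected %s" % (field, describe(a[field]), describe(e[field])))
    if a["dacl_flags"] != e["dacl_flags"]:
        out.append("DACL flags: got %r, expected %r" % (a["dacl_flags"], e["dacl_flags"]))
    for ace in (Counter(e["aces"]) - Counter(a["aces"])).elements():
        out.append("missing ACE: (%s)" % ";".join(ace))
    for ace in (Counter(a["aces"]) - Counter(e["aces"])).elements():
        out.append("unexpected ACE: (%s)" % ";".join(ace))
    return out

if __name__ == "__main__":
    for line in diff_sddl(ACTUAL, EXPECTED) or ["descriptors match"]:
        print(line)
```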
Andrew, is this related to https://bugzilla.samba.org/show_bug.cgi?id=9340 and already fixed?
Andrew, any updates?