I'm running rc6, but it's not a clean installation; it's samba3 upgraded to 4.0 in the ages of beta2. samba-tool ntacl sysvolcheck dies with a message about an incorrect ACL on a GPO, but that ACL is set by sysvolreset.

$ sudo samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/shch8.brnv.rw/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1576, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1527, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1477, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Here is the output of getfacl:

# file: {6AC1786C-016F-11D2-945F-00C04FB984F9}/
# owner: 0
# group: 513
user::rwx
user:0:rwx
group::---
group:512:rwx
group:513:---
group:3000004:r-x
group:3000007:rwx
group:3000053:rwx
group:3000054:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:group::---
default:group:512:rwx
default:group:513:---
default:group:3000004:r-x
default:group:3000007:rwx
default:group:3000053:rwx
default:group:3000054:r-x
default:mask::rwx
default:other::---

As you can see, the owner is set to root/Administrator while it should be 512. I tried to set the correct ACL by hand using chown+setfacl, but sysvolreset turned it back into the incorrect one you see above.
So, what is happening here is that when you have 'Domain Admins' mapped in idmap.ldb as IDMAP_GID, we have a problem when that group is required to own a file. There is no UID value we can safely assign. What we do is to instead assign the UID from 'Administrator', as a stop-gap measure. From there, I tried to ensure that Windows would see the 'Domain Admins' owner (and not the posix owner), but this may not have worked out right.
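Added example, not part of the bug report and not Samba's own code: a small Python script that parses the two SDDL strings quoted in the sysvolcheck error above and reports which security-descriptor component differs. Run on those strings it shows that the DACLs are identical and only the owner differs (LA, the Administrator account, versus DA, Domain Admins), which is exactly the stop-gap described in the comment above. The SID abbreviations in the table are the documented SDDL well-known constants; the two input strings are copied from the error message, and the third is constructed to exercise the missing-ACE path.

```python
import re
from collections import Counter

# Documented SDDL well-known SID abbreviations used in the report.
WELL_KNOWN = {
    "LA": "Administrator account",
    "DA": "Domain Admins",
    "DU": "Domain Users",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# Copied from the sysvolcheck error message above: on-disk ACL vs. the ACL on the GPO object.
ACTUAL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# SDDL layout: O:owner G:group D:dacl S:sacl, each part optional, in that order.
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>[^:]+?))?"
    r"(?:G:(?P<group>[^:]+?))?"
    r"(?:D:(?P<dacl>[^:]*?))?"
    r"(?:S:(?P<sacl>.*))?$"
)


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and a list of ACE tuples."""
    m = SDDL_RE.match(sddl)
    if not sddl or m is None:
        raise ValueError("not an SDDL string: %r" % (sddl,))
    parts = m.groupdict()
    dacl = parts["dacl"] or ""
    # Text before the first ACE holds the DACL control flags, e.g. "P" (protected from inheritance).
    flags = dacl.split("(", 1)[0]
    # Each ACE is "(type;flags;rights;object_guid;inherit_object_guid;sid)".
    aces = [tuple(ace.split(";")) for ace in re.findall(r"\(([^()]*)\)", dacl)]
    return {"owner": parts["owner"], "group": parts["group"], "dacl_flags": flags, "aces": aces}


def sid_name(sid):
    return WELL_KNOWN.get(sid, sid)


def diff_sddl(actual, expected):
    """Return (component, actual, expected) tuples for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(f, a[f], e[f]) for f in ("owner", "group", "dacl_flags") if a[f] != e[f]]
    if a["aces"] != e["aces"]:
        # Multiset comparison, so the duplicated DA ACE in both strings is counted correctly.
        ca, ce = Counter(a["aces"]), Counter(e["aces"])
        for ace in (ca - ce).elements():
            diffs.append(("extra_ace", ";".join(ace), None))
        for ace in (ce - ca).elements():
            diffs.append(("missing_ace", None, ";".join(ace)))
        if ca == ce:
            diffs.append(("ace_order", a["aces"], e["aces"]))
    return diffs


def explain(diffs):
    """Human-readable description of each difference, with well-known SIDs named."""
    out = []
    for comp, actual, expected in diffs:
        if comp in ("owner", "group"):
            out.append("%s is %s (%s) but should be %s (%s)"
                       % (comp, actual, sid_name(actual), expected, sid_name(expected)))
        elif comp == "missing_ace":
            out.append("ACE missing on disk: %s" % expected)
        elif comp == "extra_ace":
            out.append("unexpected ACE on disk: %s" % actual)
        else:
            out.append("%s differs: %r vs %r" % (comp, actual, expected))
    return out


if __name__ == "__main__":
    for line in explain(diff_sddl(ACTUAL, EXPECTED)):
        print(line)
```

The check mirrors what check_dir_acl in the traceback does, except that instead of failing on the first string mismatch it names the component at fault, which is what an administrator needs when deciding whether the problem is the idmap for Domain Admins (owner only) or a genuinely wrong DACL.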
Andrew, is this related to https://bugzilla.samba.org/show_bug.cgi?id=9340 and already fixed?
Andrew, any updates?
Closing this 10-year-old bug now. It also works fine for me. My advice is actually not to use rfc2307 idmappings on AD DCs generally. rfc2307 helps you shoot yourself in the knee here and can lead to problems like this.
*** Bug 13288 has been marked as a duplicate of this bug. ***