On 09/10/2013 16:41, Alex Matthews wrote:
Hi all,

I'm afraid I'm back to my old issue of GPO permissions.

I have two AD DCs providing an AD Domain (internal.stmaryscollege.co.uk (short-name 'SMC')). Servers are called 'ad-01' and 'tainan'. ad-01 is 'Version 4.0.10' and tainan is 'Version 4.1.0rc4' (the latest version in the package repos of the respective OSs (Arch and Gentoo)). I have set up a script that synchronises the two sysvol shares (using rsync), which I run manually when I make a change to a GPO. However, I have found that even after running `samba-tool ntacl sysvolreset` I still get 'Access Denied' or the more long-winded: 'Configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied.' when accessing some 'gpt.ini' files.

For reference here is the getfacl output for the GPT.INI file in question from the two servers:

getfacl GPT.INI
# file: GPT.INI
# owner: SMC\134administrator
# group: SMC\134Domain\040Admins

getfacl GPT.INI
# file: GPT.INI
# owner: SMC\134administrator
# group: SMC\134Domain\040Admins

I would assume the inconsistency is due to idmap being different, but I'm not sure.

The output of `samba-tool ntacl sysvolcheck` from the two servers is as follows:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
    domainsid, direct_db_access)
File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1593, in check_dir_acl raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /srv/samba/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1685, in checksysvolacl
File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1636, in check_gpos_acl
    domainsid, direct_db_access)
File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1586, in check_dir_acl raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Would it also be possible, as an update to sysvolcheck, to not throw an uncaught exception but more gracefully give the errors and continue after the first one?
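The sysvolcheck error above is easier to read once the two SDDL strings are pulled apart: the filesystem descriptor starts with `O:LA` (owner is the well-known alias LA, the built-in Administrator account, which matches the `owner: SMC\administrator` in the getfacl output, where `\134` and `\040` are getfacl's octal escapes for backslash and space), while the descriptor stored on the GPO object in the directory starts with `O:DA` (owner Domain Admins). The DACLs themselves are identical. The following is an added example, not Samba's code, that extracts both descriptors from a sysvolcheck error line, parses the owner, group, DACL flags and ACEs, and reports exactly which parts differ. The constant `SYSVOLCHECK_LINE` is the message text from this thread; the alias and access-mask tables are the standard SDDL meanings of the values that appear in it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not Samba's code: pull the two SDDL strings out of a
# `samba-tool ntacl sysvolcheck` error line and report which parts differ.

# Well-known SDDL SID aliases that occur in the thread's output (a subset of the table).
ALIASES = {
    "LA": "Local Administrator (built-in Administrator account, RID 500)",
    "DA": "Domain Admins (RID 512)",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# Access masks that occur in the thread's output, decoded to their file-rights meaning.
MASKS = {
    0x001F01FF: "FILE_ALL_ACCESS (full control)",
    0x001200A9: "FILE_GENERIC_READ | FILE_GENERIC_EXECUTE (read & execute)",
}

# The sysvolcheck message quoted in the thread (traceback part dropped).
SYSVOLCHECK_LINE = (
    "ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - "
    "ProvisioningError: DB ACL on GPO directory /vol/samba/shares/sysvol/"
    "internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} "
    "O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) "
    "does not match expected value "
    "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) "
    "from GPO object"
)


@dataclass(frozen=True)
class Ace:
    ace_type: str  # A = access allowed, D = access denied, ...
    flags: str     # inheritance flags such as OI, CI, IO
    mask: str      # hex access mask or rights alias, as written in the SDDL
    trustee: str   # SID alias (DA, SY, ...) or literal S-1-... SID


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str
    aces: List[Ace]


# Owner, group, DACL control flags, ACE list, optional SACL. Non-greedy owner/group
# matching is needed because an alias such as "DA" itself starts with "D".
_SD_RE = re.compile(
    r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)(?:S:.*)?$"
)
# (type;flags;rights;object_guid;inherit_object_guid;trustee)
_ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
_ERR_RE = re.compile(
    r"ACL on GPO directory (?P<path>\S+) (?P<actual>O:\S+) "
    r"does not match expected value (?P<expected>O:\S+) from GPO object"
)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Split an SDDL string into owner, group, DACL flags and ACEs."""
    m = _SD_RE.match(sddl)
    if not m:
        raise ValueError(f"not an SDDL descriptor with owner/group/DACL: {sddl!r}")
    aces = [Ace(t, f, mask, sid) for t, f, mask, _obj, _inh, sid in _ACE_RE.findall(m.group("aces"))]
    return SecurityDescriptor(m.group("owner"), m.group("group"), m.group("flags"), aces)


def describe_trustee(sid: str) -> str:
    return ALIASES.get(sid, sid)


def describe_mask(mask: str) -> str:
    try:
        return MASKS.get(int(mask, 16), mask)
    except ValueError:
        return mask  # rights alias such as FA or FR; left as written


def format_ace(ace: Ace) -> str:
    return f"{ace.ace_type};{ace.flags};{describe_mask(ace.mask)};{describe_trustee(ace.trustee)}"


def parse_sysvolcheck_error(line: str) -> Tuple[str, str, str]:
    """Return (gpo_path, filesystem_sddl, directory_sddl) from a sysvolcheck mismatch line."""
    m = _ERR_RE.search(line)
    if not m:
        raise ValueError("no sysvolcheck ACL mismatch found in line")
    return m.group("path"), m.group("actual"), m.group("expected")


def diff_descriptors(actual: str, expected: str) -> List[Tuple[str, str, str]]:
    """List (field, actual, expected) for every component that differs.

    ACEs are compared as multisets (the thread's DACLs repeat the DA ACE);
    ACE order is not compared.
    """
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs: List[Tuple[str, str, str]] = []
    for field in ("owner", "group", "dacl_flags"):
        av, ev = getattr(a, field), getattr(e, field)
        if av != ev:
            diffs.append((field, av, ev))
    ca, ce = Counter(a.aces), Counter(e.aces)
    for ace in (ca - ce).elements():
        diffs.append(("ace_only_on_filesystem", format_ace(ace), ""))
    for ace in (ce - ca).elements():
        diffs.append(("ace_only_on_gpo_object", "", format_ace(ace)))
    return diffs


if __name__ == "__main__":
    path, fs_sddl, db_sddl = parse_sysvolcheck_error(SYSVOLCHECK_LINE)
    print(f"GPO directory: {path}")
    for field, fs_val, db_val in diff_descriptors(fs_sddl, db_sddl):
        print(f"  {field}: filesystem={describe_trustee(fs_val)!r} gpo_object={describe_trustee(db_val)!r}")
```

Run against the thread's message it reports a single difference, the owner (`LA` on disk versus `DA` on the GPO object), which is the same fact the getfacl output shows from the POSIX side; a DACL or flag difference would be listed ACE by ACE, which is what you would want to see before deciding whether `sysvolreset` or an idmap fix is the right remedy.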



Hi all,

Just a quick follow up.
I found a GPO entitled 'sysvol share compatibility' which has the following blurb:

This setting controls whether or not the Sysvol share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the Sysvol share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. When this setting is disabled or not configured, the Sysvol share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default, the Sysvol share will grant shared read access to files on the share when exclusive access is requested. Note: The Sysvol share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the Sysvol share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Sysvol share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Sysvol share on the domain will be decreased.

The last part is the most interesting (after 'Note:'). Is this how samba works too when it comes to providing the sysvol share?

