Re: [Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN.

2013-01-10 Thread Hleb Valoshka 
On 1/10/13, Alex Matthews  wrote:
> Comparing the two ACLs
>
> O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> The only difference I can see is the 'DAG' vs 'LAG' at the beginning
> (Directory ACL vs File ACL?)

Take a look here: https://bugzilla.samba.org/show_bug.cgi?id=9483
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN.

2013-01-10 Thread Alex Matthews 

Hi all,

Some (then all) of our workstations were complaining about incorrect 
ACLs on GPOs and were unable to read the gpt.ini to apply the GPOs.
So I did a sysvolcheck and sure enough I'd lost the ACLs when I moved 
our sysvol share to a new location on the server (whoops, mea culpa).


I ran a sysvolreset which took a long time to return (some 5 minutes, 
please see my post on slow winbind lookups).


Just to make sure everything went as planned I re-ran the sysvolcheck 
and I get the following error:


ERROR(): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run

return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 
245, in run

lp)
  File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1599, in checksysvolacl

direct_db_access)
  File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1550, in check_gpos_acl

domainsid, direct_db_access)
  File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1500, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
path, fsacl_sddl, acl))


Comparing the two ACLs

O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 



The only difference I can see is the 'DAG' vs 'LAG' at the beginning 
(Directory ACL vs File ACL?)


Thanks,

Alex

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba