Author Topic: GPO permission problems following upgrade from 3.3 to 3.4

pico

GPO permission problems following upgrade from 3.3 to 3.4
« on: April 17, 2014, 02:54:14 am »
Hi all,

I'm managing a client site who have a SBS 2003 DC running as a KVM virtual machine on an Ubuntu host.  They would like to retire that server and we have been trying Zentyal (also running as a virtual machine on the same host).

We installed version 3.3 and configured it to run as a secondary DC to the SBS machine.  That was working perfectly until we upgraded the system to 3.4 using the web GUI.  Since then Group Policy has been failing on the SBS machine.  The SBS event logs are full of messages like:

Quote
Windows cannot access the file gpt.ini for GPO cn={GUID},cn=policies,cn=system,DC=Site,DC=local. The file must be present at the location <\\Site.local\SysVol\Site.local\Policies\{GUID}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

I think the problem may lie in Samba as I get a number of errors in running the following commands:

Quote
sudo samba-tool dbcheck
Checking 404 objects
Not fixing nTSecurityDescriptor on DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=1M,DC=local

...

Please use --fix to fix these errors
Checked 404 objects (231 errors)

(not sure what I may break if I run the --fix command since I can't find much doco).

Quote
sudo samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[s_drive]"
Processing section "[print$]"
Processing section "[printers]"
Processing section "[FakePrinter]"
Processing section "[HL2250DN]"
Processing section "[HL4040CN]"
Processing section "[iR6000]"
Processing section "[iRC3380_BW]"
Processing section "[iRC3380_Colour]"
Processing section "[KyoceraA3]"
Processing section "[KyoceraA4]"
Processing section "[Plotter]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /var/lib/samba/sysvol/1m.local O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)(A;ID;0x001f01ff;;;BA)(A;OICIIOID;0x001f01ff;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;CO) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1691, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))

Quote
sudo samba-tool gpo aclcheck
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]

If there is an easy way of reconnecting the DC to the domain or resetting the Samba configuration without affecting the SBS server that would be great.  The fallback option is to install a fresh copy of 3.4 however I would like to avoid that if possible.
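The two SDDL strings in that sysvolcheck error can be compared mechanically rather than by eye. The Python script below is an added example, not part of the original post and not Samba's own code: it parses the actual and expected descriptors quoted above and reports where they differ (owner, group, the missing P "protected DACL" flag, ACEs marked ID as inherited, and any grant that is not in the provisioned ACL). The parser handles only the subset of SDDL that occurs in these strings (no object or conditional ACEs), and the trustee and rights names are the standard SDDL abbreviations.

```python
import re
from dataclasses import dataclass

# SDDL strings copied verbatim from the samba-tool ntacl sysvolcheck error above.
ACTUAL_SDDL = ("O:BAG:SYD:(A;ID;0x001200a9;;;AU)(A;OICIIOID;0x001200a9;;;AU)"
               "(A;ID;0x001200a9;;;SO)(A;OICIIOID;0x001200a9;;;SO)"
               "(A;ID;0x001f01ff;;;BA)(A;OICIIOID;0x001f01ff;;;BA)"
               "(A;ID;0x001f01ff;;;SY)(A;OICIIOID;0x001f01ff;;;SY)"
               "(A;OICIIOID;0x001f01ff;;;CO)")
EXPECTED_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

# Well-known SDDL abbreviations that appear in those strings.
TRUSTEES = {"BA": "BUILTIN\\Administrators", "LA": "Domain Administrator account",
            "SY": "NT AUTHORITY\\SYSTEM", "SO": "BUILTIN\\Server Operators",
            "AU": "Authenticated Users", "CO": "CREATOR OWNER"}
RIGHTS = {0x001f01ff: "Full Control", 0x001200a9: "Read & Execute"}

# O:<owner>G:<group>D:<dacl flags>(ace)(ace)...   (the only layout handled here)
_SD_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<flags>[A-Z]*)"
                    r"(?P<aces>(?:\([^)]*\))*)$")
_ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = access allowed, D = access denied
    flags: frozenset   # two-letter flags: OI, CI, IO, ID, ...
    rights: int
    trustee: str


def _pairs(s):
    """Split a run of two-letter SDDL flags such as 'OICIIOID' into a set."""
    return frozenset(s[i:i + 2] for i in range(0, len(s), 2))


def parse_sddl(sddl):
    m = _SD_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    aces = []
    for body in _ACE_RE.findall(m.group("aces")):
        parts = body.split(";")           # type;flags;rights;object;inherit_object;trustee
        if len(parts) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = parts
        aces.append(Ace(ace_type, _pairs(flags), int(rights, 16), trustee))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": frozenset(re.findall(r"AI|AR|P", m.group("flags"))),
            "aces": tuple(aces)}


def _name(trustee):
    return TRUSTEES.get(trustee, trustee)


def _right(mask):
    return RIGHTS.get(mask, hex(mask))


def diff_sddl(actual_sddl, expected_sddl):
    """Return (code, message) findings describing how actual departs from expected."""
    a, e = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    findings = []
    if a["owner"] != e["owner"]:
        findings.append(("owner", "owner is %s, expected %s" % (_name(a["owner"]), _name(e["owner"]))))
    if a["group"] != e["group"]:
        findings.append(("group", "group is %s, expected %s" % (_name(a["group"]), _name(e["group"]))))
    if "P" in e["dacl_flags"] and "P" not in a["dacl_flags"]:
        findings.append(("unprotected", "DACL is not protected (P flag missing), so entries "
                                        "inherited from the parent directory apply"))
    inherited = sum(1 for ace in a["aces"] if "ID" in ace.flags)
    if inherited:
        findings.append(("inherited", "%d of %d ACEs are marked ID (inherited) rather than set "
                                      "explicitly" % (inherited, len(a["aces"]))))
    # Compare effective grants, ignoring the inheritance bookkeeping flags.
    def grant(ace):
        return (ace.ace_type, ace.rights, ace.trustee)
    a_grants = {grant(x) for x in a["aces"]}
    e_grants = {grant(x) for x in e["aces"]}
    for _t, mask, who in sorted(e_grants - a_grants):
        findings.append(("missing_grant", "%s for %s is missing" % (_right(mask), _name(who))))
    for _t, mask, who in sorted(a_grants - e_grants):
        findings.append(("extra_grant", "%s for %s is not in the provisioned ACL"
                         % (_right(mask), _name(who))))
    return findings


if __name__ == "__main__":
    for code, msg in diff_sddl(ACTUAL_SDDL, EXPECTED_SDDL):
        print("%-14s %s" % (code, msg))
```

Run against the strings from the post, every ACE on the live sysvol directory carries the ID flag and the P flag is gone, i.e. the directory's DACL was rebuilt from the parent's inheritable entries instead of the protected ACL Samba writes at provision time, which also explains the extra CREATOR OWNER full-control entry; the grants the provision expects for Administrators, Server Operators, SYSTEM and Authenticated Users are all still present.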

ScottDC

Re: GPO permission problems following upgrade from 3.3 to 3.4
« Reply #1 on: April 25, 2014, 12:26:17 pm »
I've got a similar issue after upgrading.
The Win7 GPO Log shows:
Quote
Found file system path of:  <\\llama.lan\sysvol\llama.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}>
NetDfsGetClientInfo() failed with error=0xa66 for GPT Path=\\llama.lan\sysvol\llama.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
Couldn't find the group policy template file <\\llama.lan\sysvol\llama.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>, error = 0x2. DC: <null>
No errors are listed with samba-tool dbcheck, but I do get the same samba.provision.ProvisioningError with samba-tool ntacl sysvolcheck.

The sysvol share is listed when accessed via explorer: \\llama.lan  - but the share is not accessible.

It can be accessed by using the name of the domain controller/Zentyal server 'dc01':
 \\dc01.llama.lan\sysvol works
 So does \\dc01\sysvol

This may be what's causing slow logins on my Windows 7 machine (2-5 minutes) while waiting for the Machine policies to be applied.
If I reboot the windows machine and leave it for 10 minutes then login only takes a couple of seconds.
I've tried all the suggested solutions for this issue - but it looks like it might be a permission/configuration problem.

jbahillo (Zentyal Staff)

Re: GPO permission problems following upgrade from 3.3 to 3.4
« Reply #2 on: April 25, 2014, 01:26:32 pm »
What about running samba-tool ntacl sysvolreset?

jfeyen

Re: GPO permission problems following upgrade from 3.3 to 3.4
« Reply #3 on: June 05, 2014, 04:36:02 pm »
I have the same issue with a clean install of version 3.4.3.

It was not working on my two servers.
The PDC had all the scripts; the BDC had no GPOs / scripts.

Step 1:
The reset needs to be done on both servers.
sudo samba-tool ntacl sysvolreset
Step 2:
Do a manual sync on the empty server.
sudo net rpc share migrate files sysvol -k --destination=zyal01.ICT.LAN -S zyal03.ICT.LAN --acls -U "ICT.LAN\\dcadmin"

It is a good workaround but not a solution... Is there a solution? I have opened a bug request but no answer...
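The manual sync in step 2 only helps if you can see what the empty DC is missing and confirm afterwards that both trees agree. The Python below is an added example, not part of the post and not Zentyal or Samba code: it compares two sysvol trees by relative path and SHA-256 digest and rolls the differences up to the GPO GUIDs they belong to. The sample trees are constructed in a temporary directory; the domain name ict.lan is taken from the commands in the post, the first GUID is the default domain policy GUID quoted earlier in the thread, and the second GUID is a constructed placeholder. On real servers you would run the digest step against /var/lib/samba/sysvol on each DC and compare the two results.

```python
import hashlib
import os
import tempfile

DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # GUID quoted earlier in the thread
CONSTRUCTED_GPO = "{00000000-0000-0000-0000-000000000001}"        # placeholder GUID, constructed


def _file_digests(root):
    """Map every file below root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_sysvol(source_root, dest_root):
    """Compare two sysvol trees the way a replication check would: by path and by content."""
    src, dst = _file_digests(source_root), _file_digests(dest_root)
    return {
        "missing_on_dest": sorted(set(src) - set(dst)),
        "extra_on_dest": sorted(set(dst) - set(src)),
        "different": sorted(p for p in set(src) & set(dst) if src[p] != dst[p]),
    }


def affected_gpos(report):
    """GUIDs of GPOs whose files are missing or stale on the destination."""
    guids = set()
    for rel in report["missing_on_dest"] + report["different"]:
        parts = rel.split("/")            # <domain>/Policies/{GUID}/...
        if len(parts) >= 3 and parts[1].lower() == "policies":
            guids.add(parts[2])
    return sorted(guids)


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def build_sample(base):
    """Constructed trees: a complete PDC sysvol and a BDC holding only a stale default policy."""
    pdc = os.path.join(base, "pdc_sysvol")
    bdc = os.path.join(base, "bdc_sysvol")
    _write(pdc, "ict.lan/Policies/%s/gpt.ini" % DEFAULT_DOMAIN_POLICY, "[General]\nVersion=3\n")
    _write(pdc, "ict.lan/Policies/%s/gpt.ini" % CONSTRUCTED_GPO, "[General]\nVersion=1\n")
    _write(pdc, "ict.lan/Policies/%s/Machine/Scripts/Startup/startup.bat" % CONSTRUCTED_GPO,
           "@echo off\n")
    _write(pdc, "ict.lan/scripts/logon.bat", "@echo off\n")
    # The BDC has the default policy only, and an older version of its gpt.ini.
    _write(bdc, "ict.lan/Policies/%s/gpt.ini" % DEFAULT_DOMAIN_POLICY, "[General]\nVersion=1\n")
    return pdc, bdc


def demo_report():
    """Build the sample trees, compare them and return (report, affected GPO GUIDs)."""
    with tempfile.TemporaryDirectory() as base:
        pdc, bdc = build_sample(base)
        report = compare_sysvol(pdc, bdc)
    return report, affected_gpos(report)


if __name__ == "__main__":
    report, guids = demo_report()
    for key in ("missing_on_dest", "different", "extra_on_dest"):
        for rel in report[key]:
            print("%-16s %s" % (key, rel))
    print("GPOs to resync:", ", ".join(guids))
```

Content is hashed rather than just listed because a gpt.ini that exists on both DCs but differs in Version is the case that produces a silently stale policy; note that this check covers the files only, and the ACLs restored by sysvolreset still have to be verified separately with sysvolcheck.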