Topic: GPUpdate not working / Policies do not match expected value

JSpeer

« on: March 24, 2017, 11:59:58 pm »
Hey!
I'm unable to apply GPUpdates to PCs on my new DC. When I do try, I get the following errors in Event Viewer:
  • 1001: Security policy cannot be propagated. Cannot access the template. Error code = 3.
  • 1096: The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

The server is a freshly installed Zentyal 5.0 with the latest packages. It has no secondary controllers, it has no GPO except for the built-in ones, and I got the same error before reinstalling. If I run samba-tool netacl sysvolcheck on it, I get:
Code:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

If I manually set them all, "samba-tool netacl sysvolreset" brings them back to their incorrect state. I made a script (https://github.com/SpeerJ/zentyal_force_acl/blob/master/force_correct_acl.rb) to manually set the values based on the expected ones. After running it, it works, but I don't know enough about Samba to say if this is secure or a good idea. Is there any real fix available, or is this a new bug? Should I use my temporary fix for now?