Problem: samba-tool ntacl sysvolcheck shows

Problem:

samba-tool ntacl sysvolcheck --mask-msad-differences shows

root@ucs:~# ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/schein.ig/Policies/{E0A39005-71A6-4705-9C8E-2206777C89A4}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DUD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/schein.ig/Policies/{E0A39005-71A6-4705-9C8E-2206777C89A4}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DUD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)

Investigation:

FSACL and DSACL look almost the same.
The only difference is

FSACL: O:DAG:DU
DSACL: O:DAG:DA

This reads as

FSACL: (O)wner: (D)omain (A)dmins, (G)roup: (D)omain (U)sers
DSACL: (O)wner: (D)omain (A)dmins, (G)roup: (D)omain (A)dmins

In SDDL, O: is the owner SID and G: is the primary group SID; DA and DU are the well-known aliases for Domain Admins and Domain Users. So the file on disk is group-owned by Domain Users, while the GPO object in the directory (nTSecurityDescriptor) expects Domain Admins.
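To make this comparison mechanical instead of reading SDDL by eye, here is an added example (not part of the original note and not Samba's own code) that parses the FSACL/DSACL lines printed by sysvolcheck and reports exactly which components differ. The sample output embedded below is a constructed fixture copied from the error above; the SID alias table covers only the well-known SDDL aliases that appear in it.

```python
"""Added example: diff the FSACL (filesystem NTACL) and DSACL (directory
nTSecurityDescriptor) SDDL strings from 'samba-tool ntacl sysvolcheck' output."""
import re
from dataclasses import dataclass

# Well-known SDDL SID aliases that appear in sysvolcheck output.
SID_ALIASES = {
    "DA": "Domain Admins",
    "DU": "Domain Users",
    "EA": "Enterprise Admins",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# Constructed fixture: the sysvolcheck output quoted in the note above.
SYSVOLCHECK_OUTPUT = """\
ProvisioningError: DB NTACL of GPO file .../GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DUD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
"""

# SDDL layout: O:<owner>G:<group>D:<dacl-flags>(ace)(ace)...
SDDL_RE = re.compile(r"O:(\S+?)G:(\S+?)D:([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Descriptor:
    owner: str
    group: str
    dacl_flags: str
    aces: list  # (ace_type, ace_flags, rights, trustee_sid) tuples


def parse_sddl(sddl: str) -> Descriptor:
    """Parse an SDDL string with owner, group and DACL into a Descriptor."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if not m:
        raise ValueError(f"unrecognised SDDL: {sddl!r}")
    owner, group, flags, ace_str = m.groups()
    aces = []
    for ace in ACE_RE.findall(ace_str):
        fields = ace.split(";")
        if len(fields) != 6:  # type;flags;rights;object_guid;inherit_guid;sid
            raise ValueError(f"malformed ACE: {ace!r}")
        ace_type, ace_flags, rights, _obj, _inh, sid = fields
        aces.append((ace_type, ace_flags, rights, sid))
    return Descriptor(owner, group, flags, aces)


def describe(sid: str) -> str:
    """Expand a well-known alias to its group name; leave other SIDs as-is."""
    return SID_ALIASES.get(sid, sid)


def diff_descriptors(fs: Descriptor, ds: Descriptor) -> list:
    """Return human-readable differences; an empty list means FS and DS match."""
    diffs = []
    if fs.owner != ds.owner:
        diffs.append(f"owner: FS={describe(fs.owner)} DS={describe(ds.owner)}")
    if fs.group != ds.group:
        diffs.append(f"group: FS={describe(fs.group)} DS={describe(ds.group)}")
    if fs.dacl_flags != ds.dacl_flags:
        diffs.append(f"DACL flags: FS={fs.dacl_flags} DS={ds.dacl_flags}")
    fs_aces, ds_aces = set(fs.aces), set(ds.aces)
    for ace in sorted(fs_aces - ds_aces):
        diffs.append(f"ACE only on filesystem: {ace[2]} for {describe(ace[3])}")
    for ace in sorted(ds_aces - fs_aces):
        diffs.append(f"ACE only in directory: {ace[2]} for {describe(ace[3])}")
    return diffs


def check_output(text: str) -> list:
    """Find each FSACL/DSACL pair in sysvolcheck output and diff it."""
    results = []
    fs = None
    for line in text.splitlines():
        if line.startswith("FSACL:"):
            fs = parse_sddl(line.split(":", 1)[1])
        elif line.startswith("DSACL:") and fs is not None:
            results.append(diff_descriptors(fs, parse_sddl(line.split(":", 1)[1])))
            fs = None
    return results


if __name__ == "__main__":
    for n, diffs in enumerate(check_output(SYSVOLCHECK_OUTPUT), 1):
        print(f"pair {n}:", "; ".join(diffs) or "no difference")
```

Run against the fixture it reports only "group: FS=Domain Users DS=Domain Admins", which is the whole story behind the long error message: owner and every ACE agree, only the group SID differs. Feeding it the real output of sysvolcheck (for example via stdin) makes the same distinction for every GPO it complains about.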

Looking further with ls -lah:

root@ucs:~# ls -lah /var/lib/samba/sysvol/schein.ig/Policies/\{E0A39005-71A6-4705-9C8E-2206777C89A4\}/
insgesamt 84K
drwxrwx---+   4 root          Domain Admins  4,0K Nov 11 11:11 .
drwxrwx---+ 652 Administrator Administrators  44K Nov 11 11:13 ..
-rwxrwx---+   1 Administrator Domain Users     66 Nov 11 11:11 GPT.INI
drwxrwx---+   2 Administrator Domain Users   4,0K Nov 11 11:11 Machine
drwxrwx---+   2 Administrator Domain Users   4,0K Nov 11 11:11 User

The user who created the GPO has Domain Users as primary group, so the files were written with that group, but this is not expected for GPOs. So the user's primary group must be Domain Admins.

Solution:

samba-tool ntacl sysvolreset can fix the symptom.
It rewrites the FSACL/NTACLs on the sysvol files so that they match the DSACL/nTSecurityDescriptor of the GPO objects.

But the more sustainable fix is to set the user's primary group to Domain Admins, otherwise the next GPO the user creates will show the same mismatch.
