[Samba] Samba4: Folder Redirection GPO not working with Windows 7 [SOLVED]

steve steve at steve-ss.com
Wed Oct 10 01:53:37 MDT 2012


On 09/10/12 21:18, Ludek Finstrle wrote:
> Hello steve,
>
> Tue, Oct 09, 2012 at 05:54:48PM +0200, steve wrote:
>> On 09/10/12 17:36, steve wrote:
>>> On 08/10/12 18:23, steve wrote:
>>>> On 08/10/12 17:40, mat at matws.net wrote:
>>
>>> samba-tool ntacl sysvolreset --use-s3fs
>>>
>>> Now no user can enter sysvol:
>>> getfacl sysvol/
>>> # file: sysvol/
>>> # owner: root
>>> # group: wheel
>>> # flags: s--
>>> user::rwx
>>> user:root:rwx
>>> group::r--
>>> group:wheel:r--
>>> group:3000000:r--
>>> group:3000001:r--
>>> group:3000002:r--
>>> mask::rwx
>>> other::---
>>>
>>
>> Using wbinfo:
>> 3000000 BUILTIN\Server Operators 4
>> 3000001 NT AUTHORITY\SYSTEM 5
>> 3000002 NT AUTHORITY\Authenticated Users 5
>>
>> but Authenticated Users do not get read access. . .
>
>    Maybe I'm wrong, but in the Unix world you need the x bit to be able to go into the directory.
>
> Luf
>

Hi Luf, hi everyone,
OK, this was the clue I needed.
I set the ACEs to r-x:

setfacl  -Rm g:3000000:rx sysvol/
setfacl  -Rm g:3000001:rx sysvol/
setfacl  -Rm g:3000002:rx sysvol/
setfacl  -Rm g::rx sysvol/
setfacl  -Rm g:wheel:rx sysvol/
and the same for the default ACEs:
setfacl  -d -Rm g:3000000:rx sysvol/
  (...)

The ACEs now look like this:
getfacl sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:r-x
group::r-x
group:wheel:r-x
group:3000000:r-x
group:3000001:r-x
group:3000002:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:3000001:r-x
default:group:3000002:r-x
default:mask::r-x
default:other::---

Conclusion: The sysvol ACLs are not set correctly after running:
samba-tool ntacl sysvolreset
because, e.g., authenticated users cannot get into the share to read the GPOs.

Maybe this is just with my distro, openSUSE, as others have not reported
any problems.

Could a dev have a look at it? I'm sure I've not set the sysvol ACLs
correctly, but at least now folder redirection works.
Cheers,
Steve
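
The check behind this fix, as an added example that is not part of the original message or of Samba: a shell function that reads `getfacl` output and lists the entries that can read a directory but lack the effective x (traverse) bit, with the mask applied. The function name is an assumption; the two sample listings are the access entries posted in this thread.

```shell
# Added example: list ACL entries that can read a directory but cannot enter it.
# Reads getfacl text on stdin; prints one "tag:qualifier" line per affected entry.
acl_no_traverse() {
    awk -F: '
        BEGIN { n = 0; mask = "" }
        /^#/ || /^default:/ || NF < 3 { next }      # comments, default ACEs, noise
        {
            perm = substr($3, 1, 3)                 # ignore any "#effective:" tail
            if ($1 == "mask") { mask = perm; next }
            tag[n] = $1; who[n] = $2; perms[n] = perm; n++
        }
        END {
            for (i = 0; i < n; i++) {
                r = (substr(perms[i], 1, 1) == "r")
                x = (substr(perms[i], 3, 1) == "x")
                # The mask caps named users, the owning group and named groups.
                capped = (tag[i] == "group") || (tag[i] == "user" && who[i] != "")
                if (capped && mask != "") {
                    r = r && (substr(mask, 1, 1) == "r")
                    x = x && (substr(mask, 3, 1) == "x")
                }
                if (r && !x) print tag[i] ":" who[i]
            }
        }'
}

# Access entries from the thread: after sysvolreset, then after the setfacl fix.
ACL_BEFORE='# file: sysvol/
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:3000000:r--
group:3000001:r--
group:3000002:r--
mask::rwx
other::---'
ACL_AFTER='user::rwx
user:root:r-x
group::r-x
group:wheel:r-x
group:3000000:r-x
group:3000001:r-x
group:3000002:r-x
mask::r-x
other::r-x'

printf '%s\n' "$ACL_BEFORE" | acl_no_traverse   # five group entries are listed
```

When the fix is applied recursively, `setfacl -Rm g:3000002:rX sysvol/` (capital `X`) adds execute only to directories and to files that already have an execute bit, so the GPO files themselves are not made executable.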
