[Samba] SYSVOL ACLs and GPOs

Alex Matthews qoole.samba at lillimoth.com
Thu Oct 25 03:01:49 MDT 2012


On 25/10/2012 02:31, Andrew Bartlett wrote:
> On Wed, 2012-10-24 at 18:36 +0100, Alex Matthews wrote:
>> On 24/10/2012 17:25, Alex Matthews wrote:
>>> On 24/10/2012 12:09, Andrew Bartlett wrote:
>>>> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
>>>>> Hi,
>>>>>
>>>>> I have installed a virtual testing network consisting of one samba4 PDC
>>>>> (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
>>>>>
>>>>> I have successfully provisioned an AD Domain and joined the XP machine
>>>>> to it.
>>>>> When I run the gpmc on the XP Pro machine and select:
>>>>> Forest: <domain name> -> Domains -> <domain name> -> Group Policy
>>>>> Objects -> Default Domain [Controller | Policy]
>>>>> I get the following error:
>>>>>
>>>>> "The permissions for this GPO in the SYSVOL folder are inconsistent with
>>>>> those in Active Directory.
>>>>> It is recommended that these permissions be consistent.
>>>>> To change the SYSVOL permissions to those in Active Directory, click OK."
>>>>>
>>>>> Hitting OK I get no error, but as soon as I reselect THE SAME entry I get
>>>>> the same error; it doesn't seem to be able to fix the ACL.
>>>>>
>>>>> I have found one post about this on the list
>>>>> (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was
>>>>> "fixed" a long time ago.
>>>>> Seeing as I'm using the latest version I would assume this is a
>>>>> different issue.
>>>>>
>>>>> If I try to change any of the ACLs on either of the folders in
>>>>> \\<pdc>\sysvol\<domain name>\Policies\ by hand, I get no errors; however,
>>>>> the change doesn't stick.
>>>>>
>>>>>
>>>>> Looking at the samba log files:
>>>>>
>>>>> I get this when I start gpmc and click ok:
>>>>> http://pastebin.com/7rBKyU1B
>>>>>
>>>>> I get this when I start gpmc and don't click ok:
>>>>> http://pastebin.com/B3DMSE1T
>>>>>
>>>>> I get this when I alter the ACLs manually (after line 479 is when I
>>>>> actually alter the ACLs):
>>>>> http://pastebin.com/2mEvWX6K
>>>>>
>>>>> My smb.conf is stock. No alterations.
>>>>> The server OS is Ubuntu 12.04.
>>>>> The filesystem is ext4 mounted with the following options:
>>>>> "errors=remount-ro,acl,user_xattr,barrier=1".
>>>>> I have all acl packages installed that I have seen referenced by samba
>>>>> or in posts of a similar nature.
>>>> If you are in the mood for some testing, can you try my acl-fixes2 branch?
>>>>
>>>> git remote add abartlet git://git.samba.org/abartlet/samba.git
>>>> git fetch abartlet
>>>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>>>>
>>>> I'm trying to get these changes into master, but I'm not quite finished.
>>>> You should only put these on a test server, as I may change data formats
>>>> etc.
>>>>
>>>> I would be very curious to know if this fixes the issue.
>>>>
>>>> Otherwise, or in addition, if you can show me the contents of your
>>>> idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as to what is
>>>> going wrong here, and fix it.
>>>>
>>>> Thanks,
>>>>
>>>> Andrew Bartlett
>>>>
>>> I assume
>>>
>>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>>>
>>> should be:
>>>
>>> git checkout abartlet/fix-acls2 -b abartlet-fix-acls2
>>>
>>> I'm rebuilding now, will keep you posted!
>>>
>>> Thanks,
>>>
>>> Alex
>>>
>> I have tried your branch. Rebuilt and the XP machine still throws the
>> same issue.
>>
>> Do I need to reprovision?
> You need to at least run 'samba-tool ntacl sysvolreset' to get the new
> ACLs on disk.
>
> Andrew Bartlett
>
Hiya,

No luck, I'm afraid; still the same issue!

Thanks,

Alex

