[Samba] SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Thu Oct 25 03:20:16 MDT 2012


On Thu, 2012-10-25 at 10:01 +0100, Alex Matthews wrote:
> On 25/10/2012 02:31, Andrew Bartlett wrote:
> > On Wed, 2012-10-24 at 18:36 +0100, Alex Matthews wrote:
> >> On 24/10/2012 17:25, Alex Matthews wrote:
> >>> On 24/10/2012 12:09, Andrew Bartlett wrote:
> >>>> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I have installed a virtual testing network consisting of one samba4 PDC
> >>>>> (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
> >>>>>
> >>>>> I have successfully provisioned an AD Domain and joined the XP machine
> >>>>> to it.
> >>>>> When I run the gpmc on the XP Pro machine and select:
> >>>>> Forest: <domain name> -> Domains -> <domain name> -> Group Policy
> >>>>> Objects -> Default Domain [Controller | Policy]
> >>>>> I get the following error:
> >>>>>
> >>>>> "The permissions for this GPO in the SYSVOL folder are inconsistent with
> >>>>> those in Active Directory.
> >>>>> It is recommended that these permissions be consistent.
> >>>>> To change the SYSVOL permissions to those in Active Directory, click OK."
> >>>>>
> >>>>> Hitting ok I get no error but as soon as I reselect THE SAME entry I get
> >>>>> the same error, it doesn't seem to be able to fix the ACL.
> >>>>>
> >>>>> I have found one post about this on the list
> >>>>> (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was
> >>>>> "fixed" a long time ago.
> >>>>> Seeing as I'm using the latest version I would assume this is a
> >>>>> different issue.
> >>>>>
> >>>>> If I try to change any of the ACLs on either of the folders in
> >>>>> \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however
> >>>>> the change doesn't stick.
> >>>>>
> >>>>>
> >>>>> Looking at the samba log files:
> >>>>>
> >>>>> I get this when I start gpmc and click ok:
> >>>>> http://pastebin.com/7rBKyU1B
> >>>>>
> >>>>> I get this when I start gpmc and don't click ok:
> >>>>> http://pastebin.com/B3DMSE1T
> >>>>>
> >>>>> I get this when I alter the ACLs manually (after line 479 is when I
> >>>>> actually alter the ACLs):
> >>>>> http://pastebin.com/2mEvWX6K
> >>>>>
> >>>>> My smb.conf is stock. No alterations.
> >>>>> The server OS is Ubuntu 12.04.
> >>>>> The filesystem is ext4 mounted with the following options:
> >>>>> "errors=remount-ro,acl,user_xattr,barrier=1".
> >>>>> I have all acl packages installed that I have seen referenced by samba
> >>>>> or in posts of a similar nature.
> >>>> If you are in the mood for some testing, can you try my acl-fixes2
> >>>> branch?
> >>>>
> >>>> git remote add abartlet git://git.samba.org/abartlet/samba.git
> >>>> git fetch abartlet
> >>>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
> >>>>
> >>>> I'm trying to get these changes into master, but I'm not quite finished.
> >>>> You should only put these on a test server, as I may change data formats
> >>>> etc.
> >>>>
> >>>> I would be very curious to know if this fixes the issue.
> >>>>
> >>>> Otherwise or in addition, if you can show me the contents of your
> >>>> idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as what is
> >>>> going wrong here, and fix it.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Andrew Bartlett
> >>>>
> >>> I assume
> >>>
> >>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
> >>>
> >>> should be:
> >>>
> >>> git checkout abartlet/fix-acls2 -b abartlet-fix-acls2
> >>>
> >>> I'm rebuilding now, will keep you posted!
> >>>
> >>> Thanks,
> >>>
> >>> Alex
> >>>
> >> I have tried your branch. Rebuilt and the XP machine still throws the
> >> same issue.
> >>
> >> Do I need to reprovision?
> > You need to at least run 'samba-tool ntacl sysvolreset' to get the new
> > ACLs on disk.
> >
> > Andrew Bartlett
> >
> Hiya,
> 
> No luck I'm afraid, still the same issue!

Drat.  OK, we will need to dig in further.  Can you show me your
idmap.ldb?

What does 'samba-tool ntacl sysvolcheck' show?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



