[Samba] samba4, GPO and SYSVOL permissions errors

Michael Wood esiotrot at gmail.com
Fri Jan 7 05:07:55 MST 2011


On 6 January 2011 04:38, Leo Lutz <skeemer at gmail.com> wrote:
> On Thu, Jan 6, 2011 at 04:10, Michael Wood <esiotrot at gmail.com> wrote:
>> On 5 January 2011 11:50, Leo Lutz <skeemer at gmail.com> wrote:
>>> I'm getting an interesting problem. I can create/rename/delete/edit policies,
>>> but I can't change the security filtering or delegation settings.
>>>
>>> When I first open any policy, I get the following:
>>>
>>> "The permissions for this GPO in the SYSVOL folder are inconsistent with those
>>> in Active Directory. It is recommended that these permissions be consistent.
>>> To change the SYSVOL permissions to those in Active Directory, click OK."
>>>
>>> So I click OK and I get "Access is denied."
>>>
>>> The error I get in samba.log follows:
>>>
>>> [Wed Jan  5 18:34:18 2011 PWT, 0
>>> ../ntvfs/posix/pvfs_acl.c:567:pvfs_access_check_unix()]
>>> ../ntvfs/posix/pvfs_acl.c:567 denied access to
>>> '/var/lib/samba/sysvol/pcd.example.com/Policies/
>>> {3D1F2B0A-B0F7-44C1-BA1A-2C5D03DFC0ED}' -
>>> wanted 0x00060000 but got 0xfef3ffff (missing 0x00040000)
>>>
>>> How do I fix this?
>>
>> What version of Samba 4 is that?
> 4.0.0alpha12-GIT-UNKNOWN

Did you use the "rsync" method mentioned in the Samba 4 HOWTO to get
the source code?  It seems you did not have git installed when you
compiled Samba 4, so there's no revision specified.

>> Have you tried increasing the debug level to see if it gives you more
>> information?
> Nope, this is all new to me. What's the default level and what should
> I up it too?

testparm will tell you what it's currently set to, but 0 is the default.

$ testparm --suppress-prompt -v | grep "log level"
	log level = 0

Perhaps try setting it to 10 while troubleshooting this issue.

>> What ACLs do you have on the Policies directory?

> Everyone and Administrators groups have read access. Administrator has
> full access, but even logged in as that account, I run into problems.
> The permissions of each policy's directory are a jumbled mess. I would
> have thought there would be some inheritance being used.

Well, I'm not using Samba 4 for file sharing, policies, etc. so I
can't really help you there.  Perhaps someone else can comment.

-- 
Michael Wood <esiotrot at gmail.com>


More information about the samba-technical mailing list