samba4 sysvol permissions?

Jeff Sadowski jeff.sadowski at gmail.com
Wed Oct 12 13:22:56 MDT 2011


On Thu, Sep 22, 2011 at 8:30 PM, Matthieu Patou <mat at samba.org> wrote:
> Hi Jeff,
>
> In Samba4 (and samba 3.x with the xattr_acl module) we store NT acls as
> extended attributes (security.ntacls). You can dump it with getfattr -d -m
> "" <myfile>.
> The best way to set ACLs for the moment is to do them in windows.
>
> Once you've defined the acls as you want you can use samba-tool to affect
> acls on other files, you just have to specify the sddl of your acls, for
> instance:
>
>
> ./bin/samba-tool ntacl set
> O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>  /tmp/p/sysvol/mydir
>
> Will set the NTACL for this folder to
> O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU).
>
> You can have more information about SDDL at
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa379567%28v=vs.85%29.aspx
>
>
> The best way to get a SDDL is to dump it on a folder/file where you know
> that you have set it the way you want.
> For instance:
> ./bin/samba-tool ntacl get --as-sddl /tmp/p/sysvol
>
> Will output
> O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> Trying without the --sddl will output something more user readable but it
> can't be reused.
>
> Hope it makes (more) sense.
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>
>

Ok I finally got around to playing with this and here are the results.
I logged into the Windows 2003 server that is my PDC and looked at the
permissions of the sysvol directory.
I copied all the permissions to my Linux sysvol directories,
then as you suggested I ran the following

 sbin/samba-tool ntacl get --as-sddl \
   /usr/local/samba/var/locks/sysvol/mvdexpress.mvdexpress.local

it output as follows

O:S-1-5-21-2291964932-2965212792-561696389-1843G:S-1-5-21-2291964932-2965212792-561696389-513D:(A;OICI;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;BU)

next I tried the set command (I first tried it without quotes but it
was complaining so I added them) to set the permissions of the base
directory the same.

sbin/samba-tool ntacl set \
  "O:S-1-5-21-2291964932-2965212792-561696389-1843G:S-1-5-21-2291964932-2965212792-561696389-513D:(A;OICI;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;BU)" \
  /usr/local/samba/var/locks/sysvol

now I get the error
Unknown parameter encountered: "secrets database"

Any clue as to how to fix this error?
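
Added example, not part of either message and not Samba code: a small Python parser for the two SDDL strings exchanged above, useful for reviewing a descriptor before passing it to `samba-tool ntacl set`. It splits out owner, group and each ACE, and lists any allow ACE that gives a broad trustee (AU, BU or WD) a modifying access bit; the function names and the choice of broad trustees and write bits are assumptions of this example.

```python
import re

# SDDL strings copied from the two messages above.
PATOU_SDDL = ("O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P"
              "(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
              "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
SADOWSKI_SDDL = ("O:S-1-5-21-2291964932-2965212792-561696389-1843"
                 "G:S-1-5-21-2291964932-2965212792-561696389-513D:"
                 "(A;OICI;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;BU)")
# Standard SDDL aliases for trustees covering most or all accounts.
BROAD = {"AU": "Authenticated Users", "BU": "BUILTIN\\Users", "WD": "Everyone"}
# File access bits that permit modification: write/append data, write EA,
# delete child, write attributes, DELETE, WRITE_DAC, WRITE_OWNER.
WRITE_BITS = 0x000D0156
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dflags>[A-Z]*)"
                     r"(?P<aces>(?:\([^()]*\))*)$")

def parse_sddl(sddl):
    """Split an O:/G:/D: descriptor into owner, group and DACL entries.
    Only hex access masks are handled, the form samba-tool printed above."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("expected O:<sid>G:<sid>D:<flags>(ace)...")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE must have 6 fields: " + body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append({"type": ace_type, "flags": re.findall("..", flags),
                     "mask": int(rights, 16), "trustee": trustee})
    return {"owner": m["owner"], "group": m["group"],
            "protected": "P" in m["dflags"], "aces": aces}

def broad_write_aces(sd):
    """Allow ACEs that give a broad trustee any modifying access bit."""
    return [a for a in sd["aces"] if a["type"] == "A"
            and a["trustee"] in BROAD and a["mask"] & WRITE_BITS]

if __name__ == "__main__":
    for name, sddl in (("Patou", PATOU_SDDL), ("Sadowski", SADOWSKI_SDDL)):
        sd = parse_sddl(sddl)
        print(name, "owner", sd["owner"], "protected", sd["protected"])
        for a in sd["aces"]:
            print("  %s %-8s 0x%08x %s" % (a["type"], "".join(a["flags"]),
                                             a["mask"], a["trustee"]))
        print("  broad write ACEs:", broad_write_aces(sd) or "none")
```

In both descriptors the broad trustees (AU, BU) hold only 0x001200a9, which is read and execute, so neither is flagged; the full-control mask 0x001f01ff is limited to BA, SY and CO.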

