[Samba] Issues with migrated SYSVOL GPOs

Tue Apr 24 02:05:47 MDT 2012

On 04/23/2012 12:40 AM, Andreas Oster wrote:
> Am 23.04.2012 06:35, schrieb Matthieu Patou:
>> Hello Andreas,
>>
>> On 03/22/2012 01:31 AM, Andreas Oster wrote:
>>> Hello all,
>>>
>>> some time ago I've posted on samba.internals but did get no answer to my
>>> question. I hope that someone on this list can give me some help.
>>>
>>> I have migrated a Win2k AD to samba4 and copied SYSVOL as decribed in
>>> this post:
>>>
>>> https://lists.samba.org/archive/samba-technical/2011-October/080026.html
>>>
>>> Now I have the problem that only the builtin Administrator can
>>> sucessfull modify/add GPOs. Users which are assigned to the
>>> "domain admin" group can open/view GPOs but when trying to change
>>> anything an error message pops up stating that the user is not allowed
>>> to do it. Unfortunately the GPO does not work anymore afterwards and
>>> needs to be rebuild by the administrator.
>> I'm pretty sure that the problem you have is the following, the default
>> group for the administrator user is 'administrators' and so on the *ix
>> side file are group owned by this group.
>> Members of the domain admin group get an access denied while trying to
>> store the file because they are not seen as member of the administrators
>> group (which is the case) and because other group membership that should
>> give them write access are not translated to posix acls.
>> The way to solve it to give the group membership to either "domain
>> admins" or "enterprise admins" and make sure that they can write.
>> In order to get the gid for this group you can use wbinfo
>> --group-info="domain admins".
>> The second problem you'll face is that you can create new policy by
>> default with just admin users. This is due to a limitation of the
>> posix/acl layer, the root of the problem is that when the group policy
>> console try to create the new policy it creates a folder and the ACLs
>> specified by windows set the group ownership to domain users and the
>> user ownership to "domain admins" as ACLs for domain users are limited
>> posix rights are translated to rx so when it tries to create a GPT.INI
>> file, Windows is denied to do so because at the end the user hasn't the
>> right to write in this newly created dir (directory_user != user&&
>> directory_group_right forbid write).
>>
>> The way to solve this problem is to force the directory mask to be 775,
>> it's not the most elegant situation but it works.
>>
>> Matthieu.
>>
> Hello Matthieu,
>
> thank you for your explanations, but I am a little unsure waht to do :-)
>
> 1) do I have to change the file group for all the files and directories
>     in the SYSVOL dir to "domain admins" ?
>
> 2) should the force directory mask be placed in the Sysvol section ?
>
>     [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
> 	force directory mode = 0775
>          read only = No

I think the answer is "both", for point 1) you need to get the gid of 
the "domain admins" group and basically do a chmod g+w -R on sysvol + 
chgrp <gid> -R on sysvol too.

For point 2) you need to be sure that users can't log on the linux box 
where you have you sysvol otherwise they will be able to modify the 
content of sysvol.
Alternatively you can try to set posix acls to give by default the write 
right to domain admins for file in sysvol (something like setfacl -m 
d:g:<gid>:rwx -n <dns.name.of.domain.tld>)
Be sure to validate that it works even if the default unix rights for 
the group set to rx that the posix acl for the domain admin group is rwx.

Good Luck.

Matthieu