Problem creating GPO samba4 beta6

Andrew Bartlett abartlet at samba.org
Mon Aug 27 15:51:01 MDT 2012


On Mon, 2012-08-27 at 11:05 +0200, Dieter Modig wrote:
> Hi! 
> 
> Since one of the updates on our Samba4 environment (from alpha17 to beta4) we can't seem to create new GPOs using Windows GPO manager. We can edit the existing ones but not create new ones. When trying to create a new GPO I get an error message saying something like "File/object not found". Removing this message and trying again (with the same name) gets me a different error message saying "Access denied". No logs seem to catch this so there is no further debug info.
> 
> We could however create a GPO from the Linux command line using samba-tool and that works but this GPO can't be used from Windows GPO manager.
> 
> It seems to be a problem with access rights. Looking in the folder /usr/local/samba/var/locks/sysvol/input.se/Policies/ we can see that existing policies have different owners and groups. Some of them have local Linux users as owners and some of them have users from the domain as owners. The theory that the problem is all rights based is corroborated by the fact that sometimes we get an error message saying "The permissions for this GPO in the sysvol folder are inconsistent with those in active directory" and the option to repair this. It does not, however, help to repair it :(
> 
> What are the rights supposed to be? Is the Policies folder supposed to be owned by a local Linux user (which is running the processes) or a domain user (which is the one accessing the files)? Are there any checks/fixes that we can run in order to see if there are errors in the setup? This was working just fine before updating to the beta release so have there been any changes in how the rights are supposed to be set?

G'day,

I've been working to make this handle much better, and the beta7 due
today (and current master) will work much better for you. 

In particular, the new tool 'samba-tool ntacl sysvolreset' will set
posix permissions to match the NT ACL, the lack of which is I hope the
cause of your problems.

Let me know if it does or doesn't help, and I'll see what I can do. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
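
A read-only check for the mixed ownership described in this thread, added here as an example; it is not part of either message and not Samba code. The function names are hypothetical, GNU find is assumed, and numeric IDs are used because domain account names can contain spaces. It only reports whether the GPO folders differ in owner and group, not which owner is correct.

```shell
#!/bin/sh
# Added example: summarise the POSIX owner:group of each GPO folder under a
# sysvol Policies directory, e.g. before and after running
# 'samba-tool ntacl sysvolreset'. Nothing is modified.

# list_gpo_owners DIR
# Prints "uid:gid mode name" for every folder directly under DIR.
# Numeric IDs (%U:%G) are used so names with spaces cannot split the fields.
list_gpo_owners() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -printf '%U:%G %m %f\n' | sort
}

# summarize_owners
# Reads the listing on stdin and prints one line per distinct uid:gid.
# Exit status: 0 = all folders share one uid:gid, 1 = they differ, 2 = no input.
summarize_owners() {
    awk '
        { count[$1]++; total++ }
        END {
            if (total == 0) exit 2
            for (owner in count) {
                printf "%d folder(s) owned by %s\n", count[owner], owner
                distinct++
            }
            exit ((distinct > 1) ? 1 : 0)
        }'
}

# Stand-alone use: pass the Policies directory as the first argument, e.g.
#   sh gpo-owners.sh /usr/local/samba/var/locks/sysvol/input.se/Policies
if [ -n "${1:-}" ]; then
    list_gpo_owners "$1" | summarize_owners
fi
```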


