samba-tool ntacl sysvolreset error

steve steve at steve-ss.com
Fri Aug 31 10:30:45 MDT 2012


On 31/08/12 10:46, Mark Rutherford wrote:
> Showing something similar but not quite the same:
>
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_ACCESS_DENIED.
> ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
>    File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> line 160, in _run
>      return self.run(*args, **kwargs)
>    File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/ntacl.py",
> line 180, in run
>      lp, use_ntvfs=use_ntvfs)
>    File
> "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py",
> line 1446, in setsysvolacl
>      setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs)
>    File "/usr/local/samba/lib/python2.6/site-packages/samba/ntacls.py",
> line 108, in setntacl
>      smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL, sd)
>

Hi Mark
Could you post your sysvol file listing?
Here is mine:

>> Here is the directory:
>>
>> hh1:/usr/local/samba/var/locks/sysvol # ls -l
>> total 8
>> drwxrwx---+ 4 2000010 wheel 4096 Aug 28 16:37 hh3.site
>> hh1:/usr/local/samba/var/locks/sysvol # ls -l
>> total 8
>> drwxrwx---+ 4 Administrator wheel 4096 Aug 28 16:37 hh3.site
>> hh1:/usr/local/samba/var/locks/sysvol # getfacl hh3.site
>> # file: hh3.site
>> # owner: Administrator
>> # group: wheel
>> user::rwx
>> user:Administrator:rwx
>> group::rwx
>> group:wheel:rwx
>> group:3000014:r-x
>> group:3000018:rwx
>> group:3000021:r-x
>> mask::rwx
>> other::---
>>
>> What are the groups 3000014, 3000018 and 3000021 supposed to map to? I
>> suspect 3000018 to be Domain Admins but could anyone give me definite
>> names from a working sysvol?
>>

I found these stored in idmap.ldb:
hh1:/home/steve # wbinfo --sid-to-uid=S-1-5-11
3000014
hh1:/home/steve # wbinfo --sid-to-name=S-1-5-11
NT AUTHORITY\Authenticated Users 5

hh1:/home/steve # wbinfo --sid-to-uid=S-1-5-18
3000018
hh1:/home/steve # wbinfo --sid-to-name=S-1-5-18
NT AUTHORITY\SYSTEM 5

hh1:/home/steve # wbinfo --sid-to-uid=S-1-5-32-549
3000021
hh1:/home/steve # wbinfo --sid-to-name=S-1-5-32-549
BUILTIN\Server Operators 4

But I have:
idmap_ldb:use rfc2307 = Yes
in smb.conf

Should I be giving Authenticated Users, SYSTEM and Server Operators 
posixGroup and gidNumber in AD?

I am using nss-pam-ldapd for mapping.
Thanks,
Steve
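As an added example, not part of the thread, the following script does mechanically what Steve did by hand above: it parses a getfacl listing, picks out the purely numeric group/user qualifiers, and cross-references them against idmap entries to name the well-known SIDs they correspond to, flagging any numeric ID that has no idmap entry. The getfacl text and the idmap table are constructed here to mirror the values in the thread (with one extra unmapped id, 3000099, added to show the failure case); on a real DC they would come from `getfacl` and `wbinfo --sid-to-name` / `idmap.ldb`. The SID-to-name table is the standard Windows assignment for those three well-known SIDs.

```python
"""Cross-check numeric IDs in a POSIX ACL against idmap entries.

Added example for illustration; not code from the thread or from Samba.
Inputs are constructed strings/dicts standing in for `getfacl` output
and idmap.ldb / wbinfo lookups.
"""
import re

# Standard well-known SID names (these three appear in the thread).
WELL_KNOWN_SIDS = {
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
}

# Constructed sample: xid -> SID, as idmap.ldb / wbinfo would report it.
SAMPLE_IDMAP = {
    3000014: "S-1-5-11",
    3000018: "S-1-5-18",
    3000021: "S-1-5-32-549",
}

# Constructed getfacl output modelled on the listing in the thread,
# plus one extra numeric group (3000099) with no idmap entry.
SAMPLE_GETFACL = """\
# file: hh3.site
# owner: Administrator
# group: wheel
user::rwx
user:Administrator:rwx
group::rwx
group:wheel:rwx
group:3000014:r-x
group:3000018:rwx
group:3000021:r-x
group:3000099:rwx
mask::rwx
other::---
"""

# Matches named ACL entries; the empty-qualifier owner/group lines
# (user::rwx, group::rwx) and mask/other are skipped below.
ACE_RE = re.compile(r"^(user|group):([^:]*):([rwx-]{3})$")


def parse_acl(text):
    """Return (tag, qualifier, perms) for every named user/group entry."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(2):
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def resolve_numeric_ids(entries, idmap, well_known=WELL_KNOWN_SIDS):
    """Map numeric qualifiers to (SID, name, perms); list unmapped xids.

    A numeric qualifier is an xid that nss could not turn back into a
    name; if idmap has no entry for it either, it is reported as unmapped.
    """
    resolved = {}
    unmapped = []
    for _tag, qual, perms in entries:
        if not qual.isdigit():
            continue
        xid = int(qual)
        sid = idmap.get(xid)
        if sid is None:
            unmapped.append(xid)
        else:
            resolved[xid] = (sid, well_known.get(sid, "<unknown SID>"), perms)
    return resolved, unmapped


def missing_well_known(resolved, well_known=WELL_KNOWN_SIDS):
    """Well-known SIDs expected on sysvol that the ACL does not carry."""
    present = {sid for sid, _name, _perms in resolved.values()}
    return sorted(set(well_known) - present)


if __name__ == "__main__":
    entries = parse_acl(SAMPLE_GETFACL)
    resolved, unmapped = resolve_numeric_ids(entries, SAMPLE_IDMAP)
    for xid, (sid, name, perms) in sorted(resolved.items()):
        print(f"{xid} -> {sid} ({name}) {perms}")
    print("unmapped xids:", unmapped)
    print("well-known SIDs absent from ACL:", missing_well_known(resolved))
```

Running it on the constructed listing names 3000014, 3000018 and 3000021 as Authenticated Users, SYSTEM and Server Operators and reports 3000099 as unmapped; an unmapped id on a live sysvol is the kind of entry worth checking in idmap.ldb before re-running sysvolreset.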