SYSVOL ACLs, GPOs, other "Domain Admins" and root overrides for changing ownership and groups

Jeremy Allison jra at
Tue Nov 13 16:26:34 MST 2012

On Wed, Nov 14, 2012 at 10:07:43AM +1100, Andrew Bartlett wrote:
> I'm making some progress on the SYSVOL issue. 
> I've reinstalled my domain locally, and clicking on "Default Domain
> Policy" in GPMC I get the "inconsistent SYSVOL ACLs" error.  I also get
> "access denied" when I try and fix them.
> The changes I've made in my testing have been the reinstall, but also
> that I'm now testing as a member of "Domain Admins", not
> "Administrator".
> Part of the reason is quite clear:  The ACL calls from GPMC try to set
> the ACL, chown and chgrp the file.  This is permitted by the NT ACL, but
> not by POSIX, and Samba strictly honours POSIX in almost all cases.
> This happens because the file is owned by a group - so nobody actually
> has 'owner' rights on it. 

There are cases where we override POSIX. Check out the lp_dos_filemode()
case in try_chown() and the acl_group_override() cases in source3/smbd/posix_acls.c.

It looks like we need to expand these to cover this particular case.

There's also the lp_profile_acls() flag which may be useful here. I
have no problem with different behavior on a share marked as SYSVOL.
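
Added example, not part of the original message and not Samba code: a simplified model of the mismatch described in the quoted text, where the NT access mask permits changing the owner but the POSIX chown(2) rule refuses because the caller is only a member of the owning group. All IDs, struct names and function names are constructed for illustration, and the granted mask is assumed rather than computed from a real DACL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define NT_WRITE_OWNER 0x00080000u /* Windows WRITE_OWNER access-mask bit */

struct cred { uid_t uid; const gid_t *groups; size_t ngroups; };
struct owner { uid_t uid; gid_t gid; };

static bool in_group(const struct cred *c, gid_t g)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return true;
    return false;
}

/* POSIX chown(2) rule on a system with restricted chown (e.g. Linux). */
bool posix_may_chown(const struct cred *c, const struct owner *f,
                     uid_t new_uid, gid_t new_gid)
{
    if (c->uid == 0) return true;          /* root may do anything */
    if (c->uid != f->uid) return false;    /* group membership is not ownership */
    if (new_uid != f->uid) return false;   /* owner cannot give the file away */
    return new_gid == f->gid || in_group(c, new_gid);
}

/* NT rule: the access mask granted by the DACL must include WRITE_OWNER. */
bool nt_may_set_owner(uint32_t granted) { return (granted & NT_WRITE_OWNER) != 0; }

/* Constructed SYSVOL case: the file's owner ID is the one mapped from the
 * group, and the caller is a member of that group, not the owning uid. */
bool sysvol_mismatch(void)
{
    const gid_t groups[] = { 3000000 };               /* constructed IDs */
    struct cred admin = { 3000010, groups, 1 };
    struct owner gpo = { 3000000, 3000000 };
    uint32_t granted = NT_WRITE_OWNER;                /* assumed DACL result */
    return nt_may_set_owner(granted) &&
           !posix_may_chown(&admin, &gpo, admin.uid, 3000000);
}

int main(void)
{
    printf("NT allows, POSIX denies: %s\n", sysvol_mismatch() ? "yes" : "no");
    return 0;
}
```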

