SYSVOL ACLs, GPOs, other "Domain Admins" and root overrides for changing ownership and groups
jra at samba.org
Tue Nov 13 16:26:34 MST 2012
On Wed, Nov 14, 2012 at 10:07:43AM +1100, Andrew Bartlett wrote:
> I'm making some progress on the SYSVOL issue.
> I've reinstalled my domain locally, and clicking on "Default Domain
> Policy" in GPMC I get the "inconsistent SYSVOL ACLs" error. I also get
> "access denied" when I try and fix them.
> The changes I've made in my testing have been the reinstall, but also
> that I'm now testing as a member of "Domain Admins", not
> Part of the reason is quite clear: The ACL calls from GPMC try to set
> the ACL, chown and chgrp the file. This is permitted by the NT ACL, but
> not by posix, and Samba strictly honours POSIX in almost all cases.
> This happens because the file is owned by a group - so nobody actually
> has 'owner' rights on it.
There are cases where we override POSIX. Check out the lp_dos_filemode()
case in try_chown() and the acl_group_override() cases in source3/smbd/posix_acls.c.
It looks like we need to expand these to cover this particular case.
There's also the lp_profile_acls() flag which may be useful here. I
have no problem with different behavior on a share marked as SYSVOL.