SYSVOL ACLs, GPOs, other "Domain Admins" and root overrides for changing ownership and groups

Andrew Bartlett abartlet at
Tue Nov 13 16:32:09 MST 2012

On Tue, 2012-11-13 at 15:26 -0800, Jeremy Allison wrote:
> On Wed, Nov 14, 2012 at 10:07:43AM +1100, Andrew Bartlett wrote:
> > I'm making some progress on the SYSVOL issue.
> > 
> > I've reinstalled my domain locally, and clicking on "Default Domain
> > Policy" in GPMC I get the "inconsistent SYSVOL ACLs" error.  I also get
> > "access denied" when I try and fix them.
> > 
> > The changes I've made in my testing have been the reinstall, but also
> > that I'm now testing as a member of "Domain Admins", not
> > "Administrator".
> > 
> > Part of the reason is quite clear:  The ACL calls from GPMC try to set
> > the ACL, chown and chgrp the file.  This is permitted by the NT ACL, but
> > not by posix, and Samba strictly honours POSIX in almost all cases.
> > 
> > This happens because the file is owned by a group - so nobody actually
> > has 'owner' rights on it.
> There are cases where we override POSIX. Check out the lp_dos_filemode()
> case in try_chown() and the acl_group_override() cases in source3/smbd/posix_acls.c.
> It looks like we need to expand these to cover this particular case.
> There's also the lp_profile_acls() flag which may be useful here. I
> have no problem with different behavior on a share marked as SYSVOL.

We probably should just do it in general, if we are using the
vfs_acl_xattr stuff for real NT emulation.

In any case, can you look into what would be required to do this?

You might need to setup an AD domain and run GPMC, but that will
probably be worthwhile to get a good grasp and second set of developer
eyes on this anyway.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
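The POSIX-versus-NT ownership gap discussed above (a SYSVOL file whose NT owner is a group, so no uid holds owner rights, and the overrides Jeremy points at in try_chown() and acl_group_override()) can be modelled compactly. The following Python is an added illustration, not Samba's code and not taken from this thread: it encodes, in simplified form, the documented semantics of the smb.conf options "dos filemode" and "acl group control" beside strict POSIX, and evaluates the GPMC "fix ACLs" scenario under each. The file, principals, gids and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ROOT_UID = 0  # root (CAP_FOWNER / CAP_CHOWN) bypasses every POSIX ownership check


@dataclass(frozen=True)
class PosixFile:
    """Ownership as the kernel sees it.  uid is None when the NT owner is a
    group SID (e.g. Domain Admins) that maps to a gid only, so no uid "owns"
    the file at all (constructed model, not Samba's data structures)."""
    uid: Optional[int]
    gid: int
    mode: int  # permission bits, e.g. 0o770


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: FrozenSet[int]  # primary plus supplementary groups


def has_write_access(f: PosixFile, p: Principal) -> bool:
    """Plain POSIX owner/group/other write check."""
    if p.uid == ROOT_UID:
        return True
    if f.uid is not None and p.uid == f.uid:
        return bool(f.mode & 0o200)
    if f.gid in p.gids:
        return bool(f.mode & 0o020)
    return bool(f.mode & 0o002)


def may_change_acl(f: PosixFile, p: Principal, *,
                   dos_filemode: bool = False,
                   acl_group_control: bool = False) -> bool:
    """Strict POSIX: only the owning uid or root may change the mode/ACL.
    The two flags model the smb.conf overrides named in the thread (simplified):
    'acl group control' lets members of the owning group do it,
    'dos filemode' lets anyone with write access do it (the widest grant)."""
    if p.uid == ROOT_UID:
        return True
    if f.uid is not None and p.uid == f.uid:
        return True
    if acl_group_control and f.gid in p.gids:
        return True
    if dos_filemode and has_write_access(f, p):
        return True
    return False


def may_chgrp(f: PosixFile, p: Principal, new_gid: int, *,
              dos_filemode: bool = False) -> bool:
    """POSIX lets the owner hand a file to a group they belong to; root may
    do anything.  With 'dos filemode' the write-access override applies too,
    but the caller still has to be a member of the target group (assumed rule)."""
    if p.uid == ROOT_UID:
        return True
    if new_gid not in p.gids:
        return False
    if f.uid is not None and p.uid == f.uid:
        return True
    return dos_filemode and has_write_access(f, p)


# Constructed sample: a SYSVOL policy file owned by the Domain Admins group
# (no uid), and a Domain Admins member driving GPMC.
DOMAIN_ADMINS_GID = 3000000
SYSVOL_FILE = PosixFile(uid=None, gid=DOMAIN_ADMINS_GID, mode=0o770)
DOMAIN_ADMIN = Principal(uid=3000010, gids=frozenset({DOMAIN_ADMINS_GID, 100}))
OUTSIDER = Principal(uid=3000020, gids=frozenset({100}))


def gpmc_acl_fix_outcomes(f: PosixFile = SYSVOL_FILE,
                          p: Principal = DOMAIN_ADMIN) -> dict:
    """Whether GPMC's ACL repair would get past the POSIX layer under each setting."""
    return {
        "strict posix": may_change_acl(f, p),
        "acl group control": may_change_acl(f, p, acl_group_control=True),
        "dos filemode": may_change_acl(f, p, dos_filemode=True),
    }


if __name__ == "__main__":
    for setting, ok in gpmc_acl_fix_outcomes().items():
        print(f"{setting:18s}: {'allowed' if ok else 'access denied'}")
```

Under strict POSIX the Domain Admins member is refused, which is the "access denied" seen in GPMC; "acl group control" admits exactly the members of the owning group, while "dos filemode" admits anyone with write access, so a share-scoped setting is the narrower of the two escape hatches.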