[Samba] SYSVOL ACLs and GPOs
Andrew Bartlett
abartlet at samba.org
Wed Oct 24 05:09:56 MDT 2012
On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
> Hi,
>
> I have installed a virtual testing network consisting of one samba4 PDC
> (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
>
> I have successfully provisioned an AD Domain and joined the XP machine
> to it.
> When I run the gpmc on the XP Pro machine and select:
> Forest: <domain name> -> Domains -> <domain name> -> Group Policy
> Objects -> Default Domain [Controller | Policy]
> I get the following error:
>
> "The permissions for this GPO in the SYSVOL folder are inconsistent with
> those in Active Directory.
> It is recommended that these permissions be consistent.
> To change the SYSVOL permissions to those in Active Directory, click OK."
>
> Hitting ok I get no error but as soon as I reselect THE SAME entry I get
> the same error, it doesn't seem to be able to fix the ACL.
>
> I have found one post about this on the list
> (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was
> "fixed" a long time ago.
> Seeing as I'm using the latest version I would assume this is a
> different issue.
>
> If I try to change any of the ACLs on either of the folders in
> \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however
> the change doesn't stick.
>
>
> Looking at the samba log files:
>
> I get this when I start gpmc and click ok:
> http://pastebin.com/7rBKyU1B
>
> I get this when I start gpmc and don't click ok:
> http://pastebin.com/B3DMSE1T
>
> I get this when I alter the ACLs manually (after line 479 is when I
> actually alter the ACLs):
> http://pastebin.com/2mEvWX6K
>
> My smb.conf is stock. No alterations.
> The server OS is Ubuntu 12.04.
> The filesystem is ext4 mounted with the following options:
> "errors=remount-ro,acl,user_xattr,barrier=1".
> I have all acl packages installed that I have seen referenced by samba
> or in posts of a similar nature.

If you are in the mood for some testing, can you try my acl-fixes2
branch?

    git remote add abartlet git://git.samba.org/abartlet/samba.git
    git fetch abartlet
    git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

I'm trying to get these changes into master, but I'm not quite finished.
You should only put these on a test server, as I may change data formats
etc.

I would be very curious to know if this fixes the issue.

Otherwise or in addition, if you can show me the contents of your
idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as to what is
going wrong here, and fix it.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org