[Samba] SYSVOL ACLs and GPOs

Alex Matthews qoole.samba at lillimoth.com
Wed Oct 24 10:25:34 MDT 2012

On 24/10/2012 12:09, Andrew Bartlett wrote:
> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
>> Hi,
>> I have installed a virtual testing network consisting of one samba4 PDC
>> (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
>> I have successfully provisioned an AD Domain and joined the XP machine
>> to it.
>> When I run the gpmc on the XP Pro machine and select:
>> Forest: <domain name> -> Domains -> <domain name> -> Group Policy
>> Objects -> Default Domain [Controller | Policy]
>> I get the following error:
>> "The permissions for this GPO in the SYSVOL folder are inconsistent with
>> those in Active Directory.
>> It is recommended that these permissions be consistent.
>> To change the SYSVOL permissions to those in Active Directory, click OK."
>> Hitting ok I get no error but as soon as I reselect THE SAME entry I get
>> the same error, it doesn't seem to be able to fix the ACL.
>> I have found one post about this on the list
>> (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was
>> "fixed" a long time ago.
>> Seeing as I'm using the latest version I would assume this is a
>> different issue.
>> If I try to change any of the ACLs on either of the folders in
>> \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however
>> the change doesn't stick.
>> Looking at the samba log files:
>> I get this when I start gpmc and click ok:
>> http://pastebin.com/7rBKyU1B
>> I get this when I start gpmc and don't click ok:
>> http://pastebin.com/B3DMSE1T
>> I get this when I alter the ACLs manually (after line 479 is when I
>> actually alter the ACLs):
>> http://pastebin.com/2mEvWX6K
>> My smb.conf is stock. No alterations.
>> The server OS is Ubuntu 12.04.
>> The filesystem is ext4 mounted with the following options:
>> "errors=remount-ro,acl,user_xattr,barrier=1".
>> I have all acl packages installed that I have seen referenced by samba
>> or in posts of a similar nature.
> If you are in the mood for some testing, can you try my acl-fixes2
> branch?
> git remote add abartlet git://git.samba.org/abartlet/samba.git
> git fetch abartlet
> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
> I'm trying to get these changes into master, but I'm not quite finished.
> You should only put these on a test server, as I may change data formats
> etc.
> I would be very curious to know if this fixes the issue.
> Otherwise or in addition, if you can show me the contents of your
> idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as to what is
> going wrong here, and fix it.
> Thanks,
> Andrew Bartlett
I assume

git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

should be:

git checkout abartlet/fix-acls2 -b abartlet-fix-acls2

I'm rebuilding now, will keep you posted!


