[Samba] SYSVOL ACLs and GPOs

Jeremy Allison jra at samba.org
Mon Oct 29 17:42:52 MDT 2012

On Mon, Oct 29, 2012 at 09:22:31PM +1100, Andrew Bartlett wrote:
> Jeremy,
> I'm wondering if I can get your assistance on this one?

Sure, I'll try and help asap !

> In short, both Alex and Luiz have an issue where vfs_acl_xattr does not
> return the NT ACL that has been set.  The details in in this thread, but
> we have the particularly odd situation where running 'samba-tool ntacl
> sysvolreset' doesn't seem to fix it.  This isn't the case of the tools
> expecting the wrong value - the 'got' ACL is clearly one mapped back
> from POSIX.  Running the Group Policy tools on a domain member seems to
> be a particular trigger - but it shouldn't be able to make a
> modification that doesn't go via vfs_acl_xattr.
> For Alex, before running the Group Policy tools on WinXP, he gets (at
> level 10 on samba-tool ntacl sysvolcheck):
> get_nt_acl_internal: blob hash matches for
> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> then after, he gets:
> get_nt_acl_internal: blob hash does not match for
> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.

Is this message from smbd, or from samba-tool ?

We can give him some custom patches that should
help work out where the blob hash mistmatch is
being caused.

Give me a little time to read the messages in
the thread and try and catch up.


More information about the samba-technical mailing list