[Samba] SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Mon Oct 29 18:00:31 MDT 2012

On Mon, 2012-10-29 at 16:42 -0700, Jeremy Allison wrote:
> On Mon, Oct 29, 2012 at 09:22:31PM +1100, Andrew Bartlett wrote:
> > Jeremy,
> > 
> > I'm wondering if I can get your assistance on this one?
> Sure, I'll try and help asap !


> > In short, both Alex and Luiz have an issue where vfs_acl_xattr does not
> > return the NT ACL that has been set.  The details are in this thread, but
> > we have the particularly odd situation where running 'samba-tool ntacl
> > sysvolreset' doesn't seem to fix it.  This isn't the case of the tools
> > expecting the wrong value - the 'got' ACL is clearly one mapped back
> > from POSIX.  Running the Group Policy tools on a domain member seems to
> > be a particular trigger - but it shouldn't be able to make a
> > modification that doesn't go via vfs_acl_xattr.
> > 
> > For Alex, before running the Group Policy tools on WinXP, he gets (at
> > level 10 on samba-tool ntacl sysvolcheck):
> > 
> > get_nt_acl_internal: blob hash matches for
> > file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> > 
> > then after, he gets:
> > 
> > get_nt_acl_internal: blob hash does not match for
> > file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
> Is this message from smbd, or from samba-tool ?

That's what vfs_acl_common is printing, being run from samba-tool ntacl
sysvolcheck.  It links to the VFS layer.

> We can give him some custom patches that should
> help work out where the blob hash mismatch is
> being caused.
> Give me a little time to read the messages in
> the thread and try and catch up.


Since I wrote that, it's interesting to note that Luiz reproduces this
without needing Windows (which will clearly be easier to debug), but
might just be some other issue with FreeBSD. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
