[Samba] SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Tue Oct 30 05:06:00 MDT 2012


On Tue, 2012-10-30 at 01:55 -0700, Andriesvn wrote:
> Hi Andrew
> 
> I appear to be having the same problem that Alex has. Except I am running
> Ubuntu Server 12.04 x64. I have been experiencing this problem since RC2 and
> thought I might have installed incorrectly. I have done about 5 fresh server
> installs and all of them end with the same results. Clients can't access GPO,
> sysvolreset has no effect and sysvolcheck keeps popping up a "VFS ACL on GPO
> directory" error. getfacl after sysvolreset on a GPO dir returns the
> following:
> 
>  # file: {yadayada}
>  # owner : 3000008
>  # group : users
> user::rwx
> user:3000008:rwx
> group::---
> group:3000002:r--
> group:3000003:r--
> group:3000006:r--
> group:3000008:r--
> group:3000010:r--
> mask::rwx
> other::---
> 
> On some GPO dirs I get an extra default as follows:
> default:user::rwx
> default:user:3000008:rwx
> default:group::---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000006:rwx
> default:group:3000008:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
> 
> Since I saw the default pop up, I tried setting the default as the effective
> permissions but still no result.
> 
> sysvol permissions are always as follows:
> root@samba4:/usr/local/samba # getfacl var/locks/sysvol
> # file: var/locks/sysvol 
> # owner: root 
> # group: 3000000 
> user::rwx 
> user:root:rwx 
> group::r-- 
> group:3000000:r-- 
> group:3000001:r-- 
> group:3000002:r-- 
> group:3000003:r-- 
> mask::rwx 
> other::--- 
> 
> A workaround that seemed to work for me was to set all permissions on sysvol
> to rwx. This allowed clients to read and apply the GPOs. I know the
> permissions are not correct but I needed a fix.
> 
> So this appears to be a problem not only related to FreeBSD.

This is most frustrating, as I thought I had this working.  The same
happens here on Fedora 17.

I've CC'ed Jeremy, owner of our posix ACL conversion code, to see if he
can help.  It makes no sense that execute permissions would not be
granted on the directories!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
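
The GPO-directory ACL quoted in this message gives the named groups read but not execute, which is the condition the reply calls out. As an added example (not part of the original thread and not Samba's own code), the following parses `getfacl` output and lists the entries that can list a directory but not traverse it. The function names are hypothetical and the check assumes the path is a directory.

```python
import re

# Constructed sample: the GPO-directory ACL quoted in the message above.
SAMPLE = """\
# file: {yadayada}
# owner: 3000008
# group: users
user::rwx
user:3000008:rwx
group::---
group:3000002:r--
group:3000003:r--
group:3000006:r--
group:3000008:r--
group:3000010:r--
mask::rwx
other::---
"""

ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])$")

def parse_acl(text):
    """Return (access_entries, mask) from getfacl text; default: entries are skipped."""
    entries, mask = [], "rwx"
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header comments, blank lines, default: entries
        tag, qualifier, perms = m.groups()
        if tag == "mask":
            mask = perms
        else:
            entries.append((tag, qualifier, perms))
    return entries, mask

def effective(perms, mask):
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def untraversable(text):
    """List ACL entries that can read a directory but not traverse it (r without x)."""
    entries, mask = parse_acl(text)
    findings = []
    for tag, qualifier, perms in entries:
        # The mask caps named users, the owning group and named groups only.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        eff = effective(perms, mask) if masked else perms
        if "r" in eff and "x" not in eff:
            findings.append(f"{tag}:{qualifier}")
    return findings
```

Running `untraversable()` over `getfacl` output for each GPO directory after `sysvolreset` shows which entries are missing `x`, so the specific entries can be corrected rather than setting everything under sysvol to rwx.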



