ntacl sysvolreset can take a long time

L.P.H. van Belle belle at bazuin.nl
Fri Jul 21 14:41:21 UTC 2017


Hi,

That's a bit hard, Rowland, but true.. (Sorry Björn).. It really is true..
But if you're working on sysvolreset, glad to help a bit, since this helps a lot of people..
The only thing I can say about that is: if ID_BOTH and SYSTEM are not able to match the Windows ACL,
then I would suggest to only set up sysvol with ignore system acls, because then GPOs always work.

Also, I'm wondering what people put in sysvol except some scripts in netlogon or some.dnsdom.tld/scripts and the GPOs.

Deployments, for example: put these on a file server, not in sysvol, or create a new share,
which won't conflict with the needed rights for sysvol.

> In a small setup?
Define small (number of folders and dirs?)
Define large, ... file folders?

My setup: 568 files, 286 folders.
I reset with setfacl and not sysvolreset; that breaks my GPOs.
This takes about <1 second for me.

This is what I use, but after setting this once, it's only needed if I mess things up myself.
.. And that happens sometimes.., we are all human.. :-/

I did a getfacl on sysvol, took the rights and added them to the small script.

#!/bin/bash
set -e

# Directory to apply the reference ACL to (normally the sysvol directory).
TARGET="$1"

# Write the reference ACL to a private temporary file (a fixed name under
# /tmp could be pre-created by another local user) and remove it on exit.
RIGHTSFILE="$(mktemp)"
trap 'rm -f "$RIGHTSFILE"' EXIT

# The numeric IDs can be different per server, check this with getfacl.
#(3000002 = SYSTEM )
#(3000003 = verified users )
cat << EOF > "$RIGHTSFILE"
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
EOF

if [ -z "$TARGET" ]; then
    echo "You need to pass the folder to set the default rights on"
    echo "We don't set the rights recursively! That can mess up current GPOs.."
    echo "exiting now .. "
    exit 1
fi

# Refuse the root directory and the top-level system directories. The match
# is on the whole path: a substring match on "/var" would also reject a
# sysvol that lives under /var/lib/samba.
case "${TARGET%/}" in
    ""|/bin|/boot|/dev|/etc|/home|/lib|/lib64|/media|/mnt|/opt|/proc|/root|/run|/sbin|/srv|/sys|/tmp|/usr|/var)
        echo "Warning, detected unsafe change or location, exiting now."
        exit 1
        ;;
esac

if [ ! -d "$TARGET" ]; then
    echo "Error, directory does not exist, exiting now."
    exit 1
fi

# Remove all existing ACL entries (-b) and apply the reference ACL from the
# file (-M, same as --modify-file), then add the default entries for root
# and BUILTIN\administrators so new files and folders inherit them.
setfacl -R -b -M "$RIGHTSFILE" "$TARGET"
setfacl -R -m default:user:root:rwx "$TARGET"
setfacl -R -m 'default:group:BUILTIN\134administrators:rwx' "$TARGET"


Greetz, 

Louis 
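A check that goes with the reset approach above: instead of applying setfacl, read the ACL that is actually on the sysvol directory (getfacl text, in the same format as the reference file in the script) and compare it with the reference entries, reporting missing or extra entries, a narrowed mask:: (which silently cuts the effective rights of every named user and group) and a non-empty other:: entry. This is an added example written for this page, not Louis's script and not Samba code; the getfacl output it parses is constructed inline, and the numeric IDs 3000002/3000003 are the placeholders from the post, not values from any real server (3000010 is a made-up extra entry).

```python
import re

# getfacl escapes special bytes as three octal digits: \134 is a backslash,
# \040 a space (as in BUILTIN\134server\040operators).
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(name):
    """Undo getfacl's octal escapes in a qualifier name."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_acl(text):
    """Parse getfacl-style text into {(scope, tag, qualifier): perms}.

    scope is "access" or "default". Header comments (# file:, # owner:) and
    trailing "#effective:" annotations are dropped; qualifiers are unescaped
    so comparisons work on the real names."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope = "default"
            parts = parts[1:]
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            raise ValueError(f"malformed ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        entries[(scope, tag, unescape(qualifier))] = perms
    return entries


def effective_perms(entries, scope="access"):
    """Apply the mask the way the kernel does: named users, the owning group
    and named groups are limited by mask::; user:: and other:: are not."""
    mask = entries.get((scope, "mask", ""))
    result = {}
    for (s, tag, qual), perms in entries.items():
        if s != scope or tag == "mask":
            continue
        limited = tag == "group" or (tag == "user" and qual != "")
        if limited and mask is not None:
            perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        result[(s, tag, qual)] = perms
    return result


def _fmt(key):
    scope, tag, qual = key
    return ("default:" if scope == "default" else "") + f"{tag}:{qual}"


def audit_acl(expected_text, actual_text):
    """Return findings: entries missing from or added to the directory,
    entries whose permissions changed, and a world-accessible other::."""
    expected, actual = parse_acl(expected_text), parse_acl(actual_text)
    findings = []
    for key in expected:
        if key not in actual:
            findings.append(f"missing {_fmt(key)} ({expected[key]})")
        elif actual[key] != expected[key]:
            findings.append(f"changed {_fmt(key)}: expected {expected[key]}, found {actual[key]}")
    for key in actual:
        if key not in expected:
            findings.append(f"unexpected {_fmt(key)} ({actual[key]})")
    other = actual.get(("access", "other", ""), "---")
    if other != "---":
        findings.append(f"world-accessible: other::{other}")
    return findings


# Constructed reference ACL (a subset of the entries from the post).
EXPECTED_ACL = r"""# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:other::---
"""

# Constructed "drifted" getfacl output: mask narrowed, other:: opened,
# one group entry lost and an unknown user 3000010 added.
ACTUAL_ACL = r"""# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:BUILTIN\134administrators:rwx   #effective:r-x
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx   #effective:r-x
user:3000003:r-x
user:3000010:rwx   #effective:r-x
group::rwx   #effective:r-x
group:BUILTIN\134administrators:rwx   #effective:r-x
group:3000003:r-x
mask::r-x
other::r-x
default:user::rwx
default:other::---
"""

if __name__ == "__main__":
    for finding in audit_acl(EXPECTED_ACL, ACTUAL_ACL):
        print(finding)
```

On a real server the reference text would be the content of the script's ACL file and the actual text the output of `getfacl -p` on the sysvol directory (use `-R` to walk the tree and split on the `# file:` headers); running the comparison from cron before touching anything tells you whether a reset is needed at all, and which entries changed.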

> -----Original message-----
> From: samba-technical 
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba-technical
> Sent: Friday 21 July 2017 15:55
> To: samba-technical at lists.samba.org
> Subject: Re: ntacl sysvolreset can take a long time
> 
> On Fri, 21 Jul 2017 15:25:19 +0200
> Bjoern Baumbach via samba-technical <samba-technical at lists.samba.org>
> wrote:
> 
> > Hi!
> > 
> > Depending on the amount of data in the sysvol directory, the 
> > samba-tool ntacl sysvol reset consumes a lot of time.
> > But there is an additional cause for highly increased duration of the 
> > process. In a small setup it takes round about half a minute when 
> > Samba is running and just 4 seconds when Samba is not running.
> > 
> > One distinct difference between samba is running and not running is 
> > the amount of fcntl() calls.
> > 
> > I count 1722462 when samba is up, but just 147214 if samba is not 
> > running, which is a large difference. Maybe somebody has some ideas 
> > how we can improve this :-)
> > 
> > Best regards,
> > Björn
> > 
> 
> very easily, do not run sysvolreset ;-)
> Do anything to do with GPOs from windows.
> Do not give 'Domain Admins' a gidNumber
> 
> Not sure if doing the above will help with your count, but it 
> will stop you breaking sysvol.
> 
> Rowland