[Samba] ntacl sysvolreset does not create correct ACL's
steve
steve at steve-ss.com
Thu Oct 11 03:29:18 MDT 2012
Hi
Version 4.1.0pre1-GIT-957f9fa
openSUSE 12.2
After running samba-tool ntaclreset, these are the ACE's produced:
getfacl sysvol/
# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:3000000:r--
group:3000001:r--
group:3000002:r--
mask::rwx
other::---
I got the group names from wbinfo. The group numbers correspond to:
3000000 BUILTIN\Server Operators 4
3000001 NT AUTHORITY\SYSTEM 5
3000002 NT AUTHORITY\Authenticated Users 5
Problem: GPO's do not work. I think this is due to the r-- only ACE.
Users, authenticated or not, do not have access to sysvol to be able to
read the GPO's because of the r--.
I changed the ACL by adding an r-x and rwx after comparing what a
working installation on Ubuntu gave:
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r-x
group:wheel:r-x
group:3000000:r-x
group:3000001:rwx
group:3000002:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000002:r-x
default:mask::rwx
default:other::---
and now the GPO's work again. However, running sysvolreset returns the
ACL to the r-- state.
I tested this on Ubuntu where sysvolreset works fine, producing r-x and
rwx ACE's in the correct place. I think the problem must be distro
specific. Works for Ubuntu, not for openSUSE.
Is there something in the script which makes it distro dependent? I
notice Ubuntu uses different owning groups (adm Ubuntu, wheel openSUSE)?
Cheers,
Steve