[Samba] SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Wed Oct 24 05:09:56 MDT 2012

On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
> Hi,
> I have installed a virtual testing network consisting of one samba4 PDC 
> (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
> I have successfully provisioned an AD Domain and joined the XP machine 
> to it.
> When I run the gpmc on the XP Pro machine and select:
> Forest: <domain name> -> Domains -> <domain name> -> Group Policy 
> Objects -> Default Domain [Controller | Policy]
> I get the following error:
> "The permissions for this GPO in the SYSVOL folder are inconsistent with 
> those in Active Directory.
> It is recommended that these permissions be consistent.
> To change the SYSVOL permissions to those in Active Directory, click OK."
> Hitting ok I get no error but as soon as I reselect THE SAME entry I get 
> the same error, it doesn't seem to be able to fix the ACL.
> I have found one post about this on the list 
> (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was 
> "fixed" a long time ago.
> Seeing as I'm using the latest version I would assume this is a 
> different issue.
> If I try to change any of the ACLs on either of the folders in 
> \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however 
> the change doesn't stick.
> Looking at the samba log files:
> I get this when I start gpmc and click ok:
> http://pastebin.com/7rBKyU1B
> I get this when I start gpmc and don't click ok:
> http://pastebin.com/B3DMSE1T
> I get this when I alter the ACLs manually (after line 479 is when I 
> actually alter the ACLs):
> http://pastebin.com/2mEvWX6K
> My smb.conf is stock. No alterations.
> The server OS is Ubuntu 12.04.
> The filesystem is ext4 mounted with the following options: 
> "errors=remount-ro,acl,user_xattr,barrier=1".
> I have all acl packages installed that I have seen referenced by samba 
> or in posts of a similar nature.

If you are in the mood for some testing, can you try my acl-fixes2:

git remote add abartlet git://git.samba.org/abartlet/samba.git
git fetch abartlet
git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

I'm trying to get these changes into master, but I'm not quite finished.
You should only put these on a test server, as I may change data formats.

I would be very curious to know if this fixes the issue.

Otherwise or in addition, if you can show me the contents of your
idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess at what is
going wrong here, and fix it.


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
