[Samba] SYSVOL ACLs and GPOs

Alex Matthews qoole at lillimoth.com
Wed Oct 24 11:33:49 MDT 2012

On 24/10/2012 17:25, Alex Matthews wrote:
> On 24/10/2012 12:09, Andrew Bartlett wrote:
>> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
>>> Hi,
>>> I have installed a virtual testing network consisting of one samba4 PDC
>>> (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
>>> I have successfully provisioned an AD Domain and joined the XP machine
>>> to it.
>>> When I run the gpmc on the XP Pro machine and select:
>>> Forest: <domain name> -> Domains -> <domain name> -> Group Policy
>>> Objects -> Default Domain [Controller | Policy]
>>> I get the following error:
>>> "The permissions for this GPO in the SYSVOL folder are inconsistent with
>>> those in Active Directory.
>>> It is recommended that these permissions be consistent.
>>> To change the SYSVOL permissions to those in Active Directory, click OK."
>>> Hitting ok I get no error but as soon as I reselect THE SAME entry I get
>>> the same error, it doesn't seem to be able to fix the ACL.
>>> I have found one post about this on the list
>>> (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was
>>> "fixed" a long time ago.
>>> Seeing as I'm using the latest version I would assume this is a
>>> different issue.
>>> If I try to change any of the ACLs on either of the folders in
>>> \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however
>>> the change doesn't stick.
>>> Looking at the samba log files:
>>> I get this when I start gpmc and click ok:
>>> http://pastebin.com/7rBKyU1B
>>> I get this when I start gpmc and don't click ok:
>>> http://pastebin.com/B3DMSE1T
>>> I get this when I alter the ACLs manually (after line 479 is when I
>>> actually alter the ACLs):
>>> http://pastebin.com/2mEvWX6K
>>> My smb.conf is stock. No alterations.
>>> The server OS is Ubuntu 12.04.
>>> The filesystem is ext4 mounted with the following options:
>>> "errors=remount-ro,acl,user_xattr,barrier=1".
>>> I have all acl packages installed that I have seen referenced by samba
>>> or in posts of a similar nature.
>> If you are in the mood for some testing, can you try my acl-fixes2
>> branch?
>> git remote add abartlet git://git.samba.org/abartlet/samba.git
>> git fetch abartlet
>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>> I'm trying to get these changes into master, but I'm not quite finished.
>> You should only put these on a test server, as I may change data formats
>> etc.
>> I would be very curious to know if this fixes the issue.
>> Otherwise or in addition, if you can show me the contents of your
>> idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as to what is
>> going wrong here, and fix it.
>> Thanks,
>> Andrew Bartlett
> I assume
> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
> should be:
> git checkout abartlet/fix-acls2 -b abartlet-fix-acls2
> I'm rebuilding now, will keep you posted!
> Thanks,
> Alex

I have tried your branch. Rebuilt and the XP machine still throws the 
same issue.

Do I need to reprovision?
