[Samba] Destroyed my samba4 domain

Andrew Bartlett abartlet at samba.org
Thu Feb 21 22:08:28 MST 2013

On Thu, 2013-02-21 at 22:28 +0000, Mario Giammarco wrote:
> Hello,
> I am using Samba4 with the Zentyal distro.
> I am trying to have user homes mounted as W: and I am trying to use GPO.
> I have spurious permissions problems.
> I have fixed most of them with "samba-tool ntacl sysvolreset"
> But some users write files and cannot see them anymore to read.
> The biggest problem is that I have created group policies with Microsoft tools 
> but they are not applied. I have looked at sysvol share and I cannot see logon 
> dirs and my scripts so I suppose it is a permission problem.
> So I have given this command: "samba-tool gpo aclcheck --fix" and it has found 
> around 1700 errors (I have more than 1000 users).

There is no --fix option to samba-tool gpo aclcheck.  What does
'samba-tool ntacl sysvolcheck' give?

> But now permissions are wrong: Microsoft tools do not recognize the domain 
> anymore and I cannot browse it anymore with \\domainname.lan\
> Help me please!!!
> What can I do?

First, take a full backup. 

What about the options to fix the permissions as given by the AD tools?

> I forgot to say that I have two domain controllers based on Zentyal.

Is this based on Samba 4.0.3, or if not, which version is it based on?

Which file server are you using?

Depending on which file server you are using, see the --use-ntvfs and
--use-s3fs options.  We try to guess the right mode, but perhaps it was
run in the wrong mode, or you have a patched Samba that gets this wrong?

Does using a stock Samba from the 4.0.3 tarball work better?

I'm sorry I can't help much more right now, hopefully you can find a way
to get back working.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
