[Samba] Cannot edit GPO's anymore via RSAT

George Itee george.itee at gmail.com
Fri May 23 15:26:11 MDT 2014


Hello Marc,


Thank you for the information, I ran

*samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix*

Gave 1 error and I reset the NTSecurityDescriptor on the domain, fixed.

samba-tool dbcheck --cross-ncs --fix

The result came with 0 errors. I have reset the sysvol ACLs again and
started Samba4, but the problem still persists.

Below you can find a snippet of a log at log level 10:


 Calling acl_set_file:
samdom/Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A}, 0
[2014/05/24 00:14:41.655671, 10, pid=2134, effective(3000200, 100),
real(3000200, 0)]
../source3/modules/vfs_posixacl.c:111(posixacl_sys_acl_set_file)
  acl_set_file failed: Operation not permitted
[2014/05/24 00:14:41.655708,  2, pid=2134, effective(3000200, 100),
real(3000200, 0), class=acls]
../source3/smbd/posix_acls.c:3014(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for
file samdom//Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A} (Operation
not permitted).
[2014/05/24 00:14:41.655740,  3, pid=2134, effective(3000200, 100),
real(3000200, 0), class=acls] ../source3/smbd/posix_acls.c:3831(set_nt_acl)
  set_nt_acl: failed to set file acl on file
samdom//Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A} (Operation not
permitted).
[2014/05/24 00:14:41.655778, 10, pid=2134, effective(3000200, 100),
real(3000200, 0)]
../source3/smbd/smb2_server.c:2657(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status*[NT_STATUS_ACCESS_DENIED]* ||
at ../source3/smbd/smb2_setinfo.c:128
[2014/05/24 00:14:41.655807, 10, pid=2134, effective(3000200, 100),
real(3000200, 0)]
../source3/smbd/smb2_server.c:2557(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1]
status*[NT_STATUS_ACCESS_DENIED]*body[8] dyn[yes:1] at
../source3/smbd/smb2_server.c:2705
[2014/05/24 00:14:41.655835, 10, pid=2134, effective(3000200, 100),
real(3000200, 0)]
../source3/smbd/smb2_server.c:893(smb2_set_operation_credit)
  smb2_set_operation_credit: requested 1, charge 1, granted 1, current
possible/max 482/512, total granted/max/low/range 31/8192/104/31


I do not have a lot of experience in debugging Samba4, but it looks like
the groups that should have had access like Domain Admins/Group Policy
Creator, do not work anymore. If I create a new user and put him in the
same groups, it still does not work.

This is a CentOS platform that I am running on and Samba4 was compiled from
source with ./configure --enable-selftest --enable-debug (I think it was
4.10 at that time). I do have older backups of the sysvol folder, but I'm
not sure it will make any difference.


George


On Sat, May 24, 2014 at 12:01 AM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Hello George,
>
> On 23.05.2014 22:44, George Itee wrote:
> > Trying to add/remove a user in the Security Filtering results in Access
> > is Denied again. My user is a member of Domain Admins, Group Policy Creator
> > Owners and Schema Admins groups.
>
> Can you do:
> # samba-tool dbcheck --cross-ncs (--fix)
>
> And if your domain was provisioned with an early 4.0 or pre 4.0, also run
> # samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
>
>
>
>
>
> > samba-tool ntacl sysvolcheck says:
>
> https://bugzilla.samba.org/show_bug.cgi?id=10606
>
> But even if sysvolcheck has several uncaught exceptions, the sysvolreset
> works.
>
>
>
>
> Regards,
> Marc
>
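
For triaging a log like the one quoted in this message, the following added example (not part of the original post and not Samba code) re-joins the mail-wrapped debug entries and counts denied operations per effective uid/gid and function. The header layout is inferred from the entries in the post, and the function names `parse_entries` and `denied_by_identity` are hypothetical.

```python
import re
from collections import Counter

# Entries copied from the log in the post, keeping the mail client's wrapping.
SAMPLE = """\
[2014/05/24 00:14:41.655671, 10, pid=2134, effective(3000200, 100),
real(3000200, 0)]
../source3/modules/vfs_posixacl.c:111(posixacl_sys_acl_set_file)
  acl_set_file failed: Operation not permitted
[2014/05/24 00:14:41.655708,  2, pid=2134, effective(3000200, 100),
real(3000200, 0), class=acls]
../source3/smbd/posix_acls.c:3014(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for
file samdom//Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A} (Operation
not permitted).
[2014/05/24 00:14:41.655778, 10, pid=2134, effective(3000200, 100),
real(3000200, 0)]
../source3/smbd/smb2_server.c:2657(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status*[NT_STATUS_ACCESS_DENIED]* ||
at ../source3/smbd/smb2_setinfo.c:128
[2014/05/24 00:14:41.655835, 10, pid=2134, effective(3000200, 100),
real(3000200, 0)]
../source3/smbd/smb2_server.c:893(smb2_set_operation_credit)
  smb2_set_operation_credit: requested 1, charge 1, granted 1, current
possible/max 482/512, total granted/max/low/range 31/8192/104/31
"""

# Debug header as it appears in the post (assumed layout), after un-wrapping.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), *(?P<level>\d+), "
    r"pid=(?P<pid>\d+), effective\((?P<euid>\d+), (?P<egid>\d+)\), "
    r"real\((?P<ruid>\d+), (?P<rgid>\d+)\)(?:, class=(?P<cls>\w+))?\] "
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\) ?")
DENIED = re.compile(r"Operation not permitted|NT_STATUS_ACCESS_DENIED")

def parse_entries(text):
    """Undo line wrapping, then split the stream at each debug header."""
    flat = " ".join(text.split())
    hits = list(HEADER.finditer(flat))
    ends = [h.start() for h in hits[1:]] + [len(flat)]
    return [dict(h.groupdict(), msg=flat[h.end():e].strip())
            for h, e in zip(hits, ends)]

def denied_by_identity(entries):
    """Count denied operations per (effective uid, gid, function)."""
    return Counter((e["euid"], e["egid"], e["func"])
                   for e in entries if DENIED.search(e["msg"]))

if __name__ == "__main__":
    print(denied_by_identity(parse_entries(SAMPLE)))
```
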

