[Samba] Cannot edit GPO's anymore via RSAT

George Itee george.itee at gmail.com
Sat May 24 01:51:36 MDT 2014


Hello Marc,

The command *getfacl /usr/local/samba/var/locks/sysvol* returns the
following:

getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---


From a Windows perspective, the Sysvol share has the following permissions:

*Everyone:* nothing
*Creator Owner:* Special permissions
*Creator Group:* nothing
*Authenticated Users:* Read & Execute, List folder contents, Read
*System:* Full Control
*Administrator:* Full Control
*Administrators:* Full Control
*Server Operators:* Read & Execute, List folder contents, Read

One other thing I did, I implemented a Samba4 Member as a file server for
test...it was made with RID backend and wbinfo -u / -g was working
properly. I could not get the ADS backend to work though.

Not sure if this has anything to do with it, but just wanted you to know.
By all means, sysvolreset should have worked, but it does nothing.

I'm not sure how to go back to a previous version, since I only have
2 full vmdk images, both with Samba 4.1.7...and a very old backup from
December 2013.

Sysvol and etc were backed up every day for the last 2 months, but I only
have several private folder backups, recent ones.

Anything else I can try?

Thank you,

George




On Sat, May 24, 2014 at 10:00 AM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Hello George,
>
> On 23.05.2014 23:26, George Itee wrote:
> >  Calling acl_set_file:
> > samdom/Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A}, 0
> > [2014/05/24 00:14:41.655671, 10, pid=2134, effective(3000200, 100),
> > real(3000200, 0)]
> > ../source3/modules/vfs_posixacl.c:111(posixacl_sys_acl_set_file)
> >   acl_set_file failed: Operation not permitted
> > [2014/05/24 00:14:41.655708,  2, pid=2134, effective(3000200, 100),
> > real(3000200, 0), class=acls]
> > ../source3/smbd/posix_acls.c:3014(set_canon_ace_list)
> >   set_canon_ace_list: sys_acl_set_file type file failed for
> > file samdom//Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A} (Operation
> > not permitted).
> > [2014/05/24 00:14:41.655740,  3, pid=2134, effective(3000200, 100),
> > real(3000200, 0), class=acls]
> > ../source3/smbd/posix_acls.c:3831(set_nt_acl)
> >   set_nt_acl: failed to set file acl on file
> > samdom//Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A} (Operation not
> > permitted).
> > [2014/05/24 00:14:41.655778, 10, pid=2134, effective(3000200, 100),
> > real(3000200, 0)]
> > ../source3/smbd/smb2_server.c:2657(smbd_smb2_request_error_ex)
> >   smbd_smb2_request_error_ex: idx[1] status*[NT_STATUS_ACCESS_DENIED]* ||
> > at ../source3/smbd/smb2_setinfo.c:128
> > [2014/05/24 00:14:41.655807, 10, pid=2134, effective(3000200, 100),
> > real(3000200, 0)]
> > ../source3/smbd/smb2_server.c:2557(smbd_smb2_request_done_ex)
> >   smbd_smb2_request_done_ex: idx[1]
> > status*[NT_STATUS_ACCESS_DENIED]*body[8] dyn[yes:1] at
> > ../source3/smbd/smb2_server.c:2705
> > [2014/05/24 00:14:41.655835, 10, pid=2134, effective(3000200, 100),
> > real(3000200, 0)]
> > ../source3/smbd/smb2_server.c:893(smb2_set_operation_credit)
> >   smb2_set_operation_credit: requested 1, charge 1, granted 1, current
> > possible/max 482/512, total granted/max/low/range 31/8192/104/31
>
>
> Can you verify that the groups have the required access on the SysVol
> folder and its content?
>
>
> Regards,
> Marc
>
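
Added example, not part of the original messages or of Samba: a small Python check for the question Marc asks, which parses getfacl output like that posted above and lists groups whose effective rights (the entry limited by the mask) fall short in the access or default ACL. The required rights passed in are an assumption; the thread does not state them.

```python
import re

# Constructed sample: a subset of the getfacl lines quoted in the message
# (group ids as posted there; the required rights below are assumptions).
SAMPLE = """\
# file: usr/local/samba/var/locks/sysvol/
user::rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:mask::rwx
default:other::---
"""

ENTRY = re.compile(
    r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])\s*(#.*)?$")

def parse_getfacl(text):
    """Return {'access': {(tag, name): perms}, 'default': {...}} for one file."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # '# file:' headers and blank lines do not match
            acl["default" if m.group(1) else "access"][m.group(2, 3)] = m.group(4)
    return acl

def effective_group(entries, name):
    """Group entries are limited by the mask; None if the entry is absent."""
    perms = entries.get(("group", name))
    if perms is None:
        return None
    mask = entries.get(("mask", ""), "rwx")
    return "".join(p if p == k else "-" for p, k in zip(perms, mask))

def missing_access(text, required):
    """required: {group: 'r-x'}. Returns [(scope, group, effective or None)]."""
    acl = parse_getfacl(text)
    gaps = []
    for scope in ("access", "default"):
        for group, need in required.items():
            have = effective_group(acl[scope], group)
            if have is None or any(n != "-" and h == "-" for n, h in zip(need, have)):
                gaps.append((scope, group, have))
    return gaps

if __name__ == "__main__":
    print(missing_access(SAMPLE, {"3000000": "rwx", "3000001": "r-x"}))
```

An empty list means every listed group holds at least the required rights in both the access ACL and the default ACL that new files under the directory inherit.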