[Samba] Fwd: Cannot edit GPO's anymore via RSAT

George Itee george.itee at gmail.com
Sun May 25 04:13:21 MDT 2014


Another slight update: I have managed to restore the old DC from 2013 in a
controlled environment (only my computer has access to the domain, the rest
are blocked by the firewall). I can confirm the old DC is working and
clicking on the Group Policies does not give the error *"The permissions
for this GPO in the SYSVOL folder are inconsistent with those in Active
Directory"* anymore.

I have noticed that there are differences between the old and the new DCs
with regard to the Sysvol permissions.

The old DC has *Authenticated Users* - Read&Execute, List, Read; *System* -
Full control; *Administrators Group* - Full Control; *Server Operators* -
Read&Execute, List, Read >>> this is working properly

The current DC has *Everyone* - none; *CREATOR OWNER* - Special; *CREATOR
GROUP* - none; *Administrator* - Full control;/// *Authenticated Users* -
Read&Execute, List, Read; *System* - Full control; *Administrators Group* -
Full Control; *Server Operators* - Read&Execute, List, Read  >>> this is
not working

As you can see, the current sysvol share has 4 new ACLs. On both the
current and the old, the Administrator is the Owner. But I cannot remove
these new ACLs, even when logged in with the admin account. They just keep
popping back in the security tab.

How can I set them like the old DC via the Linux command line?

Thank you,

George

---------- Forwarded message ----------
From: George Itee <george.itee at gmail.com>
Date: Sat, May 24, 2014 at 11:02 AM
Subject: Re: [Samba] Cannot edit GPO's anymore via RSAT
To: Marc Muehlfeld <mmuehlfeld at samba.org>
Cc: samba at lists.samba.org


Forgot to mention that the Group Policy Creator Owner, SYSTEM and
Administrators groups have full control on the Policies folder in SYSVOL :)




On Sat, May 24, 2014 at 10:00 AM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Hello George,
>
> On 23.05.2014 23:26, George Itee wrote:
> >  Calling acl_set_file:
> > samdom/Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A}, 0
> > [2014/05/24 00:14:41.655671, 10, pid=2134, effective(3000200, 100),
> > real(3000200, 0)]
> > ../source3/modules/vfs_posixacl.c:111(posixacl_sys_acl_set_file)
> >   acl_set_file failed: Operation not permitted
> > [2014/05/24 00:14:41.655708,  2, pid=2134, effective(3000200, 100),
> > real(3000200, 0), class=acls]
> > ../source3/smbd/posix_acls.c:3014(set_canon_ace_list)
> >   set_canon_ace_list: sys_acl_set_file type file failed for
> > file samdom//Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A} (Operation
> > not permitted).
> > [2014/05/24 00:14:41.655740,  3, pid=2134, effective(3000200, 100),
> > real(3000200, 0), class=acls]
> > ../source3/smbd/posix_acls.c:3831(set_nt_acl)
> >   set_nt_acl: failed to set file acl on file
> > samdom//Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A} (Operation not
> > permitted).
> > [2014/05/24 00:14:41.655778, 10, pid=2134, effective(3000200, 100),
> > real(3000200, 0)]
> > ../source3/smbd/smb2_server.c:2657(smbd_smb2_request_error_ex)
> >   smbd_smb2_request_error_ex: idx[1] status*[NT_STATUS_ACCESS_DENIED]* ||
> > at ../source3/smbd/smb2_setinfo.c:128
> > [2014/05/24 00:14:41.655807, 10, pid=2134, effective(3000200, 100),
> > real(3000200, 0)]
> > ../source3/smbd/smb2_server.c:2557(smbd_smb2_request_done_ex)
> >   smbd_smb2_request_done_ex: idx[1]
> > status*[NT_STATUS_ACCESS_DENIED]*body[8] dyn[yes:1] at
> > ../source3/smbd/smb2_server.c:2705
> > [2014/05/24 00:14:41.655835, 10, pid=2134, effective(3000200, 100),
> > real(3000200, 0)]
> > ../source3/smbd/smb2_server.c:893(smb2_set_operation_credit)
> >   smb2_set_operation_credit: requested 1, charge 1, granted 1, current
> > possible/max 482/512, total granted/max/low/range 31/8192/104/31
>
>
> Can you verify that the groups have the required access on the SysVol
> folder and its content?
>
>
> Regards,
> Marc
>
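
The smbd debug records quoted above carry the effective uid/gid under which each ACL write was attempted. As an added example (not part of the original thread and not Samba code), this Python parser reads that header format and lists every `Operation not permitted` ACL failure with the identity, function and path involved; the sample log is constructed from the quoted excerpt with the mail line-wrapping undone, and the function names are this example's own.

```python
import re

# Constructed sample: records taken from the quoted smbd log, unwrapped so
# that each header sits on one line followed by its indented message.
SAMPLE_LOG = """\
[2014/05/24 00:14:41.655671, 10, pid=2134, effective(3000200, 100), real(3000200, 0)] ../source3/modules/vfs_posixacl.c:111(posixacl_sys_acl_set_file)
  acl_set_file failed: Operation not permitted
[2014/05/24 00:14:41.655708,  2, pid=2134, effective(3000200, 100), real(3000200, 0), class=acls] ../source3/smbd/posix_acls.c:3014(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file samdom//Policies/{5ABDC733-C7C3-4435-9B93-F896C36A508A} (Operation not permitted).
[2014/05/24 00:14:41.655835, 10, pid=2134, effective(3000200, 100), real(3000200, 0)] ../source3/smbd/smb2_server.c:893(smb2_set_operation_credit)
  smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 482/512, total granted/max/low/range 31/8192/104/31
"""

HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\((?P<euid>\d+), (?P<egid>\d+)\), real\((?P<ruid>\d+), (?P<rgid>\d+)\)"
    r"(?:, class=(?P<cls>\w+))?\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
PATH = re.compile(r"for file (?P<path>.+?) \(Operation not permitted\)")


def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            rec = m.groupdict()
            rec["msg"] = ""
            records.append(rec)
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records


def acl_denials(records):
    """Return (euid, egid, function, path-or-None) for every EPERM ACL write."""
    hits = []
    for rec in records:
        if "Operation not permitted" in rec["msg"]:
            p = PATH.search(rec["msg"])
            hits.append((int(rec["euid"]), int(rec["egid"]), rec["func"],
                         p.group("path") if p else None))
    return hits


if __name__ == "__main__":
    for euid, egid, func, path in acl_denials(parse_records(SAMPLE_LOG)):
        print(f"uid={euid} gid={egid} {func}: {path or '(path not in this record)'}")
```

On Linux, setting a POSIX ACL fails with this error when the calling uid neither owns the file nor holds CAP_FOWNER, so the uid reported here can be compared with the owner that `getfacl` shows for the same path.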

