[Samba] Strange GPO rights samba 4.2.1

L.P.H. van Belle belle at bazuin.nl
Fri Apr 24 02:52:53 MDT 2015

I'm having a strange thing with SerNet Samba 4.2.1 on Debian Wheezy.
I installed 2 DCs with my scripts.
I did set up the sysvol replication and now I'm seeing the following when I create new policies.
The default GPOs:
drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root          BUILTIN\administrators 4096 Apr 24 10:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
The new policy I created:
drwxrwx---+ 4 domain admins domain admins          4096 Apr 24 10:17 {B9C07E8F-54C3-4FA0-8C39-E357E068D393}

Check these strange rights...
Because of the "domain admins domain admins" rights, and why is user root here created as "domain admins"?
When I now run:
/usr/bin/rsync -XAavz --log-file /var/log/sysvol-sync.log --delete-after -f"+ */" -f"- *"  /home/samba/sysvol root@dc2:/home/samba  &&  /usr/bin/unison
I'm getting these errors:
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/Machine, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/internal.domain.tld/Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}/User, ACL_TYPE_ACCESS): Invalid argument (22)

I created the new policy with the user "Domain\Administrator" from within the Windows tools from a Windows 7 PC as normal...
Anyone else seen this behavior?
This is the conf I'm using atm:
[global]
        workgroup = INTERNAL
        realm = INTERNAL.DOMAIN.TLD
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
        auth methods = sam, winbind, ntdomain, ntdomain:winbind
        ## KEEP THIS OFF !! Only used for modifying the AD schema
        ## (the parameter is "dsdb:schema update allowed"; the posted conf had it as "sdb:")
        dsdb:schema update allowed = no
        ## Don't forget to set idmap_ldb on ALL DCs if you use it
        idmap_ldb:use rfc2307 = yes
        ## map ids outside the domain to tdb files
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        ## map ids from the domain; the (*) range may not overlap with this one!
        ## (the label after "idmap config" has to be the domain's workgroup name,
        ## otherwise these lines never apply and the (*) tdb backend is used instead)
        idmap config BAZRTD : backend = ad
        idmap config BAZRTD : schema_mode = rfc2307
        idmap config BAZRTD : range = 10000-3999999
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind expand groups = 3
        ## When using idmap backend RID enable these
        ## (or for users without UID/GID, for example administrator)
        #template shell = /bin/bash
        #template homedir = /home/users/%ACCOUNTNAME%
        interfaces =
        bind interfaces only = yes
        time server = yes
        wins support = yes
        ## Disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

## The share headers below were not in the posted conf; the names are the
## ones a Samba provision creates, matched to the paths.
[netlogon]
        path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
        read only = No

[sysvol]
        path = /home/samba/sysvol
        read only = No

## share name assumed from the path
[backups]
        path = /home/samba/backups
        browseable = No
        read only = No
        acl_xattr:ignore system acl = yes
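A check worth running before trusting `rsync -XA` to carry sysvol ACLs between two DCs: every numeric uid/gid that appears in the source tree's POSIX ACLs has to resolve on the destination, otherwise rsync has nothing sensible to set there. Samba allocates local xids in idmap.ldb, which is not replicated between DCs, so the same name can map to a different id (or to nothing) on the peer. The script below is an added example, not code from the post or from the Samba project; it does not diagnose the EINVAL above. It parses `getfacl -Rn` output and compares the ids it finds against the peer's `getent passwd`/`getent group` tables. The sample ACL text, the id values and the names in the peer tables are constructed; `check_sysvol_ids`, the `dc2` host and the `/home/samba/sysvol` path are taken from the rsync command in the post.

```shell
#!/bin/sh
# Added example (not from the original post): find uid/gid values referenced
# by POSIX ACLs under a sysvol tree that the peer DC cannot map to a name.

# Constructed sample `getfacl -Rn` output for two policy directories.
# All ids are made up; 3000001 deliberately has no entry on the "peer".
SAMPLE_ACL='# file: Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: 0
# group: 3000000
user::rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:3000000:rwx
default:mask::rwx
default:other::---

# file: Policies/{B9C07E8F-54C3-4FA0-8C39-E357E068D393}
# owner: 10512
# group: 10512
user::rwx
user:10512:rwx
group::rwx
group:3000000:rwx
mask::rwx
other::---
'
# Constructed peer tables, in the format `getent passwd` / `getent group` print.
PEER_PASSWD='root:x:0:0:root:/root:/bin/bash
domain admins:x:10512:10512:Domain Admins:/home/domain admins:/bin/false
'
PEER_GROUP='root:x:0:
BUILTIN\administrators:x:3000000:
domain admins:x:10512:
'

# acl_ids: read `getfacl -n` text on stdin, print each distinct id it
# references as "u:<uid>" or "g:<gid>". Owner/group header lines plus named
# user:/group: entries (including default: entries) are considered;
# unnamed entries such as "user::rwx" carry no id and are skipped.
acl_ids() {
    awk '
        /^# owner: / { print "u:" $3; next }
        /^# group: / { print "g:" $3; next }
        /^(default:)?user:[0-9]+:/  { sub(/^default:/, ""); split($0, f, ":"); print "u:" f[2]; next }
        /^(default:)?group:[0-9]+:/ { sub(/^default:/, ""); split($0, f, ":"); print "g:" f[2]; next }
    ' | LC_ALL=C sort -u
}

# unresolved_ids PASSWD_TABLE GROUP_TABLE: read "u:<id>"/"g:<id>" lines on
# stdin and print "uid N"/"gid N" for every id missing from the tables
# (field 3 of passwd and group lines). Returns 1 if anything is missing.
unresolved_ids() {
    passwd_tab=$1
    group_tab=$2
    rc=0
    while IFS=: read -r kind id; do
        case $kind in
            u) printf '%s\n' "$passwd_tab" | awk -F: -v id="$id" '$3==id{f=1} END{exit !f}' \
                   || { echo "uid $id"; rc=1; } ;;
            g) printf '%s\n' "$group_tab"  | awk -F: -v id="$id" '$3==id{f=1} END{exit !f}' \
                   || { echo "gid $id"; rc=1; } ;;
        esac
    done
    return $rc
}

# check_sysvol_ids [TREE] [PEER]: the real-world form, walking the local
# sysvol with getfacl and fetching the peer's tables over ssh. Not run here.
check_sysvol_ids() {
    tree=${1:-/home/samba/sysvol}
    peer=${2:-dc2}
    getfacl -Rn "$tree" 2>/dev/null | acl_ids |
        unresolved_ids "$(ssh "root@$peer" getent passwd)" "$(ssh "root@$peer" getent group)"
}

# Demo on the constructed sample: prints "gid 3000001" and returns 1.
printf '%s' "$SAMPLE_ACL" | acl_ids | unresolved_ids "$PEER_PASSWD" "$PEER_GROUP" || :
```

Run `check_sysvol_ids` on the source DC before the rsync; an empty output with exit status 0 means every id in the tree's ACLs exists on the peer. If it lists ids, fix the mapping (or copy idmap.ldb, as the Samba wiki's rsync-based sysvol replication procedure describes) rather than pushing the ACLs across.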

