[Samba] sysvol permissions

L.P.H. van Belle belle at bazuin.nl
Thu Sep 17 09:46:33 UTC 2015 

Hai Mourik Jan, 


Try with : 
samba-tool ntacl sysvolcheck -U Administrator 
samba-tool gpo aclcheck -U Administrator 

Set : acl_xattr:ignore system acls = yes 
On sysvol and netlogon share since only windows computers use these. 
It gives better NT ACL compatibility. 

and if you Group policies work, ignore these errors.


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens mourik jan
> heupink
> Verzonden: donderdag 17 september 2015 11:34
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] sysvol permissions
> 
> Hi,
> 
> We're running samba 4.1.17-SerNet-Debian-10.wheezy, AD mode, and we seem
> to have permission problems on our sysvol:
> 
> > root at DC2:/var/lib/samba# samba-tool ntacl sysvolcheck
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/samba.domain.com/Policies/{A577A789-8C39-447A-8555-
> 42B247B9943C}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
> f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120
> 0a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001
> f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120
> 0a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line
> 249, in run
> >     lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1726, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1677, in check_gpos_acl
> >     domainsid, direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 1624, in check_dir_acl
> >     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' % (acl_type(direct_db_access),
> path, fsacl_sddl, acl))
> 
> Running
>  > root at DC2:/var/lib/samba# samba-tool ntacl sysvolreset
> finishes without any output, so I'm guessing that means: success.... but
> afterwards sysvolcheck still reports the same error.
> 
> Is this some bug in 4.1.17..? We could of course try upgrading...?
> 
> MJ
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list