[Samba] sysvolreset doesn't reset all ACLs
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 24 13:13:02 UTC 2017
Hai,
To recover from that problem, read:
The "why" I set it up like this:
http://lists-archives.com/samba/106301-can-t-create-update-group-policy-in-samba-4-6-5.html
And how to fix it:
http://lists-archives.com/samba/106333-can-t-create-update-group-policy-in-samba-4-6-5.html
Note on this last link, the part:
A good tip to restore the defaults with samba-tool without errors.
Move your domain folder out of the /var/lib/samba/sysvol folder.
mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
mkdir /var/lib/samba/sysvol/intern.domain.tld <<<<<<<<<< you must have an empty folder for the next command.
And run samba-tool ntacl sysvolreset
----
Good luck, if you need more help, you know where to find us. ;-)
( PS: when it's all done, DON'T run samba-tool ntacl sysvolreset again, never ever )
Until this bug is fixed.
( more GPO tips, google: https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&source=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu-O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 )
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Thursday 24 August 2017 14:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>
> On Thu, 24 Aug 2017 14:15:53 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>
> > On 2017-08-24 13:00, Rowland Penny via samba wrote:
> > > On Thu, 24 Aug 2017 12:41:36 +0200
> > > Sven Schwedas via samba <samba at lists.samba.org> wrote:
> > >
> > >> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> > >>> On Thu, 24 Aug 2017 12:03:42 +0200 Sven Schwedas via samba
> > >>> <samba at lists.samba.org> wrote:
> > >>>
> > >>>>
> > >>>> Where does the error come from, and why doesn't sysvolreset fix
> > >>>> it?
> > >>>>
> > >>>
> > >>> Mainly because (from my testing) sysvolcheck/sysvolreset is
> > >>> broken. I do not write 'C' code and the problem seems to be in
> > >>> set_nt_acl from source3/smbd/posix_acls.c. It doesn't set the
> > >>> correct ACL.
> > >>>
> > >>> I have opened a bug for this:
> > >>>
> > >>> https://bugzilla.samba.org/show_bug.cgi?id=12924
> > >>
> > >> Ah, crap.
> > >
> > > I actually used worse words when I found out why I couldn't get my
> > > work on the Python code to work. ;-)
> > >
> > >>
> > >>> Even when this gets fixed, the Python code will need work, because
> > >>> it doesn't do what Windows does, also anybody who has set a
> > >>> gidNumber on Domain Admins, will need to remove it, the group
> > >>> needs to own things in sysvol and with a gidNumber it cannot.
> > >>
> > >> Does this apply only to sysvolreset or also when fixing ACLs from
> > >> Windows?
> > >
> > > On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> > > idmap.ldb, this makes it able to own files and dirs in sysvol. The
> > > moment you give 'Domain Admins' a gidNumber, you break this mapping
> > > and the group becomes just a group and cannot own anything on a Unix
> > > machine, so my recommendation is to not give the group a gidNumber,
> > > create another group 'Unix Admins' ? give this group a gidNumber and
> > > make this group a member of 'Domain Admins'
> >
> > Does removing the gidNumber retroactively allow it to work?
> >
> > (That is, once I figured out how to reset the ACLs from within
> > Windows.)
> >
>
> It should, idmap.ldb works on a first come basis, so the next
> time Domain Admins connects it should get issued with a new xidNumber.
>
> Rowland
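
The three steps from the top of this message (move the domain folder out of sysvol, recreate it empty, run samba-tool ntacl sysvolreset), wrapped with guards as an added shell example; it is not part of the original post or of Samba. The function name, the variable names and the default target directory are assumptions.

```shell
#!/bin/sh
# Added example: the move / mkdir / sysvolreset steps from the message, with guards.
# SYSVOL, DOMAIN, BACKUP_DIR, SAMBA_TOOL and SYSVOL_BACKUP are names assumed here.
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"
DOMAIN="${DOMAIN:-intern.domain.tld}"                    # folder name used in the message
BACKUP_DIR="${BACKUP_DIR:-/var/lib/samba/sysvol-moved}"  # assumed "somewhere else"
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

sysvol_reset_on_empty() {
    src="$SYSVOL/$DOMAIN"
    SYSVOL_BACKUP="$BACKUP_DIR/$DOMAIN.$(date +%Y%m%d-%H%M%S)"

    # The domain folder must be a real directory, not a symlink.
    if [ ! -d "$src" ] || [ -L "$src" ]; then
        echo "no domain folder at $src" >&2; return 2
    fi
    # The message says to move it out of the sysvol folder: refuse a target inside it.
    case "$BACKUP_DIR/" in
        "$SYSVOL"/*) echo "BACKUP_DIR is inside $SYSVOL" >&2; return 3 ;;
    esac
    if [ -e "$SYSVOL_BACKUP" ]; then
        echo "$SYSVOL_BACKUP already exists" >&2; return 4
    fi

    # Step 1: move the domain folder out of sysvol.
    mkdir -p "$BACKUP_DIR" && mv "$src" "$SYSVOL_BACKUP" || return 5
    # Step 2: recreate it and confirm it really is empty.
    mkdir "$src" || return 6
    if [ -n "$(ls -A "$src")" ]; then
        echo "$src is not empty" >&2; return 6
    fi
    # Step 3: run the reset once against the empty folder.
    if ! "$SAMBA_TOOL" ntacl sysvolreset; then
        echo "sysvolreset failed; original data is in $SYSVOL_BACKUP" >&2; return 7
    fi
    echo "original domain folder kept at $SYSVOL_BACKUP"
}

# Usage (as root on the DC): sysvol_reset_on_empty
```

Keeping BACKUP_DIR on the same filesystem as sysvol makes the move a rename, so the moved copy keeps the ACLs and extended attributes it had.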