[Samba] Can't create/update Group Policy in Samba 4.6.5

L.P.H. van Belle belle at bazuin.nl
Mon Jul 3 07:29:51 UTC 2017 

Hai, 

In reponse to the why i recommend that. 

Since this is a "windows" only share, i recomment to set it up for that usage, with results in better matching for windows rights.
Resulting in better working policies. 
The current POSIX rights did not match to my needs and resulted in inconsistant policies.
This is why i use these for profiles and sysvol. 

And this is my setup order:

setup the sysvol share with : acl_xattr:ignore system acls = yes

Setup SeDiskOperatorPrivilege. For sysvol, setup 2 ! Groups. 
net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
net rpc rights grant "SAMDOM\Group Policy Creator Owners" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
  And use the default windows group for extra users: "Group Policy Creator Owners"

Setup Share rights, (you must re-apply them if you use "ignore system acls" ) 

Setup Security rights, but since your using, "ignore system acls" the default sysvol rights are now ok.
But check if creator group also on the security rights. 

Check from with GPO manament tools, you wil get some messages about rights to fix, do that. 
And dont run samba-tools sysvolreset, if you do, then you wil have to repeat above again. 

Now you GPO should work as normal. 

Try it out and report your result. 


Greetz, 

Louis 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Stefan G. Weichinger via samba
> Verzonden: zondag 2 juli 2017 20:41
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
> 
> Am 2017-07-02 um 17:26 schrieb Rowland Penny via samba:
> 
> >> [sysvol]
> >>   path = /usr/local/samba/var/locks/sysvol
> >>   read only = No
> >>   acl_xattr:ignore system acls = yes
> > 
> > You should remove the above line, it isn't required.
> 
> Louis recommended that one to me a few weeks ago.
> Could you explain?
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list