[Samba] Proper sysvol permissions

Michal Michal67M at seznam.cz
Fri Jun 22 14:07:39 UTC 2018


Samba 4.8.2 as AD controller, installed from scratch (no upgrade).

I am getting "access denied" for GPO objects and netlogon or sysvol shares
both on Win7 and W10 clients.

[root at ad1 etc]# ll /usr/local/samba.ad/var/locks/
total 1384
-rw-------  1 root root 421888 May 17 08:30 account_policy.tdb
-rw-------  1 root root 528384 May 17 08:30 registry.tdb
-rw-------  1 root root 421888 May 17 08:29 share_info.tdb
drwxrwx---+ 6 root  544   4096 Jun  1 16:38 sysvol
-rw-------  1 root root  32768 Jun 22 15:40 winbindd_cache.tdb
drwxr-x---  2 root root   4096 Jun 22 15:40 winbindd_privileged

[root at ad1 etc]# ll /usr/local/samba.ad/var/locks/sysvol/
total 32
drwxrwx---+ 3 root 544 4096 May 17 08:21 ad.nemuh.cz
drwxrwx---+ 4 root 544 4096 Jun  1 16:22 nemuh.cz
drwxrwx---+ 4 root 544 4096 May 17 08:27 nspuh.cz
drwxrwx---+ 4 root 544 4096 Jun  1 16:33 uhn.cz

An ordinary user cannot access these, but Samba runs as root, so Samba
itself can access these structures and serve them to clients (if Samba
wanted to do that).
Are these permissions correct? I did not find documentation for that.

#samba-tool ntacl sysvolcheck
returns something not very trustworthy

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory /usr/local/samba.ad/var/locks/sysvol/nemuh.cz/Policies/{CD95731E-39C1-4B71-82D1-9CD25F210509}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1800, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1751, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1698, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

No idea what this means.

Thanks, Michal


[global]
	netbios name = AD1
	realm = NEMUH.CZ
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, k
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, k
	workgroup = UHN
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /usr/local/samba.ad/var/locks/sysvol/nemuh.cz/scripts
	read only = No

[sysvol]
	path = /usr/local/samba.ad/var/locks/sysvol
	read only = No
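The two SDDL strings in the sysvolcheck error above contain exactly the same seven ACEs; the only place they differ is the DACL control-flag field, "PAI" on the filesystem against "P" in the value derived from the GPO object. In SDDL, P marks the DACL as protected (no inheritance from the parent) and AI marks it as auto-inherited, and the traceback shows that check_dir_acl raises whenever the filesystem SDDL and the expected SDDL do not match. The script below is an added example, not Samba's code and not from the post: it parses both descriptors (owner, group, DACL control flags and plain ACEs only), reports which fields disagree, and renders each ACE in words. The sample strings are the two descriptors from the error message; the function names, the flag/trustee/rights tables (standard SDDL meanings) and the dataclasses are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the two descriptors printed by `samba-tool ntacl
# sysvolcheck` in the post; filesystem ACL first, value expected from the GPO
# object in the directory database second.
FS_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
DB_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")

# DACL control flags; two-letter tokens are listed first so "AI" is not
# misread. Meanings are the SDDL definitions, nothing Samba-specific.
DACL_FLAGS = {"AR": "auto-inherit required",
              "AI": "auto-inherited from the parent",
              "P": "protected, does not inherit from the parent"}
# Well-known SID aliases and access masks that appear in the post.
TRUSTEES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
            "CO": "Creator Owner", "SY": "Local System",
            "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
RIGHTS = {0x001F01FF: "full control", 0x001200A9: "read and execute"}


@dataclass(frozen=True)
class Ace:
    ace_type: str  # A = allow, D = deny
    flags: str     # OI/CI/IO inheritance flags, verbatim
    rights: str    # hex mask or SDDL rights letters, verbatim
    trustee: str   # SID alias or literal S-1-... SID


@dataclass
class Descriptor:
    owner: str
    group: str
    dacl_flags: List[str]
    aces: List[Ace]


def split_dacl_flags(text: str) -> List[str]:
    """Tokenise a control-flag string such as 'PAI' into ['P', 'AI']."""
    out, i = [], 0
    while i < len(text):
        for tok in DACL_FLAGS:  # iteration order: AR, AI, P
            if text.startswith(tok, i):
                out.append(tok)
                i += len(tok)
                break
        else:
            raise ValueError("unknown DACL control flag near %r" % text[i:])
    return out


def parse_sddl(sddl: str) -> Descriptor:
    """Parse the O:, G: and D: components; an S: (SACL) component is ignored."""
    parts = {p[0]: p[2:] for p in re.split(r"(?=[OGDS]:)", sddl) if p}
    dacl = parts.get("D", "")
    paren = dacl.find("(")
    flag_text = dacl if paren < 0 else dacl[:paren]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        # Plain ACEs have six ';'-separated fields; object GUIDs are unused here.
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        aces.append(Ace(ace_type, flags, rights, trustee))
    return Descriptor(parts.get("O", ""), parts.get("G", ""),
                      split_dacl_flags(flag_text), aces)


def describe_ace(ace: Ace) -> str:
    """Render an ACE in words, e.g. 'allow Domain Admins full control [OICI]'."""
    verb = {"A": "allow", "D": "deny"}.get(ace.ace_type, ace.ace_type)
    rights = ace.rights
    if rights.lower().startswith("0x"):
        rights = RIGHTS.get(int(rights, 16), rights)
    return "%s %s %s [%s]" % (verb, TRUSTEES.get(ace.trustee, ace.trustee),
                              rights, ace.flags)


def diff_descriptors(a: Descriptor, b: Descriptor) -> Dict[str, Tuple]:
    """Return only the fields on which two descriptors disagree."""
    diffs: Dict[str, Tuple] = {}
    for name in ("owner", "group", "dacl_flags"):
        if getattr(a, name) != getattr(b, name):
            diffs[name] = (getattr(a, name), getattr(b, name))
    if a.aces != b.aces:
        only_a = [describe_ace(x) for x in a.aces if x not in b.aces]
        only_b = [describe_ace(x) for x in b.aces if x not in a.aces]
        diffs["aces"] = (only_a, only_b)  # both empty: same ACEs, different order
    return diffs


if __name__ == "__main__":
    fs, db = parse_sddl(FS_SDDL), parse_sddl(DB_SDDL)
    for name, (fs_val, db_val) in diff_descriptors(fs, db).items():
        print("%s differs: filesystem=%r database=%r" % (name, fs_val, db_val))
    for flag in sorted(set(fs.dacl_flags) ^ set(db.dacl_flags)):
        print("  flag %s: %s" % (flag, DACL_FLAGS[flag]))
```

Run on the two strings from the post, the only reported difference is dacl_flags (['P', 'AI'] against ['P']), which makes the mismatch easy to read: the directory on disk carries the auto-inherited flag that the expected descriptor lacks, while owner, group and every ACE agree. The same comparison works on any pair of plain SDDL descriptors (for instance the output of `samba-tool ntacl get` against a value you expect), which is a quicker way to locate a discrepancy than eyeballing two long strings.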

