[Samba] sysvolcheck and sysvolreset errors

Roy Eastwood spindles7 at gmail.com
Tue May 19 20:29:00 UTC 2020


> You could try using a script Louis wrote, see here:
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
> 
> The 'idmap config' lines are nothing to worry about, you cannot set them on a DC, but, for some reason, testparm etc warns about
> them.
> 
> Rowland
> 
Sorry, I should have said - I ran Louis' script and set the ACLs according to the output. The script also produced a file called
default-rights-sysvol-acl which contains:
# file: /var/lib/samba/sysvol  
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000027:r-x
user:3000023:rwx
user:3000009:r-x
group::rwx
group:3000000:rwx
group:3000027:r-x
group:3000023:rwx
group:3000009:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000027:r-x
default:user:3000023:rwx
default:user:3000009:r-x
default:group::---
default:group:3000000:rwx
default:group:3000027:r-x
default:group:3000023:rwx
default:group:3000009:r-x
default:mask::rwx
default:other::---

After I had set the ACLs and run the Group Policy Management tool from Windows (which suggested that the ACLs were not correct and
offered to correct them by clicking OK), getfacl /var/lib/samba/sysvol produces this:
# file: var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
user:NT\040AUTHORITY\\system:rwx
user:BUILTIN\\server\040operators:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
group:NT\040AUTHORITY\\system:rwx
group:BUILTIN\\server\040operators:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:BUILTIN\\server\040operators:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:BUILTIN\\server\040operators:r-x
default:mask::rwx
default:other::---

If I run wbinfo to convert the GIDs to names, the two getfacl lists are essentially the same.

When I run samba-tool gpo aclcheck -Uadministrator, I get:
Password for [MICROLYNX\administrator]:
ERROR: Invalid GPO ACL
O:LAG:S-1-22-2-0D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;;;;WD)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)
on path (microlynx.org\Policies\{CA8E6F15-335B-4BA1-BDD3-7FE7B6780946}), should be
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

Any other ideas?

Thanks Rowland.

Roy
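As an added example (my own code, not from this thread or from Samba), a small parser that diffs the two SDDL strings printed by samba-tool gpo aclcheck above, so the ACEs that are missing, the ACEs that are extra, and the owner/group/DACL-flag mismatches stand out instead of having to be compared by eye. The Ace layout and the alias comments are my own; the two descriptors are copied verbatim from Roy's output.

```python
import re
from typing import NamedTuple

# Both descriptors are copied verbatim from the samba-tool gpo aclcheck output quoted above.
ACTUAL = (
    "O:LAG:S-1-22-2-0D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SO)"
    "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)"
    "(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001f01ff;;;BA)(A;OICI;;;;WD)(A;;0x001f01ff;;;S-1-22-2-0)"
    "(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)"
)
EXPECTED = (
    "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
)
# O:<owner>G:<group>D:<dacl flags><aces>; a principal is a two-letter alias or a raw SID.
SD_RE = re.compile(r"^O:(S-[\d-]+|[A-Z]{2})G:(S-[\d-]+|[A-Z]{2})D:([A-Z]*)((?:\([^)]*\))*)$")

class Ace(NamedTuple):
    kind: str    # A = access allowed
    flags: str   # OI/CI/IO inheritance flags
    rights: str  # hex access mask; empty means the ACE grants nothing
    sid: str     # two-letter alias (LA, BA, DA, EA, SY, AU, ...) or raw SID

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, set of Ace) for an O:/G:/D: descriptor."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: " + sddl)
    owner, group, dacl_flags, ace_str = m.groups()
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", ace_str):
        kind, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        aces.add(Ace(kind, flags, rights, sid))  # set() also collapses the duplicated ACEs
    return owner, group, dacl_flags, aces

def diff_sddl(actual, expected):
    """Explain an 'Invalid GPO ACL' verdict: header mismatches plus missing and extra ACEs."""
    a_owner, a_group, a_flags, a_aces = parse_sddl(actual)
    e_owner, e_group, e_flags, e_aces = parse_sddl(expected)
    return {"owner": (a_owner, e_owner), "group": (a_group, e_group),
            "dacl_flags": (a_flags, e_flags),  # 'P' in expected: inheritance from parent blocked
            "missing": e_aces - a_aces,         # ACEs the GPO should carry but does not
            "extra": a_aces - e_aces}           # ACEs present that the check does not expect

if __name__ == "__main__":
    for key, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

On Roy's descriptors the diff reports DA, EA and ED ACEs missing, the LA/BA/SO/WD/CG/raw-SID ACEs as extra, and the expected DACL flag P (protected from parent inheritance) absent from the actual one.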
