[Samba] sysvolcheck and sysvolreset errors

Roy Eastwood spindles7 at gmail.com
Wed May 20 13:47:21 UTC 2020


> >
> Yes, There are three places where permissions are stored on sysvol (4 if you count in AD), the standard Linux permissions 'ugo', POSIX
> ACLs as shown by getfacl and an EA (this is where the ACLs are stored when set from Windows).
> 
> Try running 'samba-tool ntacl get /var/lib/samba/sysvol --as-sddl', this should produce something similar to this:
> 
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
> 
> Try checking using that, but you will have to do it file by file etc.
> 
> I personally would set the permissions from Windows and ignore sysvolcheck/reset. Also ensure that Domain Admins does not have a
> gidNumber if you are using the RFC2307 attributes.
> 
> Rowland

Yes, I get similar output but it's not what sysvolcheck is expecting. Well I suppose sysvolcheck isn't happy with the
permissions, but as GPOs are able to be edited, changed and are applied to both computers and users then I assume this can be
ignored. I got the ACL settings from Louis' script, but does the wiki stipulate what they should be? If so setting them to what
sysvolcheck expects - will that make this error go away? Is it a bug in sysvolcheck?

Thanks,

Roy
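
Added example, not part of the original thread or of Samba's code: a small Python parser for the SDDL string that `samba-tool ntacl get --as-sddl` prints, so per-file output can be read in words and compared against a reference string. The function names, the alias subset and the `VARIANT` string are assumptions made for illustration; the thread does not state what sysvolcheck expects, and conditional ACEs with nested parentheses are not handled.

```python
import re

# Subset of the two-letter SDDL trustee aliases, and the two access masks
# that occur in the string quoted in the thread.
ALIASES = {"LA": "Local Administrator", "BA": "BUILTIN\\Administrators",
           "SO": "Server Operators", "SY": "Local System",
           "AU": "Authenticated Users"}
MASKS = {0x001F01FF: "full control", 0x001200A9: "read and execute"}
SDDL_RE = re.compile(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)")

def parse_sddl(sddl):
    """Split O:/G:/D: SDDL into owner, group, DACL flags and ACE dicts."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:...G:...D:... SDDL string")
    owner, group, dacl_flags, blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", blob):
        fields = body.split(";")
        if len(fields) != 6:  # type;flags;rights;object;inherit_object;trustee
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _, _, trustee = fields
        # Hex masks become ints; symbolic rights (e.g. "FA") stay as text.
        mask = int(rights, 16) if rights.lower().startswith("0x") else rights
        aces.append({"type": ace_type, "flags": tuple(re.findall("..", flags)),
                     "mask": mask, "trustee": trustee})
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}

def describe(ace):
    """Render one ACE in words, falling back to raw values when unknown."""
    who = ALIASES.get(ace["trustee"], ace["trustee"])
    m = ace["mask"]
    what = MASKS.get(m, hex(m) if isinstance(m, int) else m)
    kind = {"A": "allow", "D": "deny"}.get(ace["type"], ace["type"])
    return f"{kind} {who}: {what} [{','.join(ace['flags'])}]"

def diff_aces(actual, reference):
    """Return (missing, extra) ACE descriptions of actual relative to reference."""
    a = {describe(x) for x in parse_sddl(actual)["aces"]}
    r = {describe(x) for x in parse_sddl(reference)["aces"]}
    return sorted(r - a), sorted(a - r)

# The string from the thread, and a constructed variant with the SO entry removed.
THREAD = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
VARIANT = THREAD.replace("(A;OICI;0x001200a9;;;SO)", "")
```

`diff_aces(actual, reference)` lists the ACEs present in the reference but absent from the file's ACL, and the reverse, which makes the file-by-file comparison suggested in the quoted reply easier to read.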



