[Samba] GPO fail and sysvol perm errors
Rowland penny
rpenny at samba.org
Sun Oct 25 20:00:57 UTC 2020
On 25/10/2020 19:44, Sonic wrote:
> On Sun, Oct 25, 2020 at 3:31 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> OK, if you look at the end of the permissions, there is a '+' sign; this
>> shows that extended ACLs are set. To see these:
>>
>> getfacl /usr/local/samba/var/locks/sysvol
> The difference in ACLs is that the non-working domain includes:
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> and
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
>
> Otherwise they are identical.
>
>> You can also see the extended ACLs with:
>> samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl
> Working domain:
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> Non-working domain:
> O:LAG:DAD:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;;;;WD)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)
>
> I tried adding the sgid bit and restarting samba but there was no
> change in the results.

What do you mean by 'working domain' and 'non-working domain'?

Do you have two domains?

I am also trying to understand why you have
'DENIED_RODC_PASSWORD_REPLICATION_GROUP' in your ACL?

I do not normally advise this, but try running
'samba-tool ntacl sysvolreset'

Rowland
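
An added example, not part of the original message and not Samba code: a short Python script that parses the two SDDL strings quoted above and lists how the non-working DACL departs from the working one. The function names are hypothetical; the SDDL strings are the ones from the thread.

```python
import re
from collections import Counter

# SDDL strings copied from the thread (`samba-tool ntacl get ... --as-sddl`).
WORKING = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
NON_WORKING = "O:LAG:DAD:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;;;;WD)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)"

# Standard SDDL trustee aliases that occur in the two strings.
ALIASES = {"BA": "Builtin Administrators", "SO": "Server Operators", "SY": "Local System",
           "AU": "Authenticated Users", "LA": "Local Administrator", "SA": "Schema Admins",
           "DA": "Domain Admins", "WD": "Everyone", "CO": "Creator Owner", "CG": "Creator Group"}

def parse_sddl(sddl):
    """Return owner, group, the DACL 'protected' flag and a list of ACE tuples."""
    owner, group, flags = re.match(r"O:(.+?)G:(.+?)D:([A-Z]*)", sddl).groups()
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, ace_flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        aces.append((ace_type, ace_flags, rights, trustee))
    return {"owner": owner, "group": group, "protected": "P" in flags, "aces": aces}

def compare(reference, suspect):
    """Describe how the suspect DACL departs from the reference DACL."""
    ref, sus = parse_sddl(reference), parse_sddl(suspect)
    counts = Counter(sus["aces"])  # keeps first-seen order of distinct ACEs
    return {
        "header_changes": {k: (ref[k], sus[k]) for k in ("owner", "group", "protected")
                           if ref[k] != sus[k]},
        "missing": [a for a in ref["aces"] if a not in counts],
        "extra": [a for a in counts if a not in ref["aces"]],
        "duplicated": [a for a, n in counts.items() if n > 1],
        "no_rights": [a for a in counts if a[2] == ""],
    }

if __name__ == "__main__":
    for section, items in compare(WORKING, NON_WORKING).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            name = ALIASES.get(item[-1], "") if section != "header_changes" else ""
            print("   ", item, name)
```

Run against any two `--as-sddl` outputs by replacing the two constants; the ACE tuples are (type, flags, rights, trustee).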