[Samba] GPO fail and sysvol perm errors

Rowland penny rpenny at samba.org
Sun Oct 25 20:00:57 UTC 2020

On 25/10/2020 19:44, Sonic wrote:
> On Sun, Oct 25, 2020 at 3:31 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> OK, if you look at the end of the permissions, there is a '+' sign, this
>> shows that extended acls set, to see these:
>> getfacl /usr/local/samba/var/locks/sysvol
> The difference in acls is that the non-working domain includes:
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> and
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> Otherwise they are identical.
>> You can also see the extended ACL's with:
>> samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl
> Working domain:
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
> Non-working domain:
> O:LAG:DAD:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;;;;WD)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)
> I tried adding the sgid bit and restarting samba but there was no
> change in the results.

What do you mean by 'working domain' and 'non-working domain' ?

Do you have two domains ?

I am also trying to understand why you have 

i do not normally advise this, but try running 'samba-tool ntacl 


More information about the samba mailing list