[Samba] GPO fail and sysvol perm errors

L.P.H. van Belle belle at bazuin.nl
Tue Oct 27 08:01:08 UTC 2020


Hai 

Good morning people around the world. 
More below. 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Sonic via samba
> Sent: Monday 26 October 2020 18:00
> To: belle at samba.org
> CC: Samba Mailing List
> Subject: Re: [Samba] GPO fail and sysvol perm errors
> 
> On Mon, Oct 26, 2020 at 6:46 AM L. van Belle via samba
> <samba at lists.samba.org> wrote:
> > getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/
> > getfacl: Removing leading '/' from absolute path names
> > # file: var/lib/samba/sysvol/my.domain.tld/Policies/
> > # owner: root
> > # group: BUILTIN\\administrators
> > user::rwx
> > user:root:rwx
> > user:BUILTIN\\administrators:rwx
> > user:BUILTIN\\server\040operators:r-x
> > user:NT\040AUTHORITY\\system:rwx
> > user:NT\040AUTHORITY\\authenticated\040users:r-x
> > user:ADDOM\\group\040policy\040creator\040owners:rwx
> > group::rwx
> > group:BUILTIN\\administrators:rwx
> > group:BUILTIN\\server\040operators:r-x
> > group:NT\040AUTHORITY\\system:rwx
> > group:NT\040AUTHORITY\\authenticated\040users:r-x
> > group:ADDOM\\group\040policy\040creator\040owners:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:BUILTIN\\administrators:rwx
> > default:user:BUILTIN\\server\040operators:r-x
> > default:user:NT\040AUTHORITY\\system:rwx
> > default:user:NT\040AUTHORITY\\authenticated\040users:r-x
> > default:user:ADDOM\\group\040policy\040creator\040owners:rwx
> > default:group::---
> > default:group:BUILTIN\\administrators:rwx
> > default:group:BUILTIN\\server\040operators:r-x
> > default:group:NT\040AUTHORITY\\system:rwx
> > default:group:NT\040AUTHORITY\\authenticated\040users:r-x
> > default:group:ADDOM\\group\040policy\040creator\040owners:rwx
> > default:mask::rwx
> > default:other::---
> 
> The above is also what I get after applying those rights.
Ok, so that's correct. 

> 
> > Do you also have/see:
> > default:group:ADDOM\\group\040policy\040creator\040owners:rwx
> > And are the needed users in there?
> 
> I see it, yes, not sure who the needed users are.

Administrator 
Any other extra admin or adminGroup. 

> 
> > How does it look in windows, under Advanced right settings.
> 
> Administrators          Full Control
> Server Operators        Read & Execute
> SYSTEM                  Full Control
> Authenticated Users     Read & Execute
> 
> Should there be something else?
No this looks good to me, that is sufficient. 

> However the sysvolcheck still fails and so does gpupdate, same errors
> in the log as well.

Can you tell the Windows event id and description?
And which group is set on sysvol in general on the share tab. 

And run CMD: 
gpresult /H gpreport.html
gpreport.html  ( browser will open ) 

At Computer details, check the applied GroupPolicyObjects. 
There you can see the security filters, which groups are used in/for the gpo objects.
Repeat for User details. 

I don't need the computer/user details, but I do need the event id and description of the fails. 

Greetz, 

Louis
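
An added example, not part of the original message and not Samba's own tooling: a small Python check that parses getfacl output in the format quoted above, decodes the `\\` and `\040` escapes, and lists every entry that is missing or differs from the listing in this thread. The function names and the sample input are constructed for illustration; the baseline is an assumption taken from the quoted listing, with ADDOM as the thread's placeholder domain.

```python
import re

# Baseline copied from the getfacl listing in this thread: each principal
# appears as both a user: and a group: entry, in the access and default ACL.
# ADDOM is the thread's placeholder domain name.
EXPECTED = {
    "BUILTIN\\administrators": "rwx",
    "BUILTIN\\server operators": "r-x",
    "NT AUTHORITY\\system": "rwx",
    "NT AUTHORITY\\authenticated users": "r-x",
    "ADDOM\\group policy creator owners": "rwx",
}

def unescape(name):
    # getfacl quoting: "\\" is a literal backslash, "\040" an octal byte (space)
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)

def parse_getfacl(text):
    """Map (scope, tag, principal) -> perms for every named ACL entry."""
    acl = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # header or blank line
        entry = line.split()[0]                       # drop "#effective:" tail
        scope = "access"
        if entry.startswith("default:"):
            scope, entry = "default", entry[len("default:"):]
        tag, rest = entry.split(":", 1)
        who, perms = rest.rsplit(":", 1)
        if who:                                       # skip owner/mask/other
            acl[(scope, tag, unescape(who))] = perms
    return acl

def acl_problems(text, expected=EXPECTED):
    """List (scope, tag, principal, wanted, found) for each deviation."""
    acl = parse_getfacl(text)
    return [(scope, tag, who, want, acl.get((scope, tag, who)))
            for scope in ("access", "default")
            for tag in ("user", "group")
            for who, want in expected.items()
            if acl.get((scope, tag, who)) != want]

# Constructed sample in getfacl's format, not output from a real host.
SAMPLE = r"""# file: var/lib/samba/sysvol/my.domain.tld/Policies/
user:BUILTIN\\server\040operators:r-x
default:group:ADDOM\\group\040policy\040creator\040owners:r-x
"""

if __name__ == "__main__":
    for p in acl_problems(SAMPLE):
        print("scope=%s tag=%s who=%r want=%s found=%s" % p)
```

To check a real directory, pass the text captured from the getfacl command quoted above to `acl_problems()` instead of `SAMPLE`; a found value of `None` means the entry is absent.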




