[Samba] GPO fail and sysvol perm errors

Sonic sonicsmith at gmail.com
Wed Oct 28 15:33:00 UTC 2020


Hi Louis,
On Wed, Oct 28, 2020 at 10:04 AM L.P.H. van Belle via samba
<samba at lists.samba.org> wrote:
> Now, re-apply these (long lines, make sure you didn't miss a part).
>
> samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /var/lib/samba/sysvol/
> samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /var/lib/samba/sysvol/$(hostname -d)
> samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)" /var/lib/samba/sysvol/$(hostname -d)/Policies/
>
> Now test, create a new policy and test it, if that works, which should, because this is coming from my production servers.
> Then compare it with the not working. Run getfacl on both folders.

Re-applied those ACLs and it appears to be working. There is a
difference in the unix perms for the newly created GPO vs one that
existed during the application of the ACLs.
Existing GPO (all of them actually):
root@srvr01:/usr/local/samba/var/locks/sysvol/my.addom.com/Policies# ls -al \{07AF723D-5FFD-4807-B3C6-DFCE911B922A\}/
total 40
drwxrwx---+ 4 ADDOM\domain admins ADDOM\domain admins 4096 Oct 25 16:48 .
drwxrwx---+ 7 root                   BUILTIN\administrators 4096 Oct 25 16:48 ..
-rwxrwx---+ 1 ADDOM\domain admins ADDOM\domain admins   59 Oct 26 11:52 GPT.INI
drwxrwx---+ 2 ADDOM\domain admins ADDOM\domain admins 4096 Oct 26 11:52 Machine
drwxrwx---+ 2 ADDOM\domain admins ADDOM\domain admins 4096 Oct 25 16:48 User

New GPO:
root@srvr01:/usr/local/samba/var/locks/sysvol/my.addom.com/Policies# ls -al \{0C0B713E-EE65-4ACE-88AE-25125E2AAE00\}/
total 40
drwxrwx---+ 4 ADDOM\domain admins ADDOM\domain admins 4096 Oct 28 10:50 .
drwxrwx---+ 8 root                   BUILTIN\administrators 4096 Oct 28 10:50 ..
-rwxrwx---+ 1 BUILTIN\administrators users                    59 Oct 28 11:00 GPT.INI
drwxrwx---+ 2 BUILTIN\administrators users                  4096 Oct 28 11:00 Machine
drwxrwx---+ 2 BUILTIN\administrators users                  4096 Oct 28 10:50 User

However, the ACLs via getfacl for the two GPOs are identical.
I don't know if that will be problematic down the road or not.

Thanks,
Chris
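
Added example, not part of the original thread: a small Python decoder for the SDDL strings passed to `samba-tool ntacl set` above, showing which trustees receive write-capable rights on sysvol versus Policies. The alias and mask tables cover only the values that appear in the thread, and the function names are hypothetical.

```python
import re

# Well-known SDDL SID aliases that appear in the thread's ACL strings.
SIDS = {"LA": "Local Administrator", "BA": "BUILTIN\\Administrators",
        "SO": "Server Operators", "SY": "Local System",
        "AU": "Authenticated Users", "PA": "Group Policy Creator Owners"}
# File access masks used in the thread, named as the Windows ACL editor shows them.
MASKS = {0x001F01FF: "Full control", 0x001301BF: "Modify",
         0x001200A9: "Read & execute"}
# Bits that let a trustee change content, attributes, ownership or the ACL itself.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE dicts."""
    m = re.fullmatch(r"O:([\w-]+?)G:([\w-]+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: " + sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(4)):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;sid
        typ, flags, rights, _obj, _inh, sid = body.split(";")
        mask = int(rights, 16)  # hex masks only, as used in the thread
        aces.append({"type": typ, "flags": re.findall("..", flags),
                     "mask": mask, "sid": sid,
                     "trustee": SIDS.get(sid, sid),
                     "rights": MASKS.get(mask, hex(mask)),
                     "can_write": bool(mask & WRITE_BITS)})
    return {"owner": m.group(1), "group": m.group(2),
            "protected": "P" in m.group(3), "aces": aces}

def writers(sddl):
    """SID aliases whose allow ACEs include any write-capable bit."""
    return sorted(a["sid"] for a in parse_sddl(sddl)["aces"]
                  if a["type"] == "A" and a["can_write"])

# The two distinct strings from the thread: sysvol root and Policies.
SYSVOL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
POLICIES = SYSVOL + "(A;OICI;0x001301bf;;;PA)"

if __name__ == "__main__":
    for name, sddl in (("sysvol", SYSVOL), ("Policies", POLICIES)):
        print(name, "writers:", writers(sddl))
        for a in parse_sddl(sddl)["aces"]:
            print(f"  {a['trustee']:<28} {a['rights']:<15} {'+'.join(a['flags'])}")
```

Running the same decoder over the SDDL reported by `samba-tool ntacl get --as-sddl` for a working and a non-working GPO folder gives a trustee-by-trustee comparison that complements the `getfacl` check.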
