[Samba] Sysvol permission issue - how to repair permanently?

Rowland penny rpenny at samba.org
Tue Apr 6 10:46:50 UTC 2021

On 06/04/2021 11:32, Stefan Bellon wrote:
> On Tue, 06 Apr, Rowland penny via samba wrote:
>> The reason why you get that error is because you have given Domain
>> Admins a gidNumber,
> But that is not my case. Domain Admins DOES NOT have a gidNumber
> attribute (neither does Domain Users).
>> this means that 'O:DA' can never happen. I have multiple GPO's in
>> sysvol and this happens:
>> pi@rpidc1:~ $ sudo samba-tool ntacl sysvolreset
>> pi@rpidc1:~ $ sudo samba-tool ntacl sysvolcheck
>> pi@rpidc1:~ $
>> Absolutely no errors, this is with Samba 4.14.2
> After a "sysvolreset" a subsequent "sysvolcheck" works without any
> issues for me as well. This is not my issue.
> My issue is that it throws the error as soon as I have edited a GPO
> from RSAT, because that somehow changed the permissions in an
> "unexpected" way.
> Greetings,
> Stefan
Hi Stefan, if I write a script to read all the permissions on Sysvol
(Unix, getfacl and 'samba-tool ntacl get'), are you prepared to run it
on a DC before you add a GPO and then again after, then send me the
resultant outputs?

This may help to point to where the problem lies.
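
One way to do the before/after capture proposed above, as an added example that is not the script from this thread: for every path under sysvol it records the Unix owner and mode, the POSIX ACL from getfacl, and the NT ACL from 'samba-tool ntacl get --as-sddl', so two runs can be diffed. The function names, output labels and file names are assumptions, and the sysvol path must be passed as an argument.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage on the DC, as root:
#   sh sysvol-perms.sh /path/to/sysvol > before.txt
#   ... edit the GPO from RSAT ...
#   sh sysvol-perms.sh /path/to/sysvol > after.txt
#   diff -u before.txt after.txt

# snapshot_perms DIR: print one record per file and directory under DIR,
# in a stable order so that two snapshots diff cleanly.
snapshot_perms() {
    dir=$1
    find "$dir" -print | LC_ALL=C sort | while IFS= read -r path; do
        printf '=== %s\n' "$path"
        # Layer 1: Unix owner, group and mode. Numeric IDs are used so that
        # a change in ID mapping is visible rather than hidden behind a name.
        printf 'unix: %s\n' "$(stat -c '%u:%g %a' "$path")"
        # Layer 2: POSIX ACL, also with numeric IDs.
        if command -v getfacl >/dev/null 2>&1; then
            getfacl --absolute-names --omit-header --numeric "$path" 2>/dev/null |
                sed -e '/^$/d' -e 's/^/posix: /'
        else
            echo 'posix: getfacl not installed'
        fi
        # Layer 3: NT ACL as SDDL (owner shows up as O:..., group as G:...).
        # Errors are kept in the record because a missing ACL is a finding too.
        if command -v samba-tool >/dev/null 2>&1; then
            samba-tool ntacl get "$path" --as-sddl 2>&1 | sed 's/^/ntacl: /'
        else
            echo 'ntacl: samba-tool not installed'
        fi
    done
}

# compare_snapshots BEFORE AFTER: unified diff of two snapshot files.
# Exit status 0 means nothing changed between the two runs.
compare_snapshots() {
    diff -u "$1" "$2"
}

# Run a snapshot only when a directory was given on the command line.
[ "$#" -eq 0 ] || snapshot_perms "$1"
```
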

