[Samba] several offices: home dirs, local resources, ...

Rowland Penny rpenny at samba.org
Tue Nov 22 17:44:59 UTC 2022

On 22/11/2022 17:13, Michael Tokarev via samba wrote:
> 22.11.2022 19:46, Kees van Vloten via samba wrote:
>>> 2. why samba4 offers SYSVOL *file* share when using it as a file 
>>> server is not
>>>  a good idea, why not use regular non-dc samba server for it?
>> SYSVOL is a special share which must be on the DC (and so is the 
>> netlogon share). You should take care of replications of the files 
>> yourself, the DC replication does not handle it. The wiki describes 
>> multiple solutions to get it done (I am using the osync method which 
>> works well for my situation). Permissions on the SYSVOL share are very 
>> critical, if not exactly right Windows will not be able to pick up 
>> GPOs properly for example.
>> samba-tool can reset the permissions in case they got messed up.
> Sometimes I don't understand which language we're using.


> I do know full well that the sysvol replication is not implemented and 
> should
> be done externally (got that yesterday when, after adding a new DC, users
> complained their usual drive letters weren't mapped because I forgot to 
> replicate
> GPO in sysvol).  I know what wiki describes, I corrected quite some data 
> there
> already and have other corrections too.  I know about permissions of 
> and I know more: permissions of SYSVOL (actually ACLs) should match *local*
> idmap.db file, which should be replicated too but it is not mentioned in
> the wiki.

It is mentioned in the wiki.

> I know well about sysvolreset and sysvolcheck too, -- found it
> the hard way, used them many times.
> But how it all is related to my question?
> I asked why, if a source4 fileserver is not operational, why it is used for
> sysvol share instead of some other fileserver?  And if, despite all the 
> claims
> by you and Rowland in this thread (you both claimed using a fileserver in
> source4 is not a good idea), it actually is good enough to serve SYSVOL
> share, why it is ALSO not good enough to serve single read-only MSDFS-root
> share with 2 files within?

The Sysvol share was created to do one thing, hold GPO's, which until 
fairly recently, were only used by Windows, so the ACLs are crafted to 
match what Windows expects. This means that normal Unix tools cannot set 
these 'permissions', so you have to use samba-tool. The 'samba' binary 
was created around being an AD DC, so again, it doesn't like the 
standard Unix tools.
What this means is, if you create a share on a DC, it has to look like this:

     path = /path/to/directory/holding/share
     read only = no

you shouldn't add anything else and you MUST set the ACLs from Windows, 
you cannot use chmod, setfacl, etc

You sound like myself 10 years ago, I wanted to do things very similar 
to yourself, but once I got my head around the fact that an AD domain does not 
work anything like an NT4-style domain, it all became obvious.

> How all the sysvol permission and replication stuff answers to this 
> question?
> And now I really wonder: am I asking something fantastically stupid, 
> illogical,
> random, or maybe I'm phrasing my question in somehow difficult to 
> understand
> form, - why my question can't be understood, how *else* can I rephrase it?
> And now, for fun side, once you mention sysvolcheck and sysvolreset stuff,
> here's another twist:
> svdcp:/# samba-tool ntacl sysvolcheck
> svdcp:/# samba-tool ntacl sysvolreset
> svdcp:/# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
> ProvisioningError: DB ACL on GPO directory 
> /var/lib/samba/sysvol/tls.msk.ru/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object

If you look very carefully, you will see that there is only one letter 
different, the start is:

O:LAG:DAD:P

against the expected:

O:DAG:DAD:P

'LA' is local administrator (or root)
'DA' is Domain Admins

What does 'ls -lad 
return ?

Does Domain Admins have a gidNumber ?


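Added example, not part of the post and not Samba's own code: a small Python helper that splits the two SDDL strings from the sysvolcheck error above into owner, group, DACL flags and ACEs and reports only the fields that differ, so an owner mismatch like LA versus DA is visible without reading the whole line. The parser only handles the plain `O:...G:...D:...(ACE)...` form that sysvolcheck prints (no SACL, no conditional ACEs).

```python
import re

# Well-known SID abbreviations that appear in the sysvolcheck output above.
SID_NAMES = {"LA": "local Administrator", "DA": "Domain Admins",
             "EA": "Enterprise Admins", "CO": "Creator Owner",
             "SY": "Local System", "AU": "Authenticated Users",
             "ED": "Enterprise Domain Controllers"}

# ACE list copied from the sysvolcheck error message; it is identical on both
# sides, only the owner differs (LA on disk, DA expected from the GPO object).
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
ACTUAL = "O:LAG:DAD:P" + ACES      # DB ACL found on the GPO directory
EXPECTED = "O:DAG:DAD:P" + ACES    # value expected from the GPO object

SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")


def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string into its components."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    # Each ACE is "type;flags;rights;object;inherited_object;trustee".
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}


def sddl_diff(actual, expected):
    """Return [(field, actual_value, expected_value)] for every mismatch.

    ACEs are compared in order, because DACL ordering is significant."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(f, a[f], e[f]) for f in ("owner", "group", "dacl_flags") if a[f] != e[f]]
    if a["aces"] != e["aces"]:
        diffs.append(("aces", a["aces"], e["aces"]))
    return diffs


if __name__ == "__main__":
    for field, got, want in sddl_diff(ACTUAL, EXPECTED):
        print("%s: %s (%s) but expected %s (%s)" % (
            field, got, SID_NAMES.get(got, "?"), want, SID_NAMES.get(want, "?")))
```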