[Samba] sysvol maintenance/fix

Rowland Penny rpenny at samba.org
Tue May 23 13:15:48 UTC 2023



On 23/05/2023 13:09, d tbsky via samba wrote:
> I read the page several times: https://wiki.samba.org/index.php/Sysvolreset
> I don't quite understand but it seems "sysvolreset" will do bad things
> under some conditions.

I will rewrite that page sometime today or tomorrow, it isn't that bad :-)

> so you mean under normal setup, "sysvolreset" is fine and it will set
> up the correct acl?

Yes, provided that all the GPOs are present.

The GPOs are stored on the DC under the 'sysvol' directory, which on 
Debian is /var/lib/samba/sysvol . Under that directory is another 
directory named after your DNS domain, and in that directory there should 
be two other directories:
Policies
scripts

The Policies directory is where the GPOs are stored; they are named 
like this:

{31B2F340-016D-11D2-945F-00C04FB984F9}

There should be a minimum of two GPOs, though there can be, and often 
are, more than this.

So how does 'sysvolreset' know how many GPOs there should be? Well, it 
doesn't; it gets that information from AD, where the GPOs are also 
stored. Using the information it gets from AD, sysvolreset 'walks' the 
path of each GPO, resetting the permissions on disk.
If a GPO exists in AD but isn't on disk, you will get an error; if a 
GPO exists on disk but not in AD (unlikely), you will get an error.
This is why you must ensure that sysvol on one DC is kept in sync with 
all other DCs. The other thing to consider is idmap.ldb, this is where 
the DC user and group IDs are stored. These are allocated on a first 
come basis, which means that you can never be certain that a user or 
group will have the same ID on different DCs, unless you use 
the 'ad' idmap backend. This however has dangers on a DC, because Domain 
Admins should never be given a gidNumber attribute with 'idmap_ldb:use 
rfc2307 = yes' set in a DC's smb.conf.

> I also want to ask if the "sysvol" folder is the only samba folder
> which needs to take care of the extended attributes and posix_acl?
> if I copy/backup the folder without extended attributes & posix_acl,
> will "sysvolreset" restore the correct acl for me?

If you are using a DC as a fileserver (not recommended), you must set 
the permissions from a Windows computer. Running 'sysvolreset' will only 
affect the permissions on the sysvol directory and the directories and 
files under that.

Rowland
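The precondition Rowland describes (every GPO that AD knows about must have its directory under sysvol, and nothing extra should be there) can be checked before touching the ACLs. The script below is an added example, not code from the Samba project or from the post; it assumes sysvol is at /var/lib/samba/sysvol (Debian, as in the post) unless $SYSVOL is set, and it takes the AD side from the "GPO          : {GUID}" lines that 'samba-tool gpo listall' prints. The demo data (the samdom.example.com domain, the {AAAAAAAA-...} and {11111111-...} GUIDs) is constructed for the example; the two other GUIDs are the well-known default policies.

```shell
#!/bin/bash
# Added example; not from the Samba project or the mailing-list post.
# Cross-checks the GPO GUIDs that AD knows about against the {GUID}
# directories under sysvol/<dns domain>/Policies on this DC, so that a
# mismatch is found before 'samba-tool ntacl sysvolreset' is run (the post
# explains that sysvolreset errors on a GPO that is in AD but not on disk,
# and on one that is on disk but not in AD).
#
# Assumptions (mine, not the post's): sysvol at /var/lib/samba/sysvol unless
# $SYSVOL overrides it; the AD side is parsed from 'samba-tool gpo listall',
# which prints one "GPO          : {GUID}" line per policy object.

# Extract the {GUID}s from 'samba-tool gpo listall' text on stdin:
# upper-cased, braces kept, sorted, one per line.
ad_gpo_guids() {
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*\({[^}]*}\).*/\1/p' \
        | tr '[:lower:]' '[:upper:]' | sort -u
}

# List the {GUID}-named directories under a Policies directory, same format.
disk_gpo_guids() {
    local policies_dir=$1 d
    for d in "$policies_dir"/\{*\}; do
        [ -d "$d" ] && basename "$d"
    done | tr '[:lower:]' '[:upper:]' | sort -u
}

# Report GUIDs present on only one side. Arguments: the AD list and the
# disk list (newline-separated). Prints each discrepancy; returns 0 only
# when both sides agree.
compare_gpo_sets() {
    local ad_list disk_list missing stale
    ad_list=$(mktemp); disk_list=$(mktemp)
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$ad_list"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$disk_list"
    # comm -23: lines only in the AD list; comm -13: lines only on disk
    missing=$(comm -23 "$ad_list" "$disk_list" | sed 's/^/in AD but not on disk: /')
    stale=$(comm -13 "$ad_list" "$disk_list" | sed 's/^/on disk but not in AD: /')
    rm -f "$ad_list" "$disk_list"
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -n "$stale" ] && printf '%s\n' "$stale"
    [ -z "$missing$stale" ]
}

# On a DC: compare AD against this DC's sysvol for the given DNS domain.
# Run as root on the DC; samba-tool may need -U when not run locally.
check_dc_sysvol() {
    local domain=$1 sysvol=${SYSVOL:-/var/lib/samba/sysvol} ad disk
    ad=$(samba-tool gpo listall | ad_gpo_guids)
    disk=$(disk_gpo_guids "$sysvol/$domain/Policies")
    compare_gpo_sets "$ad" "$disk" \
        && echo "Policies on disk match AD: the precondition for sysvolreset holds"
}

# Offline demo with constructed data: the two default GPOs on both sides,
# one GPO that exists only in AD, one stale directory that exists only on
# disk. Prints the two discrepancies and returns 1.
demo_compare() {
    local demo_sysvol policies demo_listall rc
    demo_sysvol=$(mktemp -d)
    policies="$demo_sysvol/samdom.example.com/Policies"
    mkdir -p "$policies/{31B2F340-016D-11D2-945F-00C04FB984F9}" \
             "$policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}" \
             "$policies/{11111111-2222-3333-4444-555555555555}"
    # Constructed 'samba-tool gpo listall' output (lower-case GUID on purpose,
    # to show the normalisation)
    demo_listall='GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
GPO          : {6ac1786c-016f-11d2-945f-00c04fb984f9}
display name : Default Domain Controllers Policy
GPO          : {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
display name : Constructed GPO present in AD only'
    compare_gpo_sets "$(printf '%s\n' "$demo_listall" | ad_gpo_guids)" \
                     "$(disk_gpo_guids "$policies")"
    rc=$?
    rm -rf "$demo_sysvol"
    return $rc
}

demo_compare || echo "demo: sysvol and AD are out of sync; fix that before running sysvolreset"
```

On a real DC, `check_dc_sysvol samdom.example.com` (with your own DNS domain) is the call to make on every DC before running 'samba-tool ntacl sysvolreset' there; a GPO missing on disk usually means sysvol replication from the DC that holds it has not been done, while a stale directory is a leftover from a GPO deleted in AD.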


