[Samba] Access denied on GPO after "ntacl sysvolreset"

Thu Apr 10 13:16:52 UTC 2025

Thank you for your answer.

Problem is :

root at smbserver:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=24.04
DISTRIB_CODENAME=noble
DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"

There is no most recent Ubuntu LTS. Also we can't afford to recompile 
Samba and maintain it up-to-date, we have to rely on Ubuntu LTS system.

So could you find which recently solved bug you're talking about (I've 
searched for it but could not find it even though I'm using a computer) ?
This way we may be able to submit it to Ubuntu team who could perhaps 
backport the correction.

Le 08/04/2025 à 18:51, Luis Peromarta via samba a écrit :
> I think 4.19 is ageing now as we are on 4.22
> 
> This looks very much like a recently solved bug (can’t find it now I’m on phone). You need at least 4.21.4
> 
> Try updating and see it it fixes things
> On 8 Apr 2025 at 17:28 +0100, Klaas TJEBBES via samba <samba at lists.samba.org>, wrote:
>> Hello.
>>
>> samba --version
>> Version 4.19.5-Ubuntu
>>
>> Samba as Active Directory controller.
>>
>> 2 scenarios.
>>
>>
>> # First scenario :
>>
>> * On a Windows client, from RSAT, I create a new GPO named "firstgpo".
>> * Still in RSAT, I then create a second GPO "scndgpo" with some
>> parameters that I backup (right clic on the GPO => Backup...).
>> * Then I right clic on "firstgpo" and select "Import parameters...". I
>> select the backup previously made.
>>
>> Parameters are correctly imported from "scndgpo" to "firstgpo". So far
>> so good.
>>
>> Here is the problem, after running :
>> samba-tool ntacl sysvolreset
>> I can no longer "Import parameters". I get "Access denied" :
>>
>> """
>> [Error] The task cannot be completed. An error occurred with the
>> [Registry] extension. Unable to access the file
>> [\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791-A16A-7E4AFDE257DF}\MachineStaging\registry.pol].
>> The following error occurred:
>> Access denied.
>> """
>>
>>
>> # Second scenario :
>>
>> * I use :
>> samba-tool gpo backup
>> to backup an existing GPO.
>>
>> * From RSAT I delete this GPO.
>> * I run :
>> samba-tool gpo restore
>> to restore from the backup I just made.
>>
>> * At that moments :
>> samba-tool ntacl sysvolcheck
>> returns nothing, says that ACLs on sysvol are correct.
>>
>> On a Windows client, from RSAT, I try to modify this GPO : right clic on
>> the GPO, "Edit..." and configure some settings. I get an error : "Access
>> denied. HRESULT : 0x80070005 (E_ACCESSDENIED)".
>>
>> But, after running :
>> samba-tool ntacl sysvolreset
>>
>> I can again modify the restored GPO without error. But at that moment
>> I'm encountering the problem of the first scenario.
>>
>>
>> What is the problem ? Is this a bug ?
>>
>>
>> Kind regards,
>> Klaas
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI
- Dijon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~