[Samba] Access denied on GPO after "ntacl sysvolreset"
Klaas TJEBBES
klaas.tjebbes at region-academique-bourgogne-franche-comte.fr
Thu Apr 17 13:54:43 UTC 2025
We (https://pcll.ac-dijon.fr/pcll/) are the publisher of servers for the French
Ministry of Education. We have provided Samba servers, firewalls, VPN
aggregators and monitoring servers for more than 20 years. These
servers are for schools, administrations, etc. We have 18000 servers in
production, which means approximately 6 million users.
Historically we have always stored users data in /home. Since the path
of [sysvol] is configurable, we have put it in /home as well.
For example, on the file server, the one that hosts people homedirs,
those dirs are stored in /home/adhomes/<username>, group dirs are stored
in /home/workgroups/<groupname>, recycle bin in /home/recycle, etc.
This greatly simplifies server partitioning and backups. For example /home
can be put on a faster device than /, or one can decide to put /home on
a SAN with persistent data while / is a VM image, etc.
But I doubt putting [sysvol] in /home has anything to do with the
problem we are facing:
* 'samba-tool ntacl sysvolcheck' does not detect that the ACLs are wrong
* 'samba-tool ntacl sysvolreset' does not set the same ACLs as Windows
does, and this prevents importing GPO settings in RSAT.
Also I don't understand your sentence "Why are sysvol and netlogon in
/home instead of being in /var/lib/samba where it belongs ?".
Can you explain what the technical problem is with putting [sysvol]
elsewhere? I've taken a look at the Samba source code and could not find
any answer to this question.
Also can you confirm that on your setup, which you said has the same
ACLs as the ones that are problematic for me, you can import settings
from a previously backed-up GPO in RSAT? See image https://ibb.co/QvFkV8nW
On 16/04/2025 at 18:07, Rowland Penny via samba wrote:
> On Wed, 16 Apr 2025 17:03:10 +0200
> Klaas TJEBBES via samba <samba at lists.samba.org> wrote:
>
>>
>> I don't understand how importing settings from a previously backed-up
>> GPO in RSAT can work on your setup as it clearly does not on ours.
>>
>>
>> To summarize :
>>
>> root at addc:~# cat /etc/lsb-release
>> DISTRIB_ID=Ubuntu
>> DISTRIB_RELEASE=24.04
>> DISTRIB_CODENAME=noble
>> DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"
>>
>> root at addc:~# cat /etc/samba/smb.conf
>> [global]
>> realm = DOMSCRIBE.AC-TEST.FR
>> workgroup = DOMSCRIBE
>> netbios name = ADDC
>> disable netbios = yes
>> smb ports = 445
>> map acl inherit = Yes
>> store dos attributes = Yes
>> winbind separator = /
>> server role = active directory domain controller
>> server services = -dns
>> tls enabled = yes
>> tls keyfile = /var/lib/samba/private/tls/key.pem
>> tls certfile = /var/lib/samba/private/tls/cert.pem
>> tls cafile =
>> usershare max shares = 0
>> restrict anonymous = 2
>> interfaces = 192.168.0.30
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /home/sysvol/domscribe.ac-test.fr/scripts
>> read only = No
>> guest ok = yes
>>
>> [sysvol]
>> comment = Sysvol Service
>> path = /home/sysvol
>> read only = No
>> guest ok = yes
>>
>
> I asked this once, but you didn't answer, lets try again:
>
> Why are sysvol and netlogon in /home instead of being in
> /var/lib/samba where it belongs ?
>
> Rowland
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI
- Dijon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
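The complaint above is that 'samba-tool ntacl sysvolcheck' reports nothing while the ACLs on the GPO folders still differ from what Windows writes. A direct way to see the difference is to compare the SDDL that 'samba-tool ntacl get --as-sddl <path>' prints on the Samba DC with the Sddl value that Get-Acl prints on a Windows DC for the same Policies/<guid> folder. The script below is an added example written for this page; it is not code from the thread, from EOLE or from the Samba project. It parses the DACL of two SDDL strings into comparable ACE tuples (so 'OICI' vs 'CIOI', 'FA' vs '0x001f01ff', and 'DA' vs the expanded S-1-5-21-...-512 SID all compare equal) and lists the ACEs missing from or extra in the second descriptor. The two SDDL strings and the domain SID in it are constructed for the demo; the exact ACL that Windows or sysvolreset writes on your domain must be taken from your own DCs.

```python
"""Diff two SDDL security descriptors ACE by ACE.

Added example, not code from the samba list thread or the Samba project.
Intended use: paste the output of
    samba-tool ntacl get --as-sddl /path/to/sysvol/<domain>/Policies/<guid>
next to the Sddl value Get-Acl prints on a Windows DC for the same folder.
The two SDDL strings at the bottom are constructed; the domain SID is invented.
"""
import re

# SDDL rights abbreviations -> Windows access-mask values.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}

# Domain-relative SDDL aliases and their well-known RIDs. Tools may print
# these either as the alias or as the full S-1-5-21-...-RID SID, so both
# spellings must compare equal when the domain SID is known.
DOMAIN_ALIASES = {"DA": 512, "DU": 513, "DG": 514, "DC": 515, "DD": 516,
                  "EA": 519, "PA": 520}

# O:/G:/D:/S: sections. A value runs until the next section marker;
# parenthesised ACEs are consumed whole so the ';' and SIDs inside are safe.
SECTION_RE = re.compile(r"([OGDS]):((?:[^(:]|\([^)]*\))*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_mask(text):
    """'FA', 'GRGX' or '0x001200a9' -> access mask as an int."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]
    return mask


def normalize_sid(sid, domain_sid):
    """Expand DA/EA/... to the full SID when the domain SID is known."""
    if domain_sid and sid in DOMAIN_ALIASES:
        return f"{domain_sid}-{DOMAIN_ALIASES[sid]}"
    return sid


def parse_dacl(sddl, domain_sid=None):
    """Return (DACL control flags, set of ACEs) for an SDDL string.

    Each ACE is (type, frozenset of flags, mask, trustee), which makes the
    comparison independent of flag order, mask spelling and SID aliasing.
    """
    sections = dict(SECTION_RE.findall(sddl))
    if "D" not in sections:
        raise ValueError("SDDL has no D: (DACL) section")
    dacl = sections["D"]
    control = dacl.split("(", 1)[0]          # e.g. "P", "AI", "PAI"
    aces = set()
    for body in ACE_RE.findall(dacl):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        flag_set = frozenset(flags[i:i + 2] for i in range(0, len(flags), 2))
        aces.add((ace_type, flag_set, parse_mask(rights),
                  normalize_sid(sid, domain_sid)))
    return control, aces


def diff_dacl(expected_sddl, actual_sddl, domain_sid=None):
    """ACEs expected but absent, ACEs present but unexpected, and the
    DACL control flags of both descriptors."""
    exp_ctl, exp = parse_dacl(expected_sddl, domain_sid)
    act_ctl, act = parse_dacl(actual_sddl, domain_sid)
    return {"missing": exp - act, "extra": act - exp,
            "control": (exp_ctl, act_ctl)}


def format_ace(ace):
    ace_type, flags, mask, sid = ace
    return f"({ace_type};{''.join(sorted(flags))};0x{mask:08x};;;{sid})"


# Constructed sample: a Windows-style descriptor with aliases and 'FA' next to
# one using expanded SIDs and hex masks, where the CREATOR OWNER ACE is absent.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"          # invented domain SID
EXPECTED_SDDL = ("O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)"
                 "(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)"
                 "(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)")
ACTUAL_SDDL = (f"O:{DOMAIN_SID}-512G:{DOMAIN_SID}-512D:PAI"
               f"(A;OICI;0x001f01ff;;;{DOMAIN_SID}-512)"
               f"(A;OICI;0x001f01ff;;;{DOMAIN_SID}-519)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
               "(A;OICI;0x001200a9;;;ED)")

if __name__ == "__main__":
    result = diff_dacl(EXPECTED_SDDL, ACTUAL_SDDL, DOMAIN_SID)
    for ace in sorted(result["missing"], key=format_ace):
        print("missing:", format_ace(ace))
    for ace in sorted(result["extra"], key=format_ace):
        print("extra:  ", format_ace(ace))
    if result["control"][0] != result["control"][1]:
        print("DACL control flags differ:", result["control"])
```

Run it as-is to see the one missing ACE in the constructed sample, then replace EXPECTED_SDDL and ACTUAL_SDDL with the descriptors taken from a Windows DC and from the Samba DC (and DOMAIN_SID with the real one, from 'samba-tool domain info' or Get-ADDomain). Comparing per ACE rather than as whole strings is what makes the check useful here: sysvolcheck compares against Samba's own idea of the default descriptor, whereas this shows what differs from the descriptor Windows actually wrote.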