I'm getting an interesting problem. I can create/rename/delete/edit
policies,
but I can't change the security filtering or delegation settings.
When I first open any policy, I get the following:
"The permissions for this GPO in the SYSVOL folder are inconsistent with
those
in Active Directory. It is recommended that these permissions be consistent.
To change the SYSVOL permissions to those in Active Directory, click OK."
So I click OK and I get "Access is denied."
The error I get in samba.log follows:
[Wed Jan 5 18:34:18 2011 PWT, 0
../ntvfs/posix/pvfs_acl.c:567:pvfs_access_check_unix()]
../ntvfs/posix/pvfs_acl.c:567 denied access to
'/var/lib/samba/sysvol/pcd.example.com/Policies/
{3D1F2B0A-B0F7-44C1-BA1A-2C5D03DFC0ED}' -
wanted 0x00060000 but got 0xfef3ffff (missing 0x00040000)
How do I fix this?
cheers!
Leo
Hi samba-technical is a better place for this while samba 4 is still in Alpha. I have copied my reply there. On 5 January 2011 11:50, Leo Lutz <skeemer at gmail.com> wrote:> I'm getting an interesting problem. I can create/rename/delete/edit policies, > but I can't change the security filtering or delegation settings. > > When I first open any policy, I get the following: > > "The permissions for this GPO in the SYSVOL folder are inconsistent with those > in Active Directory. It is recommended that these permissions be consistent. > To change the SYSVOL permissions to those in Active Directory, click OK." > > So I click OK and I get "Access is denied." > > The error I get in samba.log follows: > > [Wed Jan ?5 18:34:18 2011 PWT, 0 > ../ntvfs/posix/pvfs_acl.c:567:pvfs_access_check_unix()] > ../ntvfs/posix/pvfs_acl.c:567 denied access to > '/var/lib/samba/sysvol/pcd.example.com/Policies/ > {3D1F2B0A-B0F7-44C1-BA1A-2C5D03DFC0ED}' - > wanted 0x00060000 but got 0xfef3ffff (missing 0x00040000) > > How do I fix this?What version of Samba 4 is that? Have you tried increasing the debug level to see if it gives you more information? What ACLs do you have on the Policies directory? -- Michael Wood <esiotrot at gmail.com>
You have to first find the folder that your gpo is in by going into Active
Directory Users and Computers and then clicking properties on your domain,
then click group policy, and then select your gpo you want to use or work,
and then click properties then read what the name(Unique Name) of the gpo
says: it will be something like:
"{31B2F340-016D-11D2-945F-00C04FB984F9}"
without the the quotes, but it may be different depending on what your gpo
is named, and then go into filezilla and login into your ftp server for your
samba4server and go into your sysvol folder for samba4, which on ubuntu
systems it will be under "/usr/local/samba/var/locks/sysvol" without
the
quotes and then right click on your polices folder and click file
permissions and then enter into the "Numeric value" textbox: 777 and
then
click recurse into subdirectories and click "Apply to all files and
directories" and then click ok, and if you don't get an access denied
message then you are done. and this should help you be able to open any
policy.