Stefan Bellon
2021-Apr-06 10:32 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On Tue, 06 Apr, Rowland penny via samba wrote:

> The reason why you get that error is because you have given Domain
> Admins a gidNumber,

But that is not my case. Domain Admins DOES NOT have a gidNumber attribute (neither does Domain Users).

> this means that 'O:DA' can never happen. I have multiple GPO's in
> sysvol and this happens:
>
> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolreset
> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolcheck
> pi at rpidc1:~ $
>
> Absolutely no errors, this is with Samba 4.14.2

After a "sysvolreset" a subsequent "sysvolcheck" works without any issues for me as well. This is not my issue.

My issue is that it throws the error as soon as I have edited a GPO from RSAT, because that somehow changed the permissions in an "unexpected" way.

Greetings,
Stefan

--
Stefan Bellon
Rowland penny
2021-Apr-06 10:46 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On 06/04/2021 11:32, Stefan Bellon wrote:

> On Tue, 06 Apr, Rowland penny via samba wrote:
>
>> The reason why you get that error is because you have given Domain
>> Admins a gidNumber,
> But that is not my case. Domain Admins DOES NOT have a gidNumber
> attribute (neither does Domain Users).
>
>> this means that 'O:DA' can never happen. I have multiple GPO's in
>> sysvol and this happens:
>>
>> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolreset
>> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolcheck
>> pi at rpidc1:~ $
>>
>> Absolutely no errors, this is with Samba 4.14.2
> After a "sysvolreset" a subsequent "sysvolcheck" works without any
> issues for me as well. This is not my issue.
>
> My issue is that it throws the error as soon as I have edited a GPO
> from RSAT, because that somehow changed the permissions in an
> "unexpected" way.
>
> Greetings,
> Stefan
>

Hi Stefan, if I write a script to read all the permissions on Sysvol (Unix, getfacl and 'samba-tool ntacl get'), are you prepared to run it on a DC before you add a GPO and then again after, then send me the resultant outputs? This may help to point to where the problem lies.

Rowland
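The before/after comparison proposed in the message above could be collected as follows. This is an added example, not part of the thread and not Rowland's script; the function names and the snapshot format are assumptions, as is GNU `stat`, and the sysvol path is whatever your DC uses.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: run as root on the DC and
# pass the sysvol path yourself (e.g. /var/lib/samba/sysvol; it varies by build).

# sysvol_snapshot DIR OUTFILE: one record per path with Unix owner/mode,
# POSIX ACL and NT ACL (SDDL). Paths are relative to DIR so runs compare cleanly.
sysvol_snapshot() {
    ( cd "$1" && find . -print | LC_ALL=C sort | while IFS= read -r p; do
        printf '== %s\n' "$p"
        # Numeric ids, so idmap/winbind name resolution cannot alter the text.
        printf 'unix: %s\n' "$(stat -c '%u:%g %a' "$p")"
        if command -v getfacl >/dev/null 2>&1; then
            getfacl -n --omit-header "$p" 2>/dev/null | sed '/^$/d; s/^/posix: /'
        else
            echo 'posix: getfacl not installed'
        fi
        if command -v samba-tool >/dev/null 2>&1; then
            printf 'ntacl: %s\n' "$(samba-tool ntacl get --as-sddl "$p" 2>&1)"
        else
            echo 'ntacl: samba-tool not installed'
        fi
    done ) > "$2"
}

# sysvol_changed BEFORE AFTER: print each path whose record differs, was added
# or was removed between the two snapshots.
sysvol_changed() {
    awk '
        /^== /    { path = substr($0, 4); next }
        FNR == NR { before[path] = before[path] $0 "\n"; next }
                  { after[path] = after[path] $0 "\n" }
        END {
            for (p in after)  if (before[p] != after[p]) print p
            for (p in before) if (!(p in after)) print p
        }' "$1" "$2" | LC_ALL=C sort
}

# Usage: sh script.sh snapshot DIR OUTFILE   |   sh script.sh changed BEFORE AFTER
case "${1:-}" in
    snapshot) sysvol_snapshot "$2" "$3" ;;
    changed)  sysvol_changed "$2" "$3" ;;
esac
```

Take one snapshot right after `samba-tool ntacl sysvolreset`, edit the GPO from RSAT, take a second one, then run `changed` and `diff -u` on the two files to see exactly which owner or ACE moved on the listed paths.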
cn at brain-biotech.de
2021-Apr-06 12:20 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On 06.04.21 at 12:32, Stefan Bellon via samba wrote:

> On Tue, 06 Apr, Rowland penny via samba wrote:
>
>> The reason why you get that error is because you have given Domain
>> Admins a gidNumber,
>
> But that is not my case. Domain Admins DOES NOT have a gidNumber
> attribute (neither does Domain Users).

And I think there is your problem! If you have UID/GID in AD then "Domain Users" needs one. Or am I wrong there, Rowland?

Regards
Christian

--
Dr. Christian Naumer
Vice President Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen