On 23/05/2023 11:15, d tbsky via samba wrote:> Hi: > I am using samba 4.18.2 as domain controller. It is working fine > with no problems. > My samba data is 10 years old after many migrate/upgrade(both os and > samba) . normally I only run "samba-tool dbcheck" after samba upgrade. > today I want to spent some time to sysvol and found it failed > immediately: > > /usr/local/samba/bin/samba-tool ntacl sysvolcheck > ERROR(<class 'OSError'>): Could not access > /usr/local/samba/var/locks/sysvol/ad.example.com: No data available - > [Errno 61] No data available: > '/usr/local/samba/var/locks/sysvol/ad.example.com' > > searching the list I realized my problem is similar to the discussion below: > https://lists.samba.org/archive/samba/2023-April/244714.html > > I don't have ntacl extend attribute for directories below(getfattr -d > -m- return no ntacl): > "/usr/local/samba/var/locks/sysvol/ad.example.com" > "/usr/local/samba/var/locks/sysvol/ad.example.com/scripts" > "/usr/local/samba/var/locks/sysvol/ad.example.com/Policies" > > but sub-directories under "Policies" seem fine. They have ntacl > extended attributes and all my group policies work fine. > > I wonder how to fix the ntacl of the three directories? I don't know > what "samba-tool ntacl sysvolrest" do so I don't want to execute that > command blindly. >What sysvolreset does is basically what it says, it resets the permissions on the sysvol directories. It is the fix you require, provided the GPO's are there and that idmap.ldb is in sync on all DC's. If you still have doubts, just ask and I will go into it in much deeper. Rowland
Rowland Penny via samba <samba at lists.samba.org>> > I wonder how to fix the ntacl of the three directories? I don't know > > what "samba-tool ntacl sysvolrest" do so I don't want to execute that > > command blindly. > > > > What sysvolreset does is basically what it says, it resets the > permissions on the sysvol directories. It is the fix you require, > provided the GPO's are there and that idmap.ldb is in sync on all DC's. > > If you still have doubts, just ask and I will go into it in much deeper.I read the page several times: https://wiki.samba.org/index.php/Sysvolreset I don't quite understand but it seems "sysvolreset" will do bad things under some conditions. so you mean under normal setup, "sysvolrest" is fine and it will set up the correct acl? I also want to ask if the "sysvol" folder is the only samba folder which need to take care of the extended attribute and posix_acl? if I copy/backup the folder without extended attribute & posix_acl , will "sysvolrest" restore the correct acl for me? thanks again for your kindly help! Regards, tbskyd> Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba