Klaas TJEBBES
2025-Apr-08 16:11 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
Hello.
samba --version
Version 4.19.5-Ubuntu
Samba as Active Directory controller.
2 scenarios.
# First scenario :
* On a Windows client, from RSAT, I create a new GPO named "firstgpo".
* Still in RSAT, I then create a second GPO "scndgpo" with some
parameters that I backup (right clic on the GPO => Backup...).
* Then I right clic on "firstgpo" and select "Import
parameters...". I
select the backup previously made.
Parameters are correctly imported from "scndgpo" to
"firstgpo". So far
so good.
Here is the problem, after running :
samba-tool ntacl sysvolreset
I can no longer "Import parameters". I get "Access denied" :
"""
[Error] The task cannot be completed. An error occurred with the
[Registry] extension. Unable to access the file
[\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791-A16A-7E4AFDE257DF}\MachineStaging\registry.pol].
The following error occurred:
Access denied.
"""
# Second scenario :
* I use :
samba-tool gpo backup
to backup an existing GPO.
* From RSAT I delete this GPO.
* I run :
samba-tool gpo restore
to restore from the backup I just made.
* At that moments :
samba-tool ntacl sysvolcheck
returns nothing, says that ACLs on sysvol are correct.
On a Windows client, from RSAT, I try to modify this GPO : right clic on
the GPO, "Edit..." and configure some settings. I get an error :
"Access
denied. HRESULT : 0x80070005 (E_ACCESSDENIED)".
But, after running :
samba-tool ntacl sysvolreset
I can again modify the restored GPO without error. But at that moment
I'm encountering the problem of the first scenario.
What is the problem ? Is this a bug ?
Kind regards,
Klaas
Luis Peromarta
2025-Apr-08 16:51 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
I think 4.19 is ageing now as we are on 4.22 This looks very much like a recently solved bug (can?t find it now I?m on phone). You need at least 4.21.4 Try updating and see it it fixes things On 8 Apr 2025 at 17:28 +0100, Klaas TJEBBES via samba <samba at lists.samba.org>, wrote:> Hello. > > samba --version > Version 4.19.5-Ubuntu > > Samba as Active Directory controller. > > 2 scenarios. > > > # First scenario : > > * On a Windows client, from RSAT, I create a new GPO named "firstgpo". > * Still in RSAT, I then create a second GPO "scndgpo" with some > parameters that I backup (right clic on the GPO => Backup...). > * Then I right clic on "firstgpo" and select "Import parameters...". I > select the backup previously made. > > Parameters are correctly imported from "scndgpo" to "firstgpo". So far > so good. > > Here is the problem, after running : > samba-tool ntacl sysvolreset > I can no longer "Import parameters". I get "Access denied" : > > """ > [Error] The task cannot be completed. An error occurred with the > [Registry] extension. Unable to access the file > [\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791-A16A-7E4AFDE257DF}\MachineStaging\registry.pol]. > The following error occurred: > Access denied. > """ > > > # Second scenario : > > * I use : > samba-tool gpo backup > to backup an existing GPO. > > * From RSAT I delete this GPO. > * I run : > samba-tool gpo restore > to restore from the backup I just made. > > * At that moments : > samba-tool ntacl sysvolcheck > returns nothing, says that ACLs on sysvol are correct. > > On a Windows client, from RSAT, I try to modify this GPO : right clic on > the GPO, "Edit..." and configure some settings. I get an error : "Access > denied. HRESULT : 0x80070005 (E_ACCESSDENIED)". > > But, after running : > samba-tool ntacl sysvolreset > > I can again modify the restored GPO without error. But at that moment > I'm encountering the problem of the first scenario. > > > What is the problem ? Is this a bug ? > > > Kind regards, > Klaas > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba