samba - May 2013 - Access Denied when creating a GPO with any other domain admins than administrator

Hello,

I have a strange issue with Samba 4 as an AD DC regarding GPO creation.

I use the following packages on Debian wheezy:

dpkg -l | grep samba
ii  libsamba-credentials0:i386           4.0.0+dfsg1-1                i386      
Samba Credentials management library
ii  libsamba-hostconfig0:i386            4.0.0+dfsg1-1                i386      
Samba host configuration library
ii  libsamba-policy0:i386                4.0.0+dfsg1-1                i386      
Samba policy management
ii  libsamba-util0:i386                  4.0.0+dfsg1-1                i386      
Samba utility function library
ii  python-samba                         4.0.0+dfsg1-1                i386      
Python bindings for Samba
rc  samba                                2:3.6.6-3                    i386      
SMB/CIFS file, print, and login server for Unix
ii  samba-common                         2:3.6.10-1                   all       
common files used by both the Samba server and client
ii  samba-common-bin                     2:3.6.10-1                   i386      
common files used by both the Samba server and client
ii  samba-dsdb-modules                   4.0.0+dfsg1-1                i386      
Samba Directory Services Database
ii  samba4                               4.0.0+dfsg1-1                i386      
SMB/CIFS file, NT domain and active directory server (version 4)
ii  samba4-clients                       4.0.0+dfsg1-1                i386      
client utilities from Samba 4
ii  samba4-common-bin                    4.0.0+dfsg1-1                i386      
Samba 4 common files used by both the server and the client

I created an administrative account called "admin-domain" which is
member of the following groups:
- Administrators
- Domain Admins
- Domain Users
- Group Policy Creator Owners

If I logon with the "administrator" account, then there is no problem
to create a new GPO with the group policy management application from the
windows 8 client.
However, if I logon with the "admin-domain" account, is is not
possible to create a GPO. The error given is "Access Denied"

I checked and there is no problem for "admin-domain" to write in the
sysvol share.
For me being member of Domain Admins and writing to sysvol rights shall be
enough to write a GPO.

Apart from that, the GPO are correctly applied and I see no other issue.

I am sure missing something, but I can't figure out what... 

Thanks for your help.

Antoine

On 14/05/13 18:40, Antoine Vacher wrote:
> Hello,
>
> I have a strange issue with Samba 4 as an AD DC regarding GPO creation.
>
> I use the following packages on Debian wheezy:
>
> dpkg -l | grep samba
> ii  libsamba-credentials0:i386           4.0.0+dfsg1-1                i386 
Samba Credentials management library
> ii  libsamba-hostconfig0:i386            4.0.0+dfsg1-1                i386 
Samba host configuration library
> ii  libsamba-policy0:i386                4.0.0+dfsg1-1                i386 
Samba policy management
> ii  libsamba-util0:i386                  4.0.0+dfsg1-1                i386 
Samba utility function library
> ii  python-samba                         4.0.0+dfsg1-1                i386 
Python bindings for Samba
> rc  samba                                2:3.6.6-3                    i386 
SMB/CIFS file, print, and login server for Unix
> ii  samba-common                         2:3.6.10-1                   all  
common files used by both the Samba server and client
> ii  samba-common-bin                     2:3.6.10-1                   i386 
common files used by both the Samba server and client
> ii  samba-dsdb-modules                   4.0.0+dfsg1-1                i386 
Samba Directory Services Database
> ii  samba4                               4.0.0+dfsg1-1                i386 
SMB/CIFS file, NT domain and active directory server (version 4)
> ii  samba4-clients                       4.0.0+dfsg1-1                i386 
client utilities from Samba 4
> ii  samba4-common-bin                    4.0.0+dfsg1-1                i386 
Samba 4 common files used by both the server and the client
>
> I created an administrative account called "admin-domain" which
is member of the following groups:
> - Administrators
> - Domain Admins
> - Domain Users
> - Group Policy Creator Owners
>
> If I logon with the "administrator" account, then there is no
problem to create a new GPO with the group policy management application from
the windows 8 client.
> However, if I logon with the "admin-domain" account, is is not
possible to create a GPO. The error given is "Access Denied"
>
> I checked and there is no problem for "admin-domain" to write in
the sysvol share.
> For me being member of Domain Admins and writing to sysvol rights shall be
enough to write a GPO.
>
> Apart from that, the GPO are correctly applied and I see no other issue.
> :
> I am sure missing something, but I can't figure out what...
>
> Thanks for your help.
>
> Antoine
>
Hi
A quick check, try running:
samba-tool ntacl sysvolreset