To fix the rights problem, these are the steps I always follow, since they work
for me.
I logged in as DOMAIN\Administrator on a Windows PC.
1) Now back up sysvol: copy the "internal.domain.tld" folder in sysvol to
your PC.
2) Delete the "internal.domain.tld" folder in sysvol on the DC.
3) Log in to Linux, run samba-tool ntacl sysvolreset
4) Go to the sysvol folder and run: getfacl sysvol > /tmp/sysvol.acl
5) Copy the "internal.domain.tld" from the PC back to sysvol
6) Restore the sysvol.acl over the complete setup, run:
setfacl -R -b --modify-file /tmp/sysvol.acl /Path_to/sysvol
7) Run samba-tool ntacl sysvolcheck. You should be error free now.
8) Almost there, go to the Windows GPO editor, click once on every GPO object,
used or not. You might get a message about incorrect rights, just click OK to
fix and it's done.
This works every time for me if I get GPO errors.
Also, all the USER GPO settings are applied by the computer accounts.
You always need one of these: "authenticated users" "Domain
Computers"
! always !
Best regards,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Miguel Medalha
> via samba
> Sent: Tuesday, 20 December 2016 0:36
> To: Alex Crow
> CC: samba at lists.samba.org
> Subject: Re: [Samba] GPO Security Filtering "Access Denied"
>
> >> I think the ACL list on XFS (installed with Centos7) is too large and it
> >> can't store the additional ACLs. Hopefully that is it, and even if it
> >> isn't, thanks chaps for letting me think aloud, it often helps to bounce
> >> ideas off others to eliminate other possible issues.
>
> >> Sadly this probably means a reformat... grrr.
>
> Isn't that a bit too drastic? I have two DCs here, both working on XFS,
> one with CentOS 6 and the other with CentOS 7. I have lots of GPOs and
> complex ACLs and never found a limit with ACLs.
>
> If I remember correctly, XFS can accommodate 64kB of Extended Attributes.
>
> Did you try "samba-tool ntacl sysvolreset" ?
>
> As I told you before, I once met the same problem you now have and I was
> able to solve it, I don't exactly remember how but I think it was related
> to the issue I referred to in previous posts.
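A check for steps 4 to 6 of the procedure in the reply above, as an added example that is not part of the original message or of Samba: it parses getfacl text output and lists every path whose access ACL differs from the reference saved in /tmp/sysvol.acl. It assumes the second input is a recursive dump (getfacl -R) taken after step 6; the function names, sample dumps and group ID 3000000 are constructed for illustration.

```python
def parse_getfacl(text):
    """Map each '# file:' path in getfacl output to its set of access ACL entries."""
    acls, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            acls[path] = set()
        elif line and not line.startswith("#") and path is not None:
            entry = line.split("#", 1)[0].strip()  # drop "#effective:" notes
            if not entry.startswith("default:"):   # only directories have defaults
                acls[path].add(entry)
    return acls

def acl_drift(reference_dump, tree_dump):
    """Return {path: (missing, extra)} for paths that differ from the reference."""
    # Unpacking raises ValueError unless the reference describes exactly one path.
    wanted, = parse_getfacl(reference_dump).values()
    drift = {}
    for path, have in parse_getfacl(tree_dump).items():
        if have != wanted:
            drift[path] = (sorted(wanted - have), sorted(have - wanted))
    return drift

# Constructed sample dumps (not from a real DC); 3000000 is a made-up group ID.
REFERENCE = """\
# file: sysvol
user::rwx
group::rwx
group:3000000:rwx
mask::rwx
other::---
default:user::rwx
"""
TREE = REFERENCE + """
# file: sysvol/internal.domain.tld
user::rwx
group::rwx
group:3000000:rwx
mask::rwx
other::---

# file: sysvol/internal.domain.tld/Policies
user::rwx
group::r-x
other::r-x
"""

if __name__ == "__main__":
    print(acl_drift(REFERENCE, TREE))
```

An empty result means every path in the dump carries the reference access ACL.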