> You could try using a script Louis wrote, see here:
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
>
> The 'idmap config' lines are nothing to worry about, you cannot set them on a DC, but, for some reason, testparm etc warns about
> them.
>
> Rowland
>
Sorry, I should have said - I ran Louis' script and set the ACLs according to the output. The script also produced a file called
default-rights-sysvol-acl which contains:

# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000027:r-x
user:3000023:rwx
user:3000009:r-x
group::rwx
group:3000000:rwx
group:3000027:r-x
group:3000023:rwx
group:3000009:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000027:r-x
default:user:3000023:rwx
default:user:3000009:r-x
default:group::---
default:group:3000000:rwx
default:group:3000027:r-x
default:group:3000023:rwx
default:group:3000009:r-x
default:mask::rwx
default:other::---

After I had set the ACLs and run the Group Policy Management tool from Windows (which suggested that the ACLs were not correct and
offered to correct them by clicking OK), getfacl /var/lib/samba/sysvol produces this:

# file: var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
user:NT\040AUTHORITY\\system:rwx
user:BUILTIN\\server\040operators:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
group:NT\040AUTHORITY\\system:rwx
group:BUILTIN\\server\040operators:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:BUILTIN\\server\040operators:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:BUILTIN\\server\040operators:r-x
default:mask::rwx
default:other::---

If I run wbinfo to convert the gids to names, the two getfacl lists are essentially the same.

When I run samba-tool gpo aclcheck -Uadministrator, I get:

Password for [MICROLYNX\administrator]:
ERROR: Invalid GPO ACL
O:LAG:S-1-22-2-0D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;;;;WD)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG) on path
(microlynx.org\Policies\{CA8E6F15-335B-4BA1-BDD3-7FE7B6780946}), should be
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

Any other ideas?

Thanks Rowland.

Roy
On 19/05/2020 21:29, Roy Eastwood wrote:
>> You could try using a script Louis wrote, see here:
>> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
>>
>> The 'idmap config' lines are nothing to worry about, you cannot set them on a DC, but, for some reason, testparm etc warns about
>> them.
>>
>> Rowland
>>
> Sorry, I should have said - I ran Louis' script and set the ACLs according to the output. The script also produced a file called
> default-rights-sysvol-acl which contains:
> # file: /var/lib/samba/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000027:r-x
> user:3000023:rwx
> user:3000009:r-x
> group::rwx
> group:3000000:rwx
> group:3000027:r-x
> group:3000023:rwx
> group:3000009:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000027:r-x
> default:user:3000023:rwx
> default:user:3000009:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000027:r-x
> default:group:3000023:rwx
> default:group:3000009:r-x
> default:mask::rwx
> default:other::---
>
> After I had set the ACLs and run the Group Policy Management tool from Windows (which suggested that the ACLs were not correct and
> offered to correct them by clicking OK), getfacl /var/lib/samba/sysvol produces this:
> # file: var/lib/samba/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:BUILTIN\\administrators:rwx
> user:NT\040AUTHORITY\\authenticated\040users:r-x
> user:NT\040AUTHORITY\\system:rwx
> user:BUILTIN\\server\040operators:r-x
> group::rwx
> group:BUILTIN\\administrators:rwx
> group:NT\040AUTHORITY\\authenticated\040users:r-x
> group:NT\040AUTHORITY\\system:rwx
> group:BUILTIN\\server\040operators:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\\administrators:rwx
> default:user:NT\040AUTHORITY\\authenticated\040users:r-x
> default:user:NT\040AUTHORITY\\system:rwx
> default:user:BUILTIN\\server\040operators:r-x
> default:group::---
> default:group:BUILTIN\\administrators:rwx
> default:group:NT\040AUTHORITY\\authenticated\040users:r-x
> default:group:NT\040AUTHORITY\\system:rwx
> default:group:BUILTIN\\server\040operators:r-x
> default:mask::rwx
> default:other::---
>
> If I run wbinfo to convert the gids to names, the two getfacl lists are essentially the same.
>
> When I run samba-tool gpo aclcheck -Uadministrator, I get:
> Password for [MICROLYNX\administrator]:
> ERROR: Invalid GPO ACL
> O:LAG:S-1-22-2-0D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;;;;WD)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG) on path
> (microlynx.org\Policies\{CA8E6F15-335B-4BA1-BDD3-7FE7B6780946}), should be
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> Any other ideas?
>
> Thanks Rowland.
>
> Roy
>
Yes, there are three places where permissions are stored on sysvol (4 if you count in AD): the standard Linux permissions 'ugo', POSIX ACLs as shown by getfacl, and an EA (this is where the ACLs are stored when set from Windows).

Try running 'samba-tool ntacl get /var/lib/samba/sysvol --as-sddl', this should produce something similar to this:

O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

Try checking using that, but you will have to do it file by file etc.

I personally would set the permissions from Windows and ignore sysvolcheck/reset. Also ensure that Domain Admins does not have a gidNumber if you are using the RFC2307 attributes.

Rowland
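An added example, not code from this thread or from Samba: a small Python parser that splits an SDDL string of the kind printed by samba-tool gpo aclcheck and samba-tool ntacl get --as-sddl into owner, group, DACL flags and individual ACEs, then diffs the descriptor aclcheck reported against the one it says it expects, so the mismatch can be read ACE by ACE rather than by eye. The two descriptors embedded below are copied from the aclcheck error quoted above, mail-client line wraps included; the SID aliases (DA, BA, SY, AU, ...) and the access masks 0x001f01ff (full control) and 0x001200a9 (read and execute) are standard Windows SDDL values.

```python
import re
from dataclasses import dataclass

SID = r"(S-1-[0-9-]+|[A-Z]{2})"        # full SID or two-letter well-known alias
OWNER_RE = re.compile(r"O:" + SID)
GROUP_RE = re.compile(r"G:" + SID)
DACL_RE = re.compile(r"D:([A-Z]*)\(")  # DACL control flags, e.g. P or PAR
ACE_RE = re.compile(r"\(([^)]*)\)")

@dataclass(frozen=True, order=True)
class Ace:
    ace_type: str  # A = access allowed, D = access denied
    flags: str     # inheritance flags: OI, CI, IO
    rights: str    # access mask: 0x001f01ff = full control, 0x001200a9 = read+execute
    sid: str       # full SID or alias such as DA, BA, SY, AU

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, set_of_aces) for one descriptor.
    Whitespace is dropped first because mail clients wrap long SDDL lines."""
    s = "".join(sddl.split())
    owner = OWNER_RE.search(s).group(1)
    group = GROUP_RE.search(s).group(1)
    m = DACL_RE.search(s)
    flags = m.group(1) if m else ""
    aces = set()
    for body in ACE_RE.findall(s):
        p = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        aces.add(Ace(p[0], p[1], p[2], p[5]))
    return owner, group, flags, aces

def diff_sddl(actual, expected):
    """Owner/group/flag differences plus ACEs missing from or surplus in actual."""
    ao, ag, af, aa = parse_sddl(actual)
    eo, eg, ef, ea = parse_sddl(expected)
    return {
        "owner": None if ao == eo else (ao, eo),
        "group": None if ag == eg else (ag, eg),
        "dacl_flags": None if af == ef else (af, ef),
        "missing": sorted(ea - aa),   # ACEs aclcheck wants but did not find
        "extra": sorted(aa - ea),     # ACEs present that aclcheck does not expect
    }

# The two descriptors from the aclcheck error in this thread, line wraps left in place.
ACTUAL = ("O:LAG:S-1-22-2-0D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff ;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;;;;WD)(A;;0x001f01ff;; ;S-1-22-2-0)"
          "(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;; SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
```

Running diff_sddl(ACTUAL, EXPECTED) shows the owner (LA vs DA), group (a Unix group SID vs DA) and the missing PAR flags, and that the DA, EA and ED entries aclcheck wants are absent while the BUILTIN\Administrators, Server Operators and Unix-mapped entries it does not expect are present.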
> Yes, there are three places where permissions are stored on sysvol (4 if you count in AD): the standard Linux permissions 'ugo', POSIX
> ACLs as shown by getfacl, and an EA (this is where the ACLs are stored when set from Windows).
>
> Try running 'samba-tool ntacl get /var/lib/samba/sysvol --as-sddl', this should produce something similar to this:
>
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> Try checking using that, but you will have to do it file by file etc.
>
> I personally would set the permissions from Windows and ignore sysvolcheck/reset. Also ensure that Domain Admins does not have a
> gidNumber if you are using the RFC2307 attributes.
>
> Rowland

Yes, I get similar output but it's not what sysvolcheck is expecting. Well, I suppose sysvolcheck isn't happy with the permissions, but as GPOs are able to be edited, changed and are applied to both computers and users, then I assume this can be ignored.

I got the ACL settings from Louis' script, but does the Wiki stipulate what they should be? If so, setting them to what sysvolcheck expects - will that make this error go away? Is it a bug in sysvolcheck?

Thanks,
Roy