> Yes, there are three places where permissions are stored on sysvol (4 if you count in AD), the standard Linux permissions 'ugo', POSIX ACLs as shown by getfacl and an EA (this is where the ACLs are stored when set from Windows).
>
> Try running 'samba-tool ntacl get /var/lib/samba/sysvol --as-sddl', this should produce something similar to this:
>
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> Try checking using that, but you will have to do it file by file etc.
>
> I personally would set the permissions from Windows and ignore sysvolcheck/reset. Also ensure that Domain Admins does not have a gidNumber if you are using the RFC2307 attributes.
>
> Rowland

Yes, I get the similar output but it's not what sysvolcheck is expecting. Well I suppose sysvolcheck isn't happy with the permissions, but as GPOs are able to be edited, changed and are applied to both computers and users then I assume this can be ignored. I got the acl settings from Louis' script, but does the WiKi stipulate what they should be? If so setting them to what sysvolcheck expects - will that make this error go away? Is it a bug in sysvolcheck?

Thanks,

Roy

On Wed, 20 May 2020 at 14:48, Roy Eastwood via samba <samba at lists.samba.org> wrote:

> Yes, I get the similar output but it's not what sysvolcheck is expecting. Well I suppose sysvolcheck isn't happy with the permissions, but as GPOs are able to be edited, changed and are applied to both computers and users then I assume this can be ignored. I got the acl settings from Louis' script, but does the WiKi stipulate what they should be? If so setting them to what sysvolcheck expects - will that make this error go away? Is it a bug in sysvolcheck?

For what it's worth, I've found sysvolcheck to be quite opaque and not always giving results that are understandable to me. Similarly to your experience, my setup is now working but sysvolcheck still complains.. I'm at the point where I daren't run sysvolcheck for fear that it might change my GPO permissions *away* from the working values I currently have.

I did try and improve things a few years back, but found so many layers in the stack (just from memory - Python code, python libraries, C code, VFS code, and probably more) that enhancing the error reporting (for example to show *which file* an error related to) just required more tuits than I had available then. It's one of those "itch" things - I spent quite a few weeks on and off, trying to use this itch of mine to improve the error reporting, but ultimately gave up and I now avoid sysvolcheck.. sorry..

Cheers

J

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein

On 26/05/2020 15:43, Jonathan Hunter via samba wrote:

> For what it's worth, I've found sysvolcheck to be quite opaque and not always giving results that are understandable to me. Similarly to your experience, my setup is now working but sysvolcheck still complains.. I'm at the point where I daren't run sysvolcheck for fear that it might change my GPO permissions *away* from the working values I currently have.

sysvolcheck will not change anything, but it will probably error out ;-)

> I did try and improve things a few years back, but found so many layers in the stack (just from memory - Python code, python libraries, C code, VFS code, and probably more) that enhancing the error reporting (for example to show *which file* an error related to) just required more tuits than I had available then. It's one of those "itch" things - I spent quite a few weeks on and off, trying to use this itch of mine to improve the error reporting, but ultimately gave up and I now avoid sysvolcheck.. sorry..

The problem starts from the moment you provision a Samba domain: Samba appears to use different ACLs to the Windows ACLs and then sysvolreset, again, uses different ACLs. I also attempted to fix sysvolreset, but failed because the underlying C code appeared to have problems, something I could not fix (I cannot write C).

Rowland
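
The SDDL string quoted at the start of the thread can be decoded ACE by ACE, which makes the file-by-file comparison of `samba-tool ntacl get ... --as-sddl` output easier to read. This is an added example, not part of the original messages and not Samba code; `parse_sddl`, `describe` and `diff_dacl` are hypothetical helper names, the alias and mask tables cover only the values in the quoted string, and the second SDDL string is constructed.

```python
import re

# Aliases and masks limited to the values in the SDDL string quoted in the thread.
SIDS = {"LA": "Local Administrator", "BA": "Builtin Administrators",
        "SO": "Server Operators", "SY": "Local System", "AU": "Authenticated Users"}
MASKS = {0x001F01FF: "full control", 0x001200A9: "read and execute"}
LAYOUT = re.compile(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^()]*\))*)")

THREAD_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
# Constructed for illustration: SO entry absent, AU widened to full control.
CONSTRUCTED_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)"
                    "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;AU)")


def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string into its parts (no SACL support)."""
    m = LAYOUT.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    owner, group, flags, ace_blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^()]*)\)", ace_blob):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 fields: (%s)" % body)
        ace_type, ace_flags, rights, _obj, _inh_obj, trustee = fields
        mask = int(rights, 16) if rights.lower().startswith("0x") else rights
        aces.append((ace_type, ace_flags, mask, trustee))
    return {"owner": owner, "group": group, "dacl_flags": flags, "aces": aces}


def describe(ace):
    ace_type, ace_flags, mask, trustee = ace
    verb = {"A": "allow", "D": "deny"}.get(ace_type, ace_type)
    what = MASKS.get(mask, hex(mask) if isinstance(mask, int) else mask)
    return "%s %s: %s [%s]" % (verb, SIDS.get(trustee, trustee), what, ace_flags)


def diff_dacl(expected, actual):
    """Return (missing, unexpected) ACE descriptions, comparing actual to expected."""
    want, got = parse_sddl(expected)["aces"], parse_sddl(actual)["aces"]
    return ([describe(a) for a in want if a not in got],
            [describe(a) for a in got if a not in want])


if __name__ == "__main__":
    missing, unexpected = diff_dacl(THREAD_SDDL, CONSTRUCTED_SDDL)
    print("missing:", missing, "\nunexpected:", unexpected)
```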