Rowland penny
2021-Apr-06 10:46 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On 06/04/2021 11:32, Stefan Bellon wrote:> On Tue, 06 Apr, Rowland penny via samba wrote: > >> The reason why you get that error is because you have given Domain >> Admins a gidNumber, > But that is not my case. Domain Admins DOES NOT have a gidNumber > attribute (neither does Domain Users). > >> this means that 'O:DA' can never happen. I have multiple GPO's in >> sysvol and this happens: >> >> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolreset >> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolcheck >> pi at rpidc1:~ $ >> >> Absolutely no errors, this is with Samba 4.14.2 > After a "sysvolreset" a subsequent "sysvolcheck" works without any > issues for me as well. This is not my issue. > > My issue is that it throws the error as soon as I have edited a GPO > from RSAT, because that somehow changed the permissions in an > "unexpected" way. > > Greetings, > Stefan >Hi Stefan, if I write a script to read all the permissions on Sysvol, (Unix, getfacl and 'samba-tool ntacl get'), are you prepared to run it on a DC before you add a GPO and then again after, then send me the resultant outputs ? This may help to point to where the problem lies. Rowland
Stefan Bellon
2021-Apr-06 10:53 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On Tue, 06 Apr, Rowland penny via samba wrote:> Hi Stefan, if I write a script to read all the permissions on Sysvol, > (Unix, getfacl and 'samba-tool ntacl get'), are you prepared to run > it on a DC before you add a GPO and then again after, then send me > the resultant outputs ?Yes, of course. I'm happy to provide this information. Greetings, Stefan -- Stefan Bellon