On Fri Jul 28 03:41:45 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On 27/07/2023 23:03, Mark Foley via samba wrote:
> > On Tue Jul 25 15:34:15 2023 Rowland Penny <rpenny at samba.org> wrote:
> >
> >> On 25/07/2023 20:09, Mark Foley via samba wrote:
> >>
> >>> One of the recommended solutions was using rsync, similar to what I theorized.
> >>> I'll try that and post back.
> >
> > [deleted]
> >
> > OK, I did the rsync method for SysVol replication. It appears to have worked and
> > copied the ACLs as well.
> >
> > I then ran the sysvolreset. It took longer, but still gave some errors, though
> > not as many:
> >
> > # samba-tool ntacl sysvolreset
> > set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
> > File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
> > return self.run(*args, **kwargs)
> > File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 412, in run
> > provision.setsysvolacl(samdb, netlogon, sysvol,
> > File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
> > set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> > File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
> > setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
> > File "/usr/lib64/python3.9/site-packages/samba/ntacls.py", line 228, in setntacl
> > smbd.set_nt_acl(
> >
> > Is this ignorable? Fixable? It doesn't mean much to me.
> >
> > Note that samba is not yet running, nor is the DNS working yet.
> >
> > Thanks --Mark
> >
>
> Samba stores the GPOs in sysvol and in AD. The way that sysvolreset
> works is, it reads the GPOs in AD and then uses this information to set
> the permissions for the GPOs on disk. It looks to me that you have more
> GPO's in AD than you have on disk, it is trying to set the permissions
> for a GPO that isn't on disk. I would compare sysvol on both machines.
>
> Rowland

After checking with the previous run, these sysvolreset errors are the same as
before, so syncing the sysvol didn't make any difference.

You wrote: "It looks to me that you have more GPO's in AD than you have on
disk, ...". So, where are the "AD" versus "on disk" GPOs located? Is one of
these locations /var/lib/samba/sysvol/hprs.local/policies/? I've rsync'ed the
sysvol again. They are identical between the machines.

Is this error possibly ignorable? I've checked and the rsync did copy the ACL
attributes to the sysvol files and folders, so maybe this "ntacl sysvolreset"
isn't really making any changes?

Thanks --Mark
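
Added example, not part of the original thread: a sketch of the comparison suggested in the quoted reply, checking the GPO GUIDs that AD knows about against the GUID-named folders in sysvol. The sample `samba-tool gpo listall` output, the GUIDs and the function names are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample in the layout printed by `samba-tool gpo listall`,
# trimmed to two fields; the GUIDs are made up for this example.
SAMPLE_LISTALL = """\
GPO          : {AAAAAAAA-1111-1111-1111-111111111111}
display name : Example Policy A

GPO          : {BBBBBBBB-2222-2222-2222-222222222222}
display name : Example Policy B
"""

GPO_LINE = re.compile(r"^GPO\s*:\s*(\{[0-9A-Fa-f-]{36}\})\s*$", re.M)
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def gpos_in_ad(listall_text):
    """GUIDs of the GPO objects stored in AD, upper-cased for comparison."""
    return {guid.upper() for guid in GPO_LINE.findall(listall_text)}


def gpos_on_disk(policies_dir):
    """GUID-named folders under the sysvol Policies directory, upper-cased."""
    return {e.name.upper() for e in os.scandir(policies_dir)
            if e.is_dir() and GUID_DIR.match(e.name)}


def compare(listall_text, policies_dir):
    """Return (in AD but not on disk, on disk but not in AD), each sorted."""
    ad, disk = gpos_in_ad(listall_text), gpos_on_disk(policies_dir)
    return sorted(ad - disk), sorted(disk - ad)


def demo():
    """Run the comparison against a constructed Policies directory."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("{aaaaaaaa-1111-1111-1111-111111111111}",
                     "{CCCCCCCC-3333-3333-3333-333333333333}"):
            os.mkdir(os.path.join(root, name))
        return compare(SAMPLE_LISTALL, root)


if __name__ == "__main__":
    missing_on_disk, not_in_ad = demo()
    print("In AD, no folder on disk:", missing_on_disk)
    print("On disk, no object in AD:", not_in_ad)
```

On a DC, `compare()` would take the text printed by `samba-tool gpo listall` and the path of the policies folder inside sysvol; a GUID in the first list is a GPO object in AD with no matching folder on disk.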