similar to: ERROR in samba-tool ntacls get

On two Samba 4.4.2/4.4.3 member servers, "samba-tool ntacl get --as-sddl" gives the following error: ERROR: Unable to read domain SID from configuration files Which configuration files is it referring to? Without "--as-sddl" the command gives a correct output. It would be nice to get the permissions in sddl format... The same command works as expected on two AC DCs.

I get this error when I run samba-tool ntacl sysvolcheck ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)) There are two GPO directories. One is the Default Domain Controllers Policy and one is the Default Domain Policy It looks like it's the Default Domain Policy that's

This might be more inclusive if I said, Linux Permissions vs POSIX ACLs vs vfs_xattr. I have recently begun to discover the power and flexibility of using POSIX ACLs (by mounting my EXT3/4 filesystems with the acl option). This solved alot of security permissions issues between Samba and Linux groups of users. As I have delved into this deeper and begun using the VFS object, vfs_xattr, things

Hi, most file access rights sync between ACLs of linux and the security tab of windows file properties, but not all. Where are the other infos stored? I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither output changed when using windows to add individual right for a user that already has rights inherited from the parent directory. Windows remembers every

> On 29.09.2017 11:44 Rowland Penny wrote: > Have you set up the libnss_winbind links, PAM and /etc/nsswitch.conf ? Yes, I had modified two lines in /etc/nsswitch.conf: passwd: files winbind group: files winbind No, I had not seen a pointer to libnss, but now did ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/ ln -s

For completeness: The existing GPO: # samba-tool ntacl get --as-sddl \{07AF723D-5FFD-4807-B3C6-DFCE911B922A\}/ O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) The newly created GPO: # samba-tool ntacl get --as-sddl \{0C0B713E-EE65-4ACE-88AE-25125E2AAE00\}/

> Hi, this is because when you use '--as-sddl', the python code does this: > > if as_sddl: > try: > domain_sid = security.dom_sid(samdb.domain_sid) > except: > raise CommandError("Unable to read domain SID from > configuration files") >

Am 2019-08-26 um 16:35 schrieb Rowland penny via samba: > On 26/08/2019 15:20, ? Peter Rindfuss via samba wrote: >> Hi, >> >> I have a question regarding permissions at the top of a share as seen >> from a Windows 10 client. >> >> We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with >> one AD controller and one file server. >>

Mandi! Rowland Penny via samba In chel di` si favelave... >> acl_xattr:default acl style = windows >> acl_xattr:ignore system acls = yes > Why have you added those two last lines ? Ahem, really you need an answer?! ;-) I don't remember... ;-((( >> What i'm missing?! Thanks. > Well, because you have added this line: > acl_xattr:ignore system

> > However the acls via getfacl for the two GPO's are identical. Your sure? > I don't know if that will be problematic down the road or not. No, thats fine. But run on the 2 folders : samba-tool ntacl get --as-sddl FOLDERHERE Compair the 2 outputs. There must be a difference. Well, at least it works now for you.. Greetz, Louis

First of all thank you all for the answers and for trying to help me. I agree with you michael regarding the parameters passed in the ./configure command, the location is not part of the problem. The file system used is XFS. and the strace command logs are in the attached link https://drive.google.com/file/d/1R_b6TzeJVmNIpnlkPfRk0CtkpeU4dgcg/view?usp=share_link Rowland, the result of the

Hi, Is it normal that "chown $user $file" and "chown :$group $file" destroy the Windows-ACLs? Is it normal that changing the file owner in Windows does not change the file owner in Linux, but changing the file owner in Linux does change the file owner in Windows? This should be mentioned in >

Many first time users of Samba-4 seem to struggle with the same issues. I suggest the Wiki should have a Readme First similar like this: http://www.klaus-hartnegg.de/gpo/14-03-12-samba4.html It basicly says that Samba 4 can behave either like Samba 3, or as AD-DC, in which case it should do nothing else. Then it lists the main differences, limitations, and requirements. I would love to see a

On 02/04/2023 09:21, Michael Tokarev via samba wrote: > Neither of the 3 should be a problem. Especially the ones which > are already set by default.? --enable-fhs uses slightly different > layout within $prefix, that's all. The build-time configuration > looks entirely okay. You may be correct Michael, but I still wouldn't use '--enable-fhs' by itself. > >

On 11/28/2014 9:23 AM, Klaus Hartnegg wrote: > > Is there anything else that I could try, > or do I just have to stay on protocol NT1 > as long as we still use this old software? > > Klaus Try in [global] acl allow execute always=true -- Regards -------------------------------------- Gerald Drouillard Technology Architect Drouillard & Associates, Inc.

On 28/03/2023 19:47, Peter Carlson via samba wrote: > > On 3/28/23 11:22, Rowland Penny via samba wrote: >> >> >> On 28/03/2023 18:43, Peter Carlson via samba wrote: >>> bumping the log to 5, there are a few more lines right before >>> NT_STATUS_ACCESS_DENIED, could the EA error be a clue? >> >> I do not think so, that is what you are trying

On Wed, May 13, 2015 at 1:20 PM, Klaus Hartnegg <hartnegg at uni-freiburg.de> wrote: > Am 13.05.2015 um 17:30 schrieb S?bastien Le Ray: > >> No they aren't >>> >> >> Yes they are >> > > Not sure about this, but mostly irrelevant anyway, because of this effect > in the other direction: > > If you have set Windows ACLs, and then change

Hi, The group that is mapped to rid=512 cannot be used in "valid users", the users cannot map the share (error 5). Is this normal? Should I file a bug? Version 4.1.6-Ubuntu server role = classic primary domain controller smb.conf: valid users = +smbadmin command: net groupmap add ntgroup="Domain Admins" unixgroup=smbadmin rid=512 type=d As soon as I remove the group

On 25/10/2020 20:37, Sonic wrote: > The reset allowed the current GPO to take effect, but right after > adding a new GPO (just named it, no editing, or linking) the > sysvolcheck fails: > # samba-tool ntacl sysvolcheck > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception > - ProvisioningError: DB ACL on GPO directory >

On Tue, 28 Nov 2023 16:00:22 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > > In a fresh samba AD domain i'm setting up the 'Profiles' share for > roaming profiles, following the wiki: > > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > >