similar to: Problem sysvolreset

No, I dont agree/believe you.. ... because of my setup. On the a samba member. ( 4.5/4.6) getent group "Domain Admins" domain admins:x:10001:admin,administrator I run more then a year like this. On the Samba DC ( 4.5.3) NTDOM\domain admins:x:3000008 All others are ok on the dc. BAZRTD\domain users:x:10000 BAZRTD\domain guests:x:10002: It works fine here, this is what i want.

On Tue, 21 Mar 2017 16:24:31 +0100 L.P.H. van Belle <belle at bazuin.nl> wrote: > Hai Rowland, > > Can post your exact command you used, so im sure i dont get different > outputs. > OK, on a windows 21012R2 DC: Get-Acl C:|Windows\SYSVOL\sysvol\domain.local\Policies\'{5FD30AA2-B678-422C-9C0E-4E270488EDE4}' | Format-List NOTE: The above is all one line. Which

On Tue, 7 Mar 2017 10:26:03 -0800 Kris Lou via samba <samba at lists.samba.org> wrote: > Hang on, can you explain this a little further? I thought that Domain > Admins was issued gidNumber 512 by default. In addition, sysvolreset > is not recommended to fix potential SysVol replication problems with > GPO perms? > No Domain Admins doesn't get gidNumber 512 by default,

On 1/31/24 11:19, Rowland Penny via samba wrote: > When I logged into Windows and connected to a share that has > 'acl_xattr:ignore system acls = yes' set and right clicked on its icon > in Explorer and selected 'Properties', I found that 'EVERYONE' was > listed. I removed 'EVERYONE', clicked 'Apply' then 'OK', which > completed

On Wed, 31 Jan 2024 10:09:53 +0100 Ralph Boehme via samba <samba at lists.samba.org> wrote: > On 1/31/24 09:50, Peter Milesson via samba wrote: > > The crucial problem here is, that Everyone (yes, really everyone) > > can write to the root share. > > why don't you just change it? That's how it's supposed to work. > > -slow > It might be

On Wed, 31 Jan 2024 11:53:44 +0100 Ralph Boehme <slow at samba.org> wrote: > On 1/31/24 11:19, Rowland Penny via samba wrote: > > When I logged into Windows and connected to a share that has > > 'acl_xattr:ignore system acls = yes' set and right clicked on its > > icon in Explorer and selected 'Properties', I found that 'EVERYONE' > > was

Well, we are getting somewere...;) >It is probably 'greyed' out because no Windows tools use it or will add it. You will probably need to use Unix tools (ldb or ldap) to remove>them, but you can if you so wish ignore them. What you should never do is to rely on them being there, because they may or may not be there.Ok, I'll let it be there> You need to remove the gidNumber

I am getting a permission denied when trying to ls as a domain user a samba mount with windows ACLs (sigh I thought I had this figured out).? I tried to include self descriptive server names and include them in the info below (fs1: file server, nc: addc, u2gui: ubuntu desktop) CARLSON\peter at u2gui:~$ ls -l /mnt ls: cannot access '/mnt/test': Permission denied total 0

Hi all, Some (then all) of our workstations were complaining about incorrect ACLs on GPOs and were unable to read the gpt.ini to apply the GPOs. So I did a sysvolcheck and sure enough I'd lost the ACLs when I moved our sysvol share to a new location on the server (whoops, mea culpa). I ran a sysvolreset which took a long time to return (some 5 minutes, please see my post on slow winbind

For completeness: The existing GPO: # samba-tool ntacl get --as-sddl \{07AF723D-5FFD-4807-B3C6-DFCE911B922A\}/ O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) The newly created GPO: # samba-tool ntacl get --as-sddl \{0C0B713E-EE65-4ACE-88AE-25125E2AAE00\}/

Hai, ? im running samba 4.2.2 sernet on debian. ? when i run : samba-tool gpo aclcheck -UAdministrator ? im getting : ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) and it tells me it should be O:DAG:DAD:P?

On Sun, Oct 25, 2020 at 3:31 PM Rowland penny via samba <samba at lists.samba.org> wrote: > OK, if you look at the end of the permissions, there is a '+' sign, this > shows that extended acls set, to see these: > > getfacl /usr/local/samba/var/locks/sysvol The difference in acls is that the non-working domain includes: user:3000001:r-x user:3000002:rwx user:3000003:r-x

Samba 4.4.2 I was doing some maintenance work and I noticed that sysvolcheck gave some error. I ran "samba-tool ntacl sysvolreset". Running sysvolcheck again still gives errors. I tried with several sysvol backups and the result is always the same. The affected policies are always "Default Domain Policy" and "Default Domain Controllers Policy". These policies

> You could try using a script Louis wrote, see here: > https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh > > The 'idmap config' lines are nothing to worry about, you cannot set them on a DC, but, for some reason, testparm etc warns about > them. > > Rowland > Sorry, I should have said - I ran louis' script and set the acl's according

Hi guys! I´m experiencing a problem with samba 4 policies and acl and i don´t known how it starded to do. Some problems like copy Policies, edit them, etc. It seems like permissions, but i´ve checked the list and can´t find a solution. Here are some outputs that i hope can help to understand: # Sysvol permissions: drwxrwxrwx+ 3 root DOMAIN\domain admins 4096 Mar 7 12:17 sysvol #

Dear All, I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that GPO are having issue Specifically when I'm adding new using they *never *got the gpupdate success fully. When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset But don't seem to got it fix.. Any suggestion? Thank in advance. #samba-tool ntacl sysvolcheck Processing section

Hi! I executed the command "samba-tool ntacl sysvolcheck" on a DC and I got the following I pasted below. The first DC was provisioned migrating from a samba NT4 PDC with an LDAP backend using the classic upgrade procedure. I haven't detected any problem but I wanted to make sure there isn't any problem I might not be seeing yet. ERROR(<class

On Sun, Oct 25, 2020 at 4:02 PM Rowland penny via samba <samba at lists.samba.org> wrote: > What do you mean by 'working domain' and 'non-working domain' ? > Do you have two domains ? Different sites, different companies, not related. The working one was also a classic upgrade but earlier on, pre 4.6.x. Just using it to compare. > I am also trying to understand why

Hi everybody. One month ago me migrated from samba 3.6 classic domain to samba4. After solving some minor problems, we have found ourselves with a ACL corruption and we don't know how to deal with this. When accesing to our sysvol shared (for example, \\domain.local\sysvol) from both Samba or Windows clients, we are refused to connect. Domain=[VECTORSF] OS=[Unix] Server=[Samba 4.1.4]

Hi all, We'er running a classicupgraded samba4 AD 4.1.6 sernet for a month or two now, and all is very well. :-) It has been classicupgraded using the same 4.1.6. Today I wanted to try GPO's and they are not applied. GPUpdate /force tells me: "Windows attempted to read the file blahblah\gpt.ini from a domain controller and was not successful". Taken from the mailinglist, I