Re: [Samba] samba4, GPO and SYSVOL permissions errors
Michael Wood
samba-technical is a better place for this while samba 4 is still in
Alpha. I have copied my reply there.
On 5 January 2011 11:50, Leo Lutz <ske...@gmail.com> wrote:
> I'm getting an interesting problem. I can create/rename/delete/edit policies,
> but I can't change the security filtering or delegation settings.
>
> When I first open any policy, I get the following:
>
> "The permissions for this GPO in the SYSVOL folder are inconsistent with those
> in Active Directory. It is recommended that these permissions be consistent.
> To change the SYSVOL permissions to those in Active Directory, click OK."
>
> So I click OK and I get "Access is denied."
>
> The error I get in samba.log follows:
>
> [Wed Jan 5 18:34:18 2011 PWT, 0
> ../ntvfs/posix/pvfs_acl.c:567:pvfs_access_check_unix()]
> ../ntvfs/posix/pvfs_acl.c:567 denied access to
> '/var/lib/samba/sysvol/pcd.example.com/Policies/
> {3D1F2B0A-B0F7-44C1-BA1A-2C5D03DFC0ED}' -
> wanted 0x00060000 but got 0xfef3ffff (missing 0x00040000)
>
> How do I fix this?
What version of Samba 4 is that?
Have you tried increasing the debug level to see if it gives you more
information?
What ACLs do you have on the Policies directory?
--
Michael Wood <esio...@gmail.com>
Leo Lutz
> Hi
>
> samba-technical is a better place for this while samba 4 is still in
> Alpha. I have copied my reply there.
>
> On 5 January 2011 11:50, Leo Lutz <ske...@gmail.com> wrote:
>> I'm getting an interesting problem. I can create/rename/delete/edit policies,
>> but I can't change the security filtering or delegation settings.
>>
>> When I first open any policy, I get the following:
>>
>> "The permissions for this GPO in the SYSVOL folder are inconsistent with those
>> in Active Directory. It is recommended that these permissions be consistent.
>> To change the SYSVOL permissions to those in Active Directory, click OK."
>>
>> So I click OK and I get "Access is denied."
>>
>> The error I get in samba.log follows:
>>
>> [Wed Jan 5 18:34:18 2011 PWT, 0
>> ../ntvfs/posix/pvfs_acl.c:567:pvfs_access_check_unix()]
>> ../ntvfs/posix/pvfs_acl.c:567 denied access to
>> '/var/lib/samba/sysvol/pcd.example.com/Policies/
>> {3D1F2B0A-B0F7-44C1-BA1A-2C5D03DFC0ED}' -
>> wanted 0x00060000 but got 0xfef3ffff (missing 0x00040000)
>>
>> How do I fix this?
>
> What version of Samba 4 is that?
> Have you tried increasing the debug level to see if it gives you more
> information?
Nope, this is all new to me. What's the default level and what should
I up it too?
> What ACLs do you have on the Policies directory?
Everyone and Administrators groups have read access. Administrator has
full access, but even logged in as that account, I run into problems.
The permissions of each policy's directory are a jumbled mess. I would
have thought there would be some inheritance being used.
>
> --
> Michael Wood <esio...@gmail.com>
>
cheers!
Leo
Michael Wood
> On Thu, Jan 6, 2011 at 04:10, Michael Wood <esio...@gmail.com> wrote:
>> On 5 January 2011 11:50, Leo Lutz <ske...@gmail.com> wrote:
>>> I'm getting an interesting problem. I can create/rename/delete/edit policies,
>>> but I can't change the security filtering or delegation settings.
>>>
>>> When I first open any policy, I get the following:
>>>
>>> "The permissions for this GPO in the SYSVOL folder are inconsistent with those
>>> in Active Directory. It is recommended that these permissions be consistent.
>>> To change the SYSVOL permissions to those in Active Directory, click OK."
>>>
>>> So I click OK and I get "Access is denied."
>>>
>>> The error I get in samba.log follows:
>>>
>>> [Wed Jan 5 18:34:18 2011 PWT, 0
>>> ../ntvfs/posix/pvfs_acl.c:567:pvfs_access_check_unix()]
>>> ../ntvfs/posix/pvfs_acl.c:567 denied access to
>>> '/var/lib/samba/sysvol/pcd.example.com/Policies/
>>> {3D1F2B0A-B0F7-44C1-BA1A-2C5D03DFC0ED}' -
>>> wanted 0x00060000 but got 0xfef3ffff (missing 0x00040000)
>>>
>>> How do I fix this?
>>
>> What version of Samba 4 is that?
> 4.0.0alpha12-GIT-UNKNOWN
Did you use the "rsync" method mentioned in the Samba 4 HOWTO to get
the source code? It seems you did not have git installed when you
compiled Samba 4, so there's no revision specified.
>> Have you tried increasing the debug level to see if it gives you more
>> information?
> Nope, this is all new to me. What's the default level and what should
> I up it too?
testparm will tell you what it's currently set to, but 0 is the default.
$ testparm --suppress-prompt -v | grep "log level"
log level = 0
Perhaps try setting it to 10 while troubleshooting this issue.
>> What ACLs do you have on the Policies directory?
> Everyone and Administrators groups have read access. Administrator has
> full access, but even logged in as that account, I run into problems.
> The permissions of each policy's directory are a jumbled mess. I would
> have thought there would be some inheritance being used.
Well, I'm not using Samba 4 for file sharing, policies, etc. so I
can't really help you there. Perhaps someone else can comment.
--
Michael Wood <esio...@gmail.com>