The Samba-Bugzilla – Bug 5483
GPO: Inconsistent permissions for SYSVOL folder
Last modified: 2010-01-31 03:56:26 UTC
4.0.0alpha4-GIT-0c09d28 and at least 4.0.0alpha3
Group Policy Management MMC throws the following Windows error:
"The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. Contact an administrator who has rights to modify security on this GPO.
For more information, see the Microsoft Knowledge Base article: http://go.microsoft.com/fwlink/?LinkId=20066"
Standard install and provisioning, just left click on:
GPM->Forest->Domains->###->Group Policy Objects->Default Domain Policy
[Wed May 21 23:46:10 2008 EDT, 0 lib/events/events.c:212:event_context_init()]
New event context requested. Parent: [NULL:(nil)]
but this appears often with 4.0.0alpha4-GIT-0c09d28, no other error reported in smbd.log
On what platform is this bug reproducible (is it Windows XP)?
Sorry for the delay, I was on vacation.
That was a winxpsp3 box (5.1.2600). It might well be an intermittent error that depends on the provisioning of the domain, as the machine has since joined without throwing the error. We've been provisioning test domains a LOT, and I reported it on the first error I saw.
So I'm going to close this now as "INVALID". If the problem happens again, please reopen this one!
So, the bug doesn't seem to be resolved (http://lists.samba.org/archive/samba-technical/2008-August/060567.html), so I'm reopening it.
The problem (taken from email):
"The permissions for this GPO in the SYSVOL folder are inconsistent with
those in Active Directory. It is recommended that these permissions be
consistent. Contact an administrator who has rights to modify security on
This happens because GPMC compares NT ACLs of the directories in "sysvol/Policies" with the "NTSecurityDescriptor" stored in LDAP, in
I already tried to change the NT ACLs on directories in sysvol to make them identical to those in LDAP and thus avoid this message, but never succeeded.
I think more work should be done on NT ACL handling in Samba4, particularly the default ACLs. I looked into the code some time ago and it doesn't seem very easy.
To demonstrate this error under Windows 2003 server:
Create a GPO, then change the NT ACLs on the GPO directory in SYSVOL, for example, delete one entry.
When you select the GPO object, the message will pop up, with an "Ok" button and a "Cancel" one (I think).
If you click "Ok", w2k3 changes the ACLs on the directory back to conforming values and the message doesn't show up again.
With Samba 4, you only get an "Ok" button, but the ACLs are not modified on the GPO directory.
This is the MS article about this:
I also found the following glitches:
- The Unix root group is not correctly mapped. (S-1-22-2-0)
A workaround is to chown root:users and set the GID; then the group is mapped to "Domain Users".
- Also, the ACL inheritance flag seems to be set for any directory and subdirectory of a share, but inheritance doesn't "take effect". A w2k3 server won't set the default ACLs this way; it uses inheritance, I think.
(Not sure that I'm very clear, but comparing default NT ACLs on a Samba share and those on a w2k3 shows differences; virtual machines are helpful
In autumn we've worked a bit on ACLs (especially NULL DACLs). Maybe this has improved. Are you still able to reproduce this?
I tested today with both ADCU standard snap-in for group policy and with the gpmc snap-in.
Both do not report the problem anymore, but the difference of rights still exists.
I guess that the provision script should be modified to add the correct NTACL; that's gonna be fun ...
I vote for leaving this bug open.
Does someone have an interest in investigating this (to find the correct ACL) and writing a patch for the *.ldif files under "setup/"?
Matias: in my opinion the problem does not lie in the LDIF files but in the ACL of the folder, which is not the same as the ACL because the provision script makes a simple mkdir for the policy folders.
The solution is to change the ACL of the folder just after the mkdir.
I am currently working on a setntacl program that would allow doing so ...
Matthieu, did you do some additional research on a "setntacl" tool?
Or maybe we should just use the "libcli" Python bindings in the provision script. Maybe I'll also have a look at this.
Part of the problem lies in bug 6756.
This problem has been solved starting from changeset 3471d3677a781e6a03e1a8010946aa82ad7aad83; Samba4 correctly supports ACLs on GPO objects and files associated with GPOs.
Can be closed.
Marking as "FIXED". Thanks for your cooperation, ekacnet!