Bug 5483 - GPO: Inconsistent permissions for SYSVOL folder
Summary: GPO: Inconsistent permissions for SYSVOL folder
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: x86 Windows XP
Importance: P3 minor
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Blocks: 6600
Reported: 2008-05-21 22:48 UTC by mike wilkinson
Modified: 2010-01-31 03:56 UTC (History)

Description mike wilkinson 2008-05-21 22:48:31 UTC
4.0.0alpha4-GIT-0c09d28 and at least 4.0.0alpha3

Group Policy Management MMC throws the following windows error:

"The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. Contact an administrator who has rights to modify security on this GPO.

For more information, see the Microsoft Knowledge Base article: http://go.microsoft.com/fwlink/?LinkId=20066"

Standard install and provisioning, just left click on:

GPM->Forest->Domains->###->Group Policy Objects->Default Domain Policy

smbd.log shows:
[Wed May 21 23:46:10 2008 EDT, 0 lib/events/events.c:212:event_context_init()]
New event context requested. Parent: [NULL:(nil)]

but this message appears often with 4.0.0alpha4-GIT-0c09d28; no other error is reported in smbd.log.
Comment 1 Matthias Dieter Wallnöfer 2008-07-03 03:08:45 UTC
On what platform is this bug reproducible (is it Windows XP)?
Comment 2 mike wilkinson 2008-07-07 08:38:49 UTC
Sorry for the delay, I was on vacation.

That was a winxpsp3 box (5.1.2600). It might well be an intermittent error that depends on the provisioning of the domain, as the machine has since joined without throwing the error. We've been provisioning test domains a LOT, and I reported it on the first error I saw. 

Comment 3 Matthias Dieter Wallnöfer 2008-08-02 08:41:07 UTC
So I'm going to close this now as "INVALID". If the problem happens again, please reopen this one!
Comment 4 Matthias Dieter Wallnöfer 2008-08-07 11:12:55 UTC
So, the bug doesn't seem to be resolved (http://lists.samba.org/archive/samba-technical/2008-August/060567.html), so I'm reopening it.
Comment 5 Matthias Dieter Wallnöfer 2008-08-07 11:15:51 UTC
The problem (taken from email):

"The permissions for this GPO in the SYSVOL folder are inconsistent with
those in Active Directory. It is recommended that these permissions be
consistent. Contact an administrator who has rights to modify security on
this GPO."

This happens because GPMC compares the NT ACLs of the directories in
"sysvol/Policies" with the "NTSecurityDescriptor" stored in LDAP, in

I already tried to change the NT ACLs on directories in sysvol to make these
identical to those in LDAP, and thus avoid this message, but never succeeded.
I think more work should be done on NT ACL handling in Samba4,
particularly the default ACLs. I looked into the code some time ago and it
doesn't seem very easy.

To demonstrate this error under Windows 2003 server:
Create a GPO, then change the NT ACLs on the GPO directory in SYSVOL, for
example, delete one entry.
When you select the GPO object, the message will pop up, with an "Ok"
button, and a "Cancel" one (I think).
If you click "Ok", w2k3 changes the ACLs on the directory back to conforming values
and the message doesn't show up again.

With Samba 4, you only get an "Ok" button, but the ACLs are not modified on
the GPO directory.

This is the MS article about this:

I also found the following glitches:
- The Unix root group is not correctly mapped. (S-1-22-2-0)
A workaround is to chown root:users and set the GID; then the group is
mapped to "Domain Users".
- Also, the ACL inheritance flag seems to be set for any directory and sub
directory of a share, but inheritance doesn't "take effect". A w2k3 server
won't set the default ACLs this way; it uses inheritance, I think.
(not sure that I'm very clear, but comparing default NT ACLs on a Samba
share with those on a w2k3 server shows differences; virtual machines are helpful
for this)
Comment 6 Matthias Dieter Wallnöfer 2008-12-29 12:20:33 UTC
In autumn we've worked a bit on ACLs (especially NULL DACLs). Maybe this has improved. Are you still able to reproduce this?
Comment 7 Matthieu Patou 2009-06-21 04:36:32 UTC
I tested today with both ADCU standard snap-in for group policy and with the gpmc snap-in.

Both no longer report the problem, but the difference in rights still exists.
I guess that the provision script should be modified to add the correct NT ACL; that's gonna be fun ...

I vote for leaving this bug open.
Comment 8 Matthias Dieter Wallnöfer 2009-06-27 09:28:07 UTC
Is someone interested in investigating this (to find the correct ACL) and writing a patch for the *.ldif files under "setup/"?
Comment 9 Matthieu Patou 2009-06-27 11:37:29 UTC
Matthias: in my view the problem does not lie in the LDIF files but in the ACLs of the folders, which do not match the ACL, because the provision script does a simple mkdir for the policy folders.
The solution is to change the ACL of the folder just after the mkdir.
I am currently working on a setntacl program that would allow doing so ...
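The check comment 5 describes (GPMC comparing the SYSVOL directory's DACL with the nTSecurityDescriptor held in AD) and the fix comment 9 proposes (writing the conforming ACL onto the policy folder right after mkdir) are shown below as an added Python example. It is not part of this bug report or of Samba's code: it works on SDDL strings only, the sample descriptors are constructed illustrative values rather than Samba's real provisioning defaults, and reading the live descriptors from LDAP or the filesystem is left out.

```python
"""Compare a GPO's DACL as stored in AD (nTSecurityDescriptor, rendered as
SDDL) with the DACL found on its SYSVOL directory, and rebuild the DACL
string that would make the directory conform.  Added example; the SDDL
samples below are constructed, not Samba's real provisioning values."""
import re
from dataclasses import dataclass

# Two-letter SDDL access-right codes and their access-mask bits
# (generic, standard and the common file-access combinations).
RIGHT_CODES = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}


@dataclass(frozen=True, order=True)
class Ace:
    ace_type: str  # "A" allow, "D" deny, ...
    flags: str     # inheritance flags, normalised to sorted two-letter codes
    rights: int    # access mask
    sid: str       # trustee as written: SID string or alias (DA, SY, AU, ...)


def rights_mask(text):
    """Turn an SDDL rights field (hex, decimal or letter codes) into a mask."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    if text.isdigit():
        return int(text)
    if len(text) % 2:
        raise ValueError("malformed rights field %r" % text)
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHT_CODES:
            raise ValueError("unknown rights code %r" % code)
        mask |= RIGHT_CODES[code]
    return mask


def _norm_flags(flags):
    # "CIOI" and "OICI" mean the same thing; sort the two-letter codes.
    return "".join(sorted(flags[i:i + 2] for i in range(0, len(flags), 2)))


def parse_dacl(sddl):
    """Return the set of ACEs in the D: section of an SDDL string.

    Object/inherited-object GUID fields are ignored and the SACL (S:) is
    not examined; that is all the SYSVOL/AD comparison needs."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section in SDDL")
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE %r" % body)
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields
        aces.add(Ace(ace_type, _norm_flags(flags), rights_mask(rights), sid))
    return aces


def dacl_diff(ad_sddl, sysvol_sddl):
    """ACEs present in AD but not on the directory, and vice versa."""
    ad, fs = parse_dacl(ad_sddl), parse_dacl(sysvol_sddl)
    return {"missing_on_sysvol": ad - fs, "extra_on_sysvol": fs - ad}


def is_consistent(ad_sddl, sysvol_sddl):
    d = dacl_diff(ad_sddl, sysvol_sddl)
    return not d["missing_on_sysvol"] and not d["extra_on_sysvol"]


def ace_to_sddl(ace):
    return "(%s;%s;0x%08x;;;%s)" % (ace.ace_type, ace.flags, ace.rights, ace.sid)


def conforming_dacl(ad_sddl):
    """The DACL string to apply to the SYSVOL directory so it matches AD,
    i.e. what a provision step would set right after mkdir."""
    control = re.search(r"D:([A-Z]*)", ad_sddl).group(1)
    return "D:" + control + "".join(ace_to_sddl(a) for a in sorted(parse_dacl(ad_sddl)))


# Constructed sample descriptors (shape of a GPO descriptor, illustrative values).
AD_SDDL = ("O:DAG:DAD:P"
           "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
# The same DACL read back from SYSVOL with one entry deleted (the repro in comment 5).
SYSVOL_MISSING_ACE = AD_SDDL.replace("(A;OICI;0x001200a9;;;AU)", "")
# The same DACL with rights as letter codes and flags reordered; must still match.
SYSVOL_LETTER_CODES = ("O:DAG:DAD:P"
                       "(A;CIOI;FA;;;DA)(A;CIOI;FA;;;EA)(A;IOCIOI;FA;;;CO)"
                       "(A;CIOI;FA;;;SY)(A;CIOI;FRFX;;;AU)(A;CIOI;FRFX;;;ED)")

if __name__ == "__main__":
    for name, fs in (("missing ACE", SYSVOL_MISSING_ACE),
                     ("letter codes", SYSVOL_LETTER_CODES)):
        print(name, "consistent:", is_consistent(AD_SDDL, fs))
        for key, aces in dacl_diff(AD_SDDL, fs).items():
            for ace in sorted(aces):
                print("  %s: %s" % (key, ace_to_sddl(ace)))
    print("apply after mkdir:", conforming_dacl(AD_SDDL))
```

The comparison normalises rights (hex versus letter codes) and inheritance-flag order before diffing, so two descriptors that only differ in spelling are reported as consistent, while a single deleted ACE is named precisely; the `D:` string that `conforming_dacl` returns is the value a provisioning step would hand to a `setntacl`-style tool on the freshly created policy folder.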
Comment 10 Matthias Dieter Wallnöfer 2009-08-07 11:03:12 UTC
Matthieu, did you do some additional research on a "setntacl" tool?
Or maybe we should just use the "libcli" python bindings in the provision script. Maybe I'll also have a look at this.
Comment 11 Matthieu Patou 2009-10-11 10:45:52 UTC
Part of the problem lies in bug 6756
Comment 12 Matthieu Patou 2010-01-30 08:38:51 UTC
This problem has been solved starting from changeset 3471d3677a781e6a03e1a8010946aa82ad7aad83; Samba4 now correctly supports ACLs on GPO objects and the files associated with GPOs.

Can be closed.
Comment 13 Matthias Dieter Wallnöfer 2010-01-31 03:56:26 UTC
Marking as "FIXED". Thanks for your cooperation, ekacnet!