Web lists-archives.com

Re: [Samba] sysvol files - 'The data area passed to a system call is too small'




On Sun, 29 Apr 2018 10:03:22 +0530
Anantha Raghava via samba <samba@xxxxxxxxxxxxxxx> wrote:

> HI,
> 
> We have done something similar using inotify. On the DC1. we watch
> the "/usr/local/samba/var/locks/sysvol" folder and if there is any
> change, (add, modify or delete), we run "samba-tool ntacl
> sysvolreset" and we push those changes to other DCs using rsync. We
> have created a shell script that is put in rc.local so that this
> starts even if the server reboots.
> 
> We chose to run "samba-tool ntacl sysvolreset" as we find that
> whenever there is a change in GPO, the acls change resulting GPO
> errors. We never had this problem in 4.6.x version but starting 4.7,
> (even in 4.8) this problem is persistent. Why actually this happens,
> is what we are wondering. We are still unable to figure it out. Also,
> we find that in a large network, many a times, we find that GPO
> (particularly Computer Policies) do not get applied on many Members.
> Each time, this happens, we find that sysvol acls are changed and
> there is an error. Surprising part is, without changing anything on
> the Domain Controllers or resetting acls on sysvols, for the same
> user, on a different workstation, the Policies gets applied.
> 
> Any pointers to get this working properly is welcome.
> 

The problem with sysvolreset is that once you get past the two default
GPOs, it trashes the correct ACLs set when you add them on Windows. It
is further compounded if you have given Domain Admins a gidNumber.
I should also point out that Samba has never used the same ACLs that
windows uses.

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba