DSfW sysvol acls are missing or incorrect

  • 7009748
  • 15-Nov-2011
  • 09-Mar-2020

Environment

Novell Open Enterprise Server 2018 SP1
Novell Open Enterprise Server 2018
Novell Open Enterprise Server 2015 SP1
Novell Open Enterprise Server 11.1 (oes11sp1)
Novell Open Enterprise Server 2sp3 (oes2sp3)
Domain Services for Windows
DSfW

Situation

Users can not successfully login to the domain, get permissions error

Can not manage Group Policy Object (GPO)

As Administrator, no rights to modify a GPO
 
/var/opt/novell/xad/sysvol acls are missing or incorrect.

Resolution

View the ACLs by using the getfacl utility.  The command to see the sysvol acls is getfacl <folder or file>
example:
getfacl /var/opt/novell/xad/sysvol

Common parameters for setting facls 
u: for user
g: for group
m: for mask
o: for other
d:u: for default user
d:g: for default group
d:m: for default mask
d:o: for default other

Switches to use:
-m to modify
-R for recursive
-x to remove 

example of recursively setting the user "administrator" and default group "domain admins" with rwx on the sysvol:
setfacl -Rm u:administrator:rwx,d:g:"domain admins":rwx /var/opt/novell/xad/sysvol

If the administrator can not create a GPO or users can not access a GPO, check that the acls are correct on the sysvol and sysvol/sysvol directories
 
The output of getfacl should look something like this for /var/opt/novell/xad/sysvol:
# file: sysvol/ 
# owner: administrator 
# group: domain\040admins 
user::rwx 
group::r-x 
group:domain\040admins:rwx 
group:domain\040users:r-x 
group:domain\040computers:r-x 
mask::rwx 
other::--- 
default:user::rwx 
default:group::r-x 
default:group:domain\040admins:rwx 
default:group:domain\040users:r-x 
default:group:domain\040computers:r-x 
default:group:group\040policy\040creator\040owners:rwx 
default:mask::rwx 
default:other::---
 
The output of getfacl for /var/opt/novell/xad/sysvol/sysvol and all child files and directories should look something like this:
# file: /var/opt/novell/xad/sysvol/sysvol/
# owner: administrator
# group: domain\040admins
user::rwx
group::r-x
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
group:group\040policy\040creator\040owners:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:group:group\040policy\040creator\040owners:rwx
default:mask::rwx
default:other::---

For configurations where the /var is on its own file system partition the /etc/fstab must have
acl, user_xattr listed for the mount options (4th column)
example:
/dev/sda4        /var                ext3        acl, user_xattr      1 1

Additional Information

note: in the output of "getfacl" spaces are represented with \040

Below is a script that will set the correct owner, group, and acls

#!/bin/sh
ausid=`wbinfo -n "administrator"`
auuid=`wbinfo -S $ausid`
dasid=`wbinfo -n "domain admins"`
dagid=`wbinfo -Y $dasid`
dusid=`wbinfo -n "domain users"`
dugid=`wbinfo -Y $dusid`
dcsid=`wbinfo -n "domain computers"`
dcgid=`wbinfo -Y $dcsid`
gpsid=`wbinfo -n "group policy creator owners"`
gpgid=`wbinfo -Y $gpsid`

localstatedir=`/opt/novell/xad/share/dcinit/printConfigKey.pl "LIVE_LOCALSTATEDIR"`

chown -R $auuid:$dagid $localstatedir/sysvol
 
setfacl -Rm u::rwx,g::r-x,g:$dagid:rwx,g:$dugid:r-x,g:$dcgid:r-x,g:$gpgid:rwx,m::rwx,d:u::rwx,d:g::r-x,d:g:$dagid:rwx,d:g:$dugid:r-x,d:g:$dcgid:r-x,d:g:$gpgid:rwx,d:m::rwx $localstatedir/sysvol/*
 
setfacl -m u::rwx,g::r-x,g:$dagid:rwx,g:$dugid:r-x,g:$dcgid:r-x,m::rwx,d:u::rwx,d:g::r-x,d:g:$dagid:rwx,d:g:$dugid:r-x,d:g:$dcgid:r-x,d:g:$gpgid:rwx,d:m::rwx $localstatedir/sysvol

#End of script

Feedback service temporarily unavailable. For content questions or problems, please contact Support.