Environment
Novell Open Enterprise Server 2018 SP1
Novell Open Enterprise Server 2018
Novell Open Enterprise Server 2015 SP1
Novell Open Enterprise Server 11.1 (oes11sp1)
Novell Open Enterprise Server 2sp3 (oes2sp3)
Domain Services for Windows
DSfW
Situation
Users cannot log in to the domain; they receive a permissions error
Cannot manage Group Policy Objects (GPOs)
As Administrator, no rights to modify a GPO
The ACLs on /var/opt/novell/xad/sysvol are missing or incorrect.
Resolution
View the ACLs with the getfacl utility. The command to display the ACLs on a folder or file is getfacl <folder or file>
example:
getfacl /var/opt/novell/xad/sysvol
Common parameters for setting ACLs with setfacl:
u: for user
g: for group
m: for mask
o: for other
d:u: for default user
d:g: for default group
d:m: for default mask
d:o: for default other
Switches to use:
-m to modify
-R for recursive
-x to remove
Example of recursively granting the user "administrator" and the default group "domain admins" rwx on the sysvol:
setfacl -Rm u:administrator:rwx,d:g:"domain admins":rwx /var/opt/novell/xad/sysvol
If the administrator cannot create a GPO, or users cannot access a GPO, check that the ACLs are correct on both the sysvol and the sysvol/sysvol directories.
The output of getfacl should look something like this for /var/opt/novell/xad/sysvol:
# file: sysvol/
# owner: administrator
# group: domain\040admins
user::rwx
group::r-x
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:group:group\040policy\040creator\040owners:rwx
default:mask::rwx
default:other::---
The output of getfacl for /var/opt/novell/xad/sysvol/sysvol and all child files and directories should look something like this:
# file: /var/opt/novell/xad/sysvol/sysvol/
# owner: administrator
# group: domain\040admins
user::rwx
group::r-x
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
group:group\040policy\040creator\040owners:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:group:group\040policy\040creator\040owners:rwx
default:mask::rwx
default:other::---
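The comparison described above can be scripted. The following is an added example, not part of this TID or of the DSfW scripts: it hard-codes the owner, group and ACL entries expected on sysvol/sysvol from the listing above, reads a getfacl listing, and prints each entry that is missing or has different permissions. The function name, the script name and the constructed sample listing are this example's own.

```shell
#!/bin/sh
# Added example, not part of this TID or of the DSfW scripts: compare a getfacl
# listing of sysvol/sysvol with the owner, group and ACL entries the article
# expects, printing each entry that is missing or has different permissions.
# On a DSfW server (script name is this example's own choice):
#   getfacl /var/opt/novell/xad/sysvol/sysvol > /tmp/sysvol.acl
#   sh check_sysvol_acl.sh /tmp/sysvol.acl

# Expected values in getfacl's own notation (spaces in names print as \040).
# Single quotes keep the backslashes literal.
EXPECTED_OWNER='administrator'
EXPECTED_GROUP='domain\040admins'
EXPECTED_ENTRIES='user::rwx
group::r-x
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
group:group\040policy\040creator\040owners:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:group:group\040policy\040creator\040owners:rwx
default:mask::rwx
default:other::---'

# field_after LISTING PREFIX: print what follows the first line of LISTING that
# starts with PREFIX (nothing if none). printf rather than echo, because some
# shells' echo would turn \040 into a space.
field_after() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "$2"*) printf '%s' "${line#"$2"}"; break ;;
        esac
    done
}

# check_sysvol_acl: read a getfacl listing on stdin, print one line per
# discrepancy, return 0 only when owner, group and every entry are correct.
check_sysvol_acl() {
    listing=$(cat)
    problems=0
    have=$(field_after "$listing" '# owner: ')
    if [ "$have" != "$EXPECTED_OWNER" ]; then
        printf 'OWNER    is "%s", expected "%s"\n' "$have" "$EXPECTED_OWNER"
        problems=$((problems + 1))
    fi
    have=$(field_after "$listing" '# group: ')
    if [ "$have" != "$EXPECTED_GROUP" ]; then
        printf 'GROUP    is "%s", expected "%s"\n' "$have" "$EXPECTED_GROUP"
        problems=$((problems + 1))
    fi
    # Entries contain no whitespace or glob characters, so word splitting
    # yields exactly one entry per iteration.
    for want in $EXPECTED_ENTRIES; do
        principal=${want%:*}     # e.g. group:domain\040admins, or mask: for mask::rwx
        perms=${want##*:}        # e.g. rwx
        have=$(field_after "$listing" "$principal:")
        if [ -z "$have" ]; then
            printf 'MISSING  %s\n' "$want"
            problems=$((problems + 1))
        elif [ "$have" != "$perms" ]; then
            printf 'WRONG    %s: has %s, expected %s\n' "$principal" "$have" "$perms"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample (not real output): the article's listing with the
# "domain admins" access entry demoted to r-x and the default entry for
# "group policy creator owners" absent.
SAMPLE_BAD_LISTING='# file: /var/opt/novell/xad/sysvol/sysvol/
# owner: administrator
# group: domain\040admins
user::rwx
group::r-x
group:domain\040admins:r-x
group:domain\040users:r-x
group:domain\040computers:r-x
group:group\040policy\040creator\040owners:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---'

# With a file argument, check that saved listing; otherwise check the sample.
if [ $# -ge 1 ]; then
    check_sysvol_acl < "$1"
else
    printf '%s\n' "$SAMPLE_BAD_LISTING" | check_sysvol_acl
fi && printf 'sysvol ACLs are correct\n' || printf 'sysvol ACLs need repair\n'
```

Against the constructed sample the script reports one WRONG line for the "domain admins" access entry and one MISSING line for the default "group policy creator owners" entry; a listing that matches the article produces no output and exit status 0, which makes the function usable from a monitoring job.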
For configurations where /var is on its own file system partition, /etc/fstab must list acl and user_xattr among the mount options (4th column), separated by a comma with no space between them.
example:
/dev/sda4 /var ext3 acl,user_xattr 1 1
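The following is an added example, not part of this TID: a small awk-based check that reads an fstab file, finds the entry for a given mount point and reports whether the acl and user_xattr options are present. It also flags an entry whose options contain a space (such as "acl, user_xattr"), because that shifts the dump and pass fields and leaves the file system mounted without the options. The function name and the constructed sample fstab are this example's own.

```shell
#!/bin/sh
# Added example, not from this TID: check whether the fstab entry for a mount
# point carries the acl and user_xattr mount options.
# Usage: fstab_has_acl_opts FSTAB_FILE MOUNTPOINT   (e.g. /etc/fstab /var)
fstab_has_acl_opts() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $2 == mp {
            found = 1
            # A valid entry has exactly six fields: device mp type options dump pass.
            # "acl, user_xattr" splits into seven and is reported as malformed.
            if (NF != 6) {
                printf("%s: malformed line (%d fields, expected 6): %s\n", mp, NF, $0)
                bad = 1
            }
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) seen[opts[i]] = 1
            missing = ""
            if (!("acl" in seen))        missing = missing " acl"
            if (!("user_xattr" in seen)) missing = missing " user_xattr"
            if (missing != "") {
                printf("%s: missing mount option(s):%s\n", mp, missing)
                bad = 1
            }
            if (!bad) printf("%s: acl and user_xattr present\n", mp)
        }
        END {
            if (!found) { printf("%s: not listed in fstab\n", mp); exit 2 }
            exit bad ? 1 : 0
        }' "$1"
}

# Constructed sample fstab (not a real /etc/fstab): / is fine, /var carries
# the space-after-comma mistake.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample fstab' \
    '/dev/sda1 / ext3 defaults 1 1' \
    '/dev/sda4 /var ext3 acl, user_xattr 1 1' > "$sample"
fstab_has_acl_opts "$sample" /var || printf 'fix the /var entry before relying on sysvol ACLs\n'
rm -f "$sample"
```

On a real server run it as `fstab_has_acl_opts /etc/fstab /var`; when /var is not a separate file system the function reports "not listed in fstab" and the check belongs on the parent mount instead.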
Additional Information
Note: in the output of getfacl, spaces in user and group names are represented as \040.
Below is a script that sets the correct owner, group and ACLs on the sysvol tree:
#!/bin/sh
# Stop on the first failed lookup so that an empty uid or gid is never
# passed to chown or setfacl.
set -eu
# Resolve each DSfW principal to its SID, keeping only the first word of the
# wbinfo -n output (the SID; the SID type follows it), then map the SID to
# the uid (-S) or gid (-Y) that winbind has allocated on this server.
ausid=$(wbinfo -n "administrator" | cut -d' ' -f1)
auuid=$(wbinfo -S "$ausid")
dasid=$(wbinfo -n "domain admins" | cut -d' ' -f1)
dagid=$(wbinfo -Y "$dasid")
dusid=$(wbinfo -n "domain users" | cut -d' ' -f1)
dugid=$(wbinfo -Y "$dusid")
dcsid=$(wbinfo -n "domain computers" | cut -d' ' -f1)
dcgid=$(wbinfo -Y "$dcsid")
gpsid=$(wbinfo -n "group policy creator owners" | cut -d' ' -f1)
gpgid=$(wbinfo -Y "$gpsid")
# The xad state directory, normally /var/opt/novell/xad.
localstatedir=$(/opt/novell/xad/share/dcinit/printConfigKey.pl "LIVE_LOCALSTATEDIR")
# Owner administrator, group "domain admins", on the whole tree.
chown -R "$auuid:$dagid" "$localstatedir/sysvol"
# Everything below sysvol: access and default entries, including rwx for
# "group policy creator owners".
setfacl -Rm u::rwx,g::r-x,g:"$dagid":rwx,g:"$dugid":r-x,g:"$dcgid":r-x,g:"$gpgid":rwx,m::rwx,d:u::rwx,d:g::r-x,d:g:"$dagid":rwx,d:g:"$dugid":r-x,d:g:"$dcgid":r-x,d:g:"$gpgid":rwx,d:m::rwx "$localstatedir"/sysvol/*
# The sysvol directory itself gets the same entries, but "group policy creator
# owners" only as a default entry (matching the expected getfacl output above).
setfacl -m u::rwx,g::r-x,g:"$dagid":rwx,g:"$dugid":r-x,g:"$dcgid":r-x,m::rwx,d:u::rwx,d:g::r-x,d:g:"$dagid":rwx,d:g:"$dugid":r-x,d:g:"$dcgid":r-x,d:g:"$gpgid":rwx,d:m::rwx "$localstatedir/sysvol"
#End of script