Security Vulnerability - DSfW non-administrative domain users have all rights to new Group Policy Objects

  • 7009567
  • 14-Oct-2011
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
Domain Services for Windows

Situation

- A DSfW domain hosted by one or more OES2 SP3 domain controllers

- Non-default Group Policy Objects created

- A non-administrative domain user (member of the Domain Users group) logged in to the OES2 SP3 DSfW domain from a Windows Vista/XP workstation, OR a non-administrative domain user (member of the Domain Users group) logged in to an OES2 SP3 DSfW domain controller directly via the console or via SSH

- The user can browse to the Policies folder under Sysvol and can create new files or delete and edit existing ones under the respective GPO folders, OR the user can go to the sysvol directory on the domain controller and create new files or delete and edit existing ones there. For instance, with a domain name of 'rdm.nts.com' the GPO directories would be found under '/var/opt/novell/xad/sysvol/sysvol/rdm.nts.com/Policies/' and are identified by their respective RIDs

- No changes under the Default Domain Policy are allowed

- The same problem is not seen if users are logged in to domain controllers running OES2 SP2

Resolution

With OES2 SP3, the default directory mask for the sysvol share was changed to 770, which grants full rights (read, write and execute) to the owning group. Since the files under the respective GPO directories are owned by the "Domain Users" group, this change effectively allows every member of the Domain Users group to create new files as well as delete and edit existing ones.

To resolve this problem for existing GPOs, remove the write right for the group using the 'setfacl' command. Please take a backup of the 'Policies' directory before making the changes below.

For instance, with a domain name of 'rdm.nts.com', the command is the following:

setfacl -R -m g::r-x /var/opt/novell/xad/sysvol/sysvol/rdm.nts.com/Policies/

Note that this command needs to be run on the PDC as well as all the ADCs.


To prevent this problem from happening on any newly created GPO objects, please follow the steps listed below on the Primary Domain Controller. Please take a backup of the 'smb.conf' file before making the changes below.

- Edit the /etc/samba/smb.conf file and change the directory mask permissions to 750 in the section 'sysvol'. Also remove the line with the 'create mask'.

Original smb.conf

[sysvol]
.............................
create mask = 770
directory mask = 770

Fixed smb.conf

[sysvol]
.............................
directory mask = 750

- Run 'xadcntrl reload' OR 'rcsmb restart' so that the new settings take effect


To prevent this problem from happening on any newly created GPO objects, please follow the steps listed below on all Additional Domain Controllers. Please take a backup of the 'smb.conf' file before making the changes below.

- Edit the /etc/samba/smb.conf file and change the directory mask permissions to 750 in the section 'sysvol'. Also remove the line with the 'create mask'.

Original smb.conf

[sysvol]
.............................
create mask = 770
directory mask = 770

[sysvol-msdfs]
.............................
create mask = 770
directory mask = 770


Fixed smb.conf

[sysvol]
.............................
directory mask = 750

[sysvol-msdfs]
.............................
directory mask = 750


- Run 'xadcntrl reload' OR 'rcsmb restart' so that the new settings take effect
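The following audit script is an added example, not code from Novell or from this TID. It checks a Policies tree for group-writable entries (the symptom described under Situation) and scans smb.conf text for the 770 masks that the steps above remove. It runs against a constructed temporary tree and a constructed smb.conf fragment, and uses chmod instead of the TID's setfacl so it can run where ACL tools are absent; on a real domain controller, run the setfacl command given under Resolution.

```shell
#!/bin/sh
# Audit helpers for the sysvol permission problem this TID describes.
# Added example, not Novell's code: it builds a constructed directory tree
# (not a real sysvol) and uses chmod where the TID uses setfacl.

# List every entry under $1 whose group-owner has the write bit (mode bit 020).
find_group_writable() {
    find "$1" -perm -020
}

# Number of group-writable entries; 0 means the tree is locked down.
count_group_writable() {
    find_group_writable "$1" | wc -l | tr -d ' '
}

# Drop group write recursively (chmod stand-in for the TID's
# "setfacl -R -m g::r-x"; the TID's command is what belongs on a real DC).
remove_group_write() {
    chmod -R g-w "$1"
}

# Report "create mask" / "directory mask" set to 770 inside the [sysvol] or
# [sysvol-msdfs] sections of an smb.conf read from stdin.
weak_sysvol_masks() {
    awk '
        /^[ \t]*\[/ { section = $1 }
        section ~ /^\[sysvol(-msdfs)?\]$/ &&
        $1 ~ /^(create|directory)$/ && $2 == "mask" && $3 == "=" && $4 == "770" {
            print section ": " $1 " " $2 " = " $4
        }'
}

# Constructed sample tree: gpo-a carries the 770 mask the TID warns about,
# gpo-b is already at 750/640. Prints the temporary directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/Policies/gpo-a/Machine" "$d/Policies/gpo-b/Machine"
    printf 'sample\n' > "$d/Policies/gpo-a/GPT.INI"
    printf 'sample\n' > "$d/Policies/gpo-b/GPT.INI"
    chmod 750 "$d/Policies" "$d/Policies/gpo-b" "$d/Policies/gpo-b/Machine"
    chmod 640 "$d/Policies/gpo-b/GPT.INI"
    chmod 770 "$d/Policies/gpo-a" "$d/Policies/gpo-a/Machine" "$d/Policies/gpo-a/GPT.INI"
    printf '%s\n' "$d"
}

# Constructed smb.conf fragment with the weak masks (not a real DC's file).
sample_smb_conf() {
    printf '%s\n' '[global]' '   ; unrelated settings omitted' \
        '[sysvol]' '   create mask = 770' '   directory mask = 770' \
        '[sysvol-msdfs]' '   directory mask = 750'
}
```

Point find_group_writable at the real Policies directory of a DC to list what a Domain Users member could currently modify, and feed /etc/samba/smb.conf to weak_sysvol_masks to confirm the mask lines were removed on every controller.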