Solved Samba4 - sysvol is inaccessible; ACL at fault?


I've got a FreeBSD 11.2 system running Samba 4.8.4 as a DC. I recently noticed our group policy wasn't being pushed out, and with no major changes to the configuration file I assume this was due to an update to 4.8 I did a few weeks back. Ultimately I found out that sysvol (and anything below that) isn't accessible.

Looking around at several other posts, it appears that the first step to resolve this is to check that the ACLs are set correctly by running samba-tool ntacl sysvolreset. However, when I run this, I see this error:

    ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Your filesystem
    or build does not support ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.

What's strange is that the sysvol is mounted with the 'acl' option:

    # mount | grep sysvol
    /dev/zvol/zr/samba4sysvol on /var/db/samba4/sysvol (ufs, local, acls)

    # zfs get aclmode,aclinherit zr
    zr    aclmode     passthrough    local
    zr    aclinherit  passthrough    local

    # zfs get aclmode,aclinherit zr/var
    zr/var  aclmode     passthrough    inherited from zr
    zr/var  aclinherit  passthrough    inherited from zr

So, why does samba-tool not detect the ACL support? Is there something else I'm missing?

p.s. - Apologies if this should be in the storage section instead, I'm not sure where exactly the error lies.

Edit: I noticed that this only affects our Windows 10 PCs, and not Windows 7. I'll do some more verbose debugging over the weekend to try and figure out why it's just them.

Edit2: I'm not sure how it happened, but it turns out the unix permissions were incorrect. Ultimately ran chmod -R o+rx /var/db/samba4/sysvol to fix it.
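A read-only check for the condition described in Edit2, added here as an example and not part of the original post: it lists what is missing the "other" permission bits under a sysvol tree before any chmod is run. The function name `audit_other_access` is hypothetical, and the rule it applies (directories need o+rx, regular files need o+r) is an assumption drawn from the fix the post reports.

```shell
#!/bin/sh
# Added example: audit a tree for entries that "other" cannot reach.
# Assumption (from the post's fix): directories need o+rx, files need o+r.

# audit_other_access ROOT
#   prints one offending path per line
#   returns 0 if the tree is clean, 1 if anything was found, 2 on bad input
audit_other_access() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_other_access: not a directory: $root" >&2
        return 2
    fi
    # -perm -005 matches only when BOTH o+r and o+x are set, so the
    # negation catches directories missing either bit.
    found=$(
        find "$root" -type d ! -perm -005 -print
        find "$root" -type f ! -perm -004 -print
    )
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /var/db/samba4/sysvol
if [ $# -gt 0 ]; then
    audit_other_access "$1"
fi
```

Nothing is modified by the check; an empty result with exit status 0 means the mode bits are not what is blocking access.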