ntacl sysvolreset does not create correct ACLs

Andrew Bartlett abartlet at samba.org
Thu Oct 25 17:16:07 MDT 2012


On Sun, 2012-10-14 at 11:47 +0200, steve wrote:
> Hi, I posted this problem on the samba list but did not get a reply. Can 
> anyone here help/comment to clarify the situation?
> Thanks,
> Steve
> --------------------------
> <message sent to samba list>
> Hi
> Version 4.1.0pre1-GIT-957f9fa
> openSUSE 12.2
> 
> After running samba-tool ntaclreset, these are the ACEs produced:
> getfacl sysvol/
> # file: sysvol/
> # owner: root
> # group: wheel
> # flags: s--
> user::rwx
> user:root:rwx
> group::r--
> group:wheel:r--
> group:3000000:r--
> group:3000001:r--
> group:3000002:r--
> mask::rwx
> other::---
> 
> I got the group names from wbinfo. The group numbers correspond to:
> 3000000 BUILTIN\Server Operators 4
> 3000001 NT AUTHORITY\SYSTEM 5
> 3000002 NT AUTHORITY\Authenticated Users 5
> 
> Problem: GPOs do not work. I think this is due to the r-- only ACE. 
> Users, authenticated or not, do not have access to sysvol to be able to 
> read the GPOs because of the r--.
> I changed the ACL by adding an r-x and rwx after comparing what a 
> working installation on Ubuntu gave:
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: wheel
> # flags: s--
> user::rwx
> user:root:rwx
> group::r-x
> group:wheel:r-x
> group:3000000:r-x
> group:3000001:rwx
> group:3000002:r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:group::r-x
> default:group:3000000:r-x
> default:group:3000001:rwx
> default:group:3000002:r-x
> default:mask::rwx
> default:other::---
> 
> and now the GPOs work again. However, running sysvolreset returns the 
> ACL to the r-- state.

To help me chase down other related issues, after the sysvolreset, does
'samba-tool ntacl sysvolcheck' pass for you?

That is, even if the ACL is wrong (not allowing clients to access it),
what does sysvolcheck report?

> I tested this on Ubuntu where sysvolreset works fine, producing r-x and 
> rwx ACEs in the correct place. I think the problem must be distro 
> specific. Works for Ubuntu, not for openSUSE.
> 
> Is there something in the script which makes it distro dependent? I 
> notice Ubuntu uses different owning groups (adm Ubuntu, wheel, openSUSE)?

Perhaps the running umask?

Try running 'umask 000' before running 'samba-tool ntacl sysvolreset',
and see if it helps.  The code being run expects to run inside smbd,
which has always set this umask, and I may have to add this to the
script. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
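As an added example (not code from this thread, from Steve, or from Samba), the following POSIX sh script performs the kind of check the reply asks about: it reads `getfacl` output for a directory and flags every access-ACL group entry that lacks read+execute, which is the `r--` symptom that stops clients from listing and traversing the GPO directories. The two embedded listings are the broken openSUSE and working Ubuntu outputs quoted above, included as constructed input so the script runs offline; the requirement that each group entry carry `r-x` is taken from the working Ubuntu listing and is an assumption of the example, not something `samba-tool ntacl sysvolcheck` is documented here to test.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: flag group entries in
# getfacl output that lack r-x on a sysvol directory. The two samples are the
# listings quoted in the thread, embedded as constructed input.

# Broken listing after 'samba-tool ntacl sysvolreset' on openSUSE (from the thread).
broken_sample() {
cat <<'EOF'
# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:3000000:r--
group:3000001:r--
group:3000002:r--
mask::rwx
other::---
EOF
}

# Working listing from the Ubuntu installation (from the thread).
working_sample() {
cat <<'EOF'
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r-x
group:wheel:r-x
group:3000000:r-x
group:3000001:rwx
group:3000002:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000002:r-x
default:mask::rwx
default:other::---
EOF
}

# check_dir_acl: read getfacl text on stdin, print every access-ACL group entry
# that is missing r or x, and return the number of such entries (0 = pass).
# Default entries are skipped: they describe what new children will inherit,
# not who can list and traverse this directory now.
check_dir_acl() {
    weak=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|default:*) continue ;;
        esac
        tag=${line%%:*}          # user / group / mask / other
        rest=${line#*:}
        perms=${rest#*:}         # last field, e.g. r-x
        if [ "$tag" = group ]; then
            case "$perms" in
                r?x) ;;          # read and traverse both present
                *) echo "weak group entry: $line"; weak=$((weak + 1)) ;;
            esac
        fi
    done
    return "$weak"
}

# Stand-alone run: report on both samples.
for s in broken_sample working_sample; do
    echo "== $s"
    if $s | check_dir_acl; then
        echo "ok: every group entry has r-x"
    else
        echo "fail: $? weak group entries"
    fi
done
```

To check a live share, replace the sample function with `getfacl /path/to/sysvol | check_dir_acl`; a non-zero return means at least one group entry would deny listing or traversal to its members.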