ntacl sysvolreset does not create correct ACL's

Andrew Bartlett abartlet at samba.org
Thu Oct 25 17:24:05 MDT 2012


On Fri, 2012-10-26 at 10:16 +1100, Andrew Bartlett wrote:
> On Sun, 2012-10-14 at 11:47 +0200, steve wrote:
> > Hi I posted this problem on the samba list but did not get a reply. Can 
> > anyone here help/comment to clarify the situation?
> > Thanks,
> > Steve
> > --------------------------
> > <message sent to samba list>
> > Hi
> > Version 4.1.0pre1-GIT-957f9fa
> > openSUSE 12.2
> > 
> > After running samba-tool ntaclreset These are the ACE's produced:
> > getfacl sysvol/
> > # file: sysvol/
> > # owner: root
> > # group: wheel
> > # flags: s--
> > user::rwx
> > user:root:rwx
> > group::r--
> > group:wheel:r--
> > group:3000000:r--
> > group:3000001:r--
> > group:3000002:r--
> > mask::rwx
> > other::---
> > 
> > I got the group names from wbinfo. The group numbers correspond to:
> > 3000000 BUILTIN\Server Operators 4
> > 3000001 NT AUTHORITY\SYSTEM 5
> > 3000002 NT AUTHORITY\Authenticated Users 5
> > 
> > Problem: GPO's do not work. I think this is due to the r-- only ACE. 
> > Users, authenticated or not do not have access to sysvol to be able to 
> > read the GPO's because of the r--
> > I changed the ACL by adding an r-x and rwx after comparing what a 
> > working installation on Ubuntu gave:
> > # file: usr/local/samba/var/locks/sysvol/
> > # owner: root
> > # group: wheel
> > # flags: s--
> > user::rwx
> > user:root:rwx
> > group::r-x
> > group:wheel:r-x
> > group:3000000:r-x
> > group:3000001:rwx
> > group:3000002:r-x
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:group::r-x
> > default:group:3000000:r-x
> > default:group:3000001:rwx
> > default:group:3000002:r-x
> > default:mask::rwx
> > default:other::---
> > 
> > and now the GPO's work again. However, running sysvolreset returns the 
> > ACL to the r-- state.
> 
> To help me chase down other related issues, after the sysvolreset, does
> 'samba-tool ntacl sysvolcheck' pass for you?
> 
> That is, even if the ACL is wrong (not allowing clients to access it),
> what does sysvolcheck report?
> 
> > I tested this on Ubuntu where sysvolreset works fine, producing r-x and 
> > rwx ACE's in the correct place. I think the problem must be distro 
> > specific. Works for Ubuntu, not for openSUSE.
> > 
> > Is there something in the script which makes it distro dependent? I 
> > notice Ubuntu uses different owning groups (adm Ubuntu, wheel, openSUSE)?
> 
> Perhaps the running umask?
> 
> Try running 'umask 000' before running 'samba-tool ntacl sysvolreset',
> and see if it helps.  The code being run expects to run inside smbd,
> which has always set this umask, and I may have to add this to the
> script. 

I should note that the umask of your shell/terminal is a
security-sensitive parameter.  You probably want to run:

umask 022 

once you are done, as otherwise files you create in that session may be
world read or write, against your expectations.  See
https://en.wikipedia.org/wiki/Umask

Run 'umask' to see your current umask value. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
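The umask advice above, as an added example that is not from the thread or from Samba's own code: a small POSIX sh helper that runs a command under a temporary umask inside a subshell (so the interactive shell's umask is untouched afterwards) and shows how the umask alone changes the mode of a freshly created directory. A plain `mkdir` stands in for `samba-tool ntacl sysvolreset`, and the example assumes GNU `stat -c` or BSD `stat -f` is available.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): scope a umask change to
# one command and observe its effect on newly created directories. No
# samba-tool call is made; mkdir stands in for the tool.

# Run "$@" with the umask given as $1. The subshell confines the change, so
# the caller never has to remember to restore its own umask.
with_umask() {
    _mask=$1; shift
    ( umask "$_mask" && "$@" )
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a directory under the given umask and print the mode it ended up
# with. mkdir asks for 0777; the kernel clears the umask bits, so 000 keeps
# rwxrwxrwx (777) while the usual 022 strips group/other write (755).
mode_created_under() {
    _dir=$(mktemp -d)
    with_umask "$1" mkdir "$_dir/sysvol-like"
    mode_of "$_dir/sysvol-like"
    rm -rf "$_dir"
}

# Confirm the caller's umask is the same before and after with_umask.
umask_unchanged_by_with_umask() {
    _before=$(umask)
    with_umask 000 true
    _after=$(umask)
    [ "$_before" = "$_after" ] && echo yes || echo no
}

printf 'current umask: %s\n' "$(umask)"
printf 'dir created under umask 000: %s\n' "$(mode_created_under 000)"
printf 'dir created under umask 022: %s\n' "$(mode_created_under 022)"
printf 'caller umask untouched: %s\n' "$(umask_unchanged_by_with_umask)"
```

Running the real reset as `with_umask 000 samba-tool ntacl sysvolreset` gives the tool the smbd-style umask it expects without leaving the terminal at umask 000 afterwards.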