ntacl sysvolreset does not create correct ACLs
Andrew Bartlett
abartlet at samba.org
Thu Oct 25 17:24:05 MDT 2012
On Fri, 2012-10-26 at 10:16 +1100, Andrew Bartlett wrote:
> On Sun, 2012-10-14 at 11:47 +0200, steve wrote:
> > Hi I posted this problem on the samba list but did not get a reply. Can
> > anyone here help/comment to clarify the situation?
> > Thanks,
> > Steve
> > --------------------------
> > <message sent to samba list>
> > Hi
> > Version 4.1.0pre1-GIT-957f9fa
> > openSUSE 12.2
> >
> > After running samba-tool ntaclreset these are the ACEs produced:
> > getfacl sysvol/
> > # file: sysvol/
> > # owner: root
> > # group: wheel
> > # flags: s--
> > user::rwx
> > user:root:rwx
> > group::r--
> > group:wheel:r--
> > group:3000000:r--
> > group:3000001:r--
> > group:3000002:r--
> > mask::rwx
> > other::---
> >
> > I got the group names from wbinfo. The group numbers correspond to:
> > 3000000 BUILTIN\Server Operators 4
> > 3000001 NT AUTHORITY\SYSTEM 5
> > 3000002 NT AUTHORITY\Authenticated Users 5
> >
> > Problem: GPOs do not work. I think this is due to the r-- only ACE.
> > Users, authenticated or not, do not have access to sysvol to be able to
> > read the GPOs because of the r--
> > I changed the ACL by adding an r-x and rwx after comparing what a
> > working installation on Ubuntu gave:
> > # file: usr/local/samba/var/locks/sysvol/
> > # owner: root
> > # group: wheel
> > # flags: s--
> > user::rwx
> > user:root:rwx
> > group::r-x
> > group:wheel:r-x
> > group:3000000:r-x
> > group:3000001:rwx
> > group:3000002:r-x
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:group::r-x
> > default:group:3000000:r-x
> > default:group:3000001:rwx
> > default:group:3000002:r-x
> > default:mask::rwx
> > default:other::---
> >
> > and now the GPOs work again. However, running sysvolreset returns the
> > ACL to the r-- state.
>
> To help me chase down other related issues, after the sysvolreset, does
> 'samba-tool ntacl sysvolcheck' pass for you?
>
> That is, even if the ACL is wrong (not allowing clients to access it),
> what does sysvolcheck report?
>
> > I tested this on Ubuntu where sysvolreset works fine, producing r-x and
> > rwx ACEs in the correct place. I think the problem must be distro
> > specific. Works for Ubuntu, not for openSUSE.
> >
> > Is there something in the script which makes it distro dependent? I
> > notice Ubuntu uses different owning groups (adm Ubuntu, wheel, openSUSE)?
>
> Perhaps the running umask?
>
> Try running 'umask 000' before running 'samba-tool ntacl sysvolreset',
> and see if it helps. The code being run expects to run inside smbd,
> which has always set this umask, and I may have to add this to the
> script.
I should note that the umask of your shell/terminal is a
security-sensitive parameter. You probably want to run:
umask 022
once you are done, as otherwise files you create in that session may be
world readable or writable, against your expectations. See
https://en.wikipedia.org/wiki/Umask
Run 'umask' to see your current umask value.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
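The umask point above, as an added example that is not part of the thread and not Samba's own code: the script below shows how the same file-creating command produces world-writable or group/other-restricted objects depending on the shell umask, and wraps the permissive umask in a subshell so it never outlives the one command. `touch` and `mkdir` stand in for `samba-tool ntacl sysvolreset`; the helper names (`run_with_umask`, `created_mode`, `mode_of`) are this example's own. It relies only on POSIX shell utilities (`ls -ld` is used instead of `stat`, whose flags differ between GNU and BSD).

```shell
#!/bin/sh
# Added example (not from the thread): show how the shell umask changes the
# mode of files and directories created by a command, and how to run a
# command under a permissive umask without leaving the session with it.
set -u

# run_with_umask UMASK CMD...: run CMD in a subshell with the given umask.
# The parent shell's umask is untouched when the subshell exits, so
#   run_with_umask 000 samba-tool ntacl sysvolreset
# does not require a manual 'umask 022' afterwards.
run_with_umask() {
    _um=$1; shift
    ( umask "$_um" && "$@" )
}

# mode_of PATH: the ten-character mode field of 'ls -ld', e.g. "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# created_mode UMASK KIND: create a file or directory under UMASK inside a
# fresh temporary directory and print the mode it ended up with.
created_mode() {
    _um=$1 _kind=$2
    _tmp=$(mktemp -d) || return 1
    case $_kind in
        file) run_with_umask "$_um" touch "$_tmp/probe" ;;
        dir)  run_with_umask "$_um" mkdir "$_tmp/probe" ;;
        *)    rm -rf "$_tmp"; return 2 ;;
    esac
    mode_of "$_tmp/probe"
    rm -rf "$_tmp"
}

# Demonstration: identical commands, different umasks, session umask unchanged.
demo() {
    echo "shell umask before: $(umask)"
    echo "umask 000 dir : $(created_mode 000 dir)"    # drwxrwxrwx
    echo "umask 022 dir : $(created_mode 022 dir)"    # drwxr-xr-x
    echo "umask 000 file: $(created_mode 000 file)"   # -rw-rw-rw-
    echo "umask 022 file: $(created_mode 022 file)"   # -rw-r--r--
    echo "shell umask after:  $(umask)"   # same as before: 000 ran in a subshell
}

demo
```

The 000 runs show why a forgotten permissive umask matters: every directory created for the rest of the session would be world-writable. Wrapping the one command that needs it in a subshell, as `run_with_umask` does, gives the same effect as the 'umask 000' / 'umask 022' pair in the message above without the risk of skipping the second step.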