[Samba] [PATCH] Re: SYSVOL ACLs and GPOs

Alex Matthews qoole.samba at lillimoth.com
Tue Nov 6 13:41:08 MST 2012


On 06/11/2012 11:43, Alex Matthews wrote:
> On 05/11/2012 02:10, Andrew Bartlett wrote:
>> It is certainly very helpful to have this happen with samba-tool.  Can
>> you remind me the history of this domain, is it the upgrade I was trying
>> to suggest you do, or a fresh provision?
>>
>> If you can tell me what provision command-line you run, if it was
>> provisioned with an older version, which branch and git revision that
>> was and what branch and git revision as you running now?
>>
>> I've tried to replicate this in 'make test' but failed (the tests pass).
>> The patch for that is attached for review.
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>
> Ok, I think we've got a bit lost in issues here, so I'll start from 
> the very beginning (I've heard it's a very good place to start).
>
> I have set up two domains:
>
> home.lillimoth.com - a test domain set up on virtual machines at home. 
> This domain has been provisioned from scratch.
> internal.stmaryscollege.co.uk - a production domain at my work place. 
> This domain was migrated from a samba 3 domain.
>
>
> My issue is that when I run gpmc (the group policy management console) 
> on a windows machine (XP or 7) and select a gpo to edit I get the 
> message:
>
> "The permissions for this GPO in the SYSVOL folder are inconsistent 
> with those in Active Directory.
> It is recommended that these permissions be consistent.
> To change the SYSVOL permissions to those in Active Directory, click 
> OK." - Please see: http://support.microsoft.com/kb/828760
>
> This occurs on both domains.
> Clicking 'ok' to the popup should correct the ACLs on the 
> files/folders it believes are incorrect.
> Please note that before clicking 'ok' sysvolcheck passes with no 
> errors however after clicking it would fail with the following error:
>
> "ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
> exception - ProvisioningError: VFS ACL on GPO directory 
> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) 
> does not match expected value 
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) 
> from GPO object"
>
> This suggests that the gpmc did change the ACLs however when 
> reselecting the same GPO it pops up with the same message again!
> Both servers have the correct mount options (user_xattr,acl) and acls 
> work when set manually.
>
> I did some research into what the ACLs should be on the sysvol share 
> and came up with these: http://pastebin.com/sSURWrDf which were taken 
> from a WS2003 machine.
>
> I have not yet attempted to set these on my S4 server but will try 
> that tonight.
>
>
> The issue seems to revolve around:
>     Incorrect initial ACLs on the sysvol share and its subfolders.
>     The inability of the GPMC to correct the issue, suggesting that 
> there is some issue setting ACLs on the sysvol share from a windows 
> client.
>
> There were a couple of issues with samba-tool creating GPOs but I will 
> run through those in an email later this evening when I have had a 
> chance to test them on my test domain.
>
> Thanks,
>
> Alex
>
>

I have just attempted to set the ACL on the sysvol directory using 
samba-tool ntacl set and got the following message:

/usr/local/samba/var/locks# ../../bin/samba-tool ntacl set "D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)" sysvol -d 2
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Unknown flag - FA in FA
Badly formatted SDDL 
'AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)'
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 90, in run
     setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 89, in setntacl
     sd = security.descriptor.from_sddl(sddl, sid)


FA is listed on the Microsoft ACE String page as FILE_ALL_ACCESS 
(http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928(v=vs.85).aspx)

Is it correct that the sddl parser cannot parse FA?

Thanks,

Alex
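The following is an added example, not code from the mail above or from Samba: a small stand-alone SDDL parser that resolves the two-letter access-right aliases from the MSDN "ACE Strings" page cited above (FA, GA, GR, GX, WO and the others, using the documented Windows ACCESS_MASK values) and then diffs the "actual" and "expected" GPO directory descriptors quoted in the sysvolcheck error. The three descriptor strings are the ones that appear in the mail; the diff criterion (ACE type, flags, mask and SID, ignoring order) is an assumption made for this example. One point worth noticing: "FA" is a legal token in two different ACE fields, meaning FILE_ALL_ACCESS in the rights field but FAILED_ACCESS_ACE_FLAG in the flags field, so a parser has to resolve it per field.

```python
"""Minimal SDDL parser and DACL differ.  Added example, not Samba's code:
resolves the MSDN "ACE Strings" access-right aliases (FA, GA, GR, GX, WO,
...) to ACCESS_MASK bits and diffs two descriptors the way sysvolcheck's
"does not match expected value" error implies.  Python 3."""
import re
from collections import Counter, namedtuple

# Access-right aliases -> ACCESS_MASK bits (documented Windows values).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,  # generic
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,  # standard
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,  # file
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,      # DS object
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# ACE flags.  "FA" in *this* field is FAILED_ACCESS_ACE_FLAG (an audit flag),
# unrelated to the FA access right: the same two letters mean different
# things depending on which field they appear in.
ACE_FLAGS = {"CI", "OI", "NP", "IO", "ID", "SA", "FA"}

Ace = namedtuple("Ace", "type flags mask object_guid inherit_guid sid")


def _aliases(field, table, what):
    """Split a field of concatenated two-letter aliases, validating each."""
    out = set()
    for i in range(0, len(field), 2):
        tok = field[i:i + 2]
        if tok not in table:
            raise ValueError("unknown %s alias %r in %r" % (what, tok, field))
        out.add(tok)
    return out


def parse_rights(field):
    """Rights field: a hex ACCESS_MASK or concatenated aliases like GXGR."""
    if field[:2].lower() == "0x":
        return int(field, 16)
    mask = 0
    for tok in _aliases(field, RIGHTS, "access right"):
        mask |= RIGHTS[tok]
    return mask


def parse_ace(text):
    """One ACE body: type;flags;rights;object_guid;inherit_object_guid;sid"""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs six ';'-separated fields: %r" % text)
    ace_type, flags, rights, obj, inh, sid = fields
    return Ace(ace_type, frozenset(_aliases(flags, ACE_FLAGS, "ACE flag")),
               parse_rights(rights), obj, inh, sid)


def parse_acl(text):
    """ACL component: optional flags (P, AR, AI) followed by (ACE) entries."""
    head = text.split("(", 1)[0]
    flags, i = set(), 0
    while i < len(head):
        tok = "P" if head[i] == "P" else head[i:i + 2]
        if tok not in ("P", "AR", "AI"):
            raise ValueError("unknown ACL flag in %r" % head)
        flags.add(tok)
        i += len(tok)
    return flags, [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", text)]


def parse_sddl(sddl):
    """Split the O:/G:/D:/S: components at parenthesis depth 0, then parse."""
    comps, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        c = sddl[i]
        if depth == 0 and c in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key:
                comps[key] = "".join(buf)
            key, buf, i = c, [], i + 2
            continue
        depth += (c == "(") - (c == ")")
        buf.append(c)
        i += 1
    if key:
        comps[key] = "".join(buf)
    return {"owner": comps.get("O", ""), "group": comps.get("G", ""),
            "dacl": parse_acl(comps["D"]) if "D" in comps else None,
            "sacl": parse_acl(comps["S"]) if "S" in comps else None}


def diff_dacl(actual_sddl, expected_sddl):
    """Return (missing, extra) as lists of (type, flags, mask, sid) tuples."""
    key = lambda a: (a.type, a.flags, a.mask, a.sid)
    act = Counter(key(a) for a in parse_sddl(actual_sddl)["dacl"][1])
    exp = Counter(key(a) for a in parse_sddl(expected_sddl)["dacl"][1])
    return list((exp - act).elements()), list((act - exp).elements())


# The three descriptors quoted in the mail above (not constructed here).
ACTUAL_GPO_SD = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED_GPO_SD = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
                   "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
                   "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
                   "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
SAMBA_TOOL_DACL = ("D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)"
                   "(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)")

if __name__ == "__main__":
    for ace in parse_sddl(SAMBA_TOOL_DACL)["dacl"][1]:
        print("%s %-8s 0x%08x %s" % (ace.type, "".join(sorted(ace.flags)), ace.mask, ace.sid))
    missing, extra = diff_dacl(ACTUAL_GPO_SD, EXPECTED_GPO_SD)
    print("expected but absent:", missing)
    print("present but unexpected:", extra)
```

Run stand-alone it lists the nine ACEs of the samba-tool command with FA resolved to 0x001f01ff, and the diff shows what the sysvolcheck output only implies: the expected DACL is protected (P) while the actual one is not, the actual directory lacks the OICI full-control entries for EA and SY, and it carries six entries (the non-inheriting read entries for DA, EA and SY and the inherit-only entries for CG, EA and SY) that the expected value does not contain.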

