[Samba] GPO Permissions _AGAIN_

Alex Matthews qoole.samba at lillimoth.com
Thu Oct 10 09:42:40 MDT 2013


On 09/10/2013 16:41, Alex Matthews wrote:
> Hi all,
>
> I'm afraid I'm back to my old issue of GPO permissions.
>
> I have two ADDCs providing an AD Domain (internal.stmaryscollege.co.uk 
> (short-name 'SMC')). Servers are called 'ad-01' and 'tainan'. ad-01 is 
> 'Version 4.0.10' and tainan is 'Version 4.1.0rc4' (the latest version 
> in the package repos of the respective OSs (arch and gentoo))
> I have set up a script that synchronises the two sysvol shares (using 
> rsync) that I run manually when I make a change to a GPO.
> However I have found that even after running `samba-tool ntacl 
> sysvolreset` I still get 'Access Denied' or the more long winded: 
> 'Configuration information could not be read from the domain 
> controller, either because the machine is unavailable or access has 
> been denied.' when accessing some 'gpt.ini' files.
>
> For reference here is the getfacl output for the GPT.INI file in 
> question from the two servers:
>
> TAINAN:
> getfacl GPT.INI
> # file: GPT.INI
> # owner: SMC\134administrator
> # group: SMC\134Domain\040Admins
> user::rwx
> user:SMC\134administrator:rwx
> group::rwx
> group:SMC\134Domain\040Admins:rwx
> group:3000002:rwx
> group:3000003:r-x
> group:SMC\134Enterprise\040Admins:rwx
> group:3000011:r-x
> mask::rwx
> other::---
>
> AD-01:
> getfacl GPT.INI
> # file: GPT.INI
> # owner: SMC\134administrator
> # group: SMC\134Domain\040Admins
> user::rwx
> user:SMC\134administrator:rwx
> group::rwx
> group:SMC\134Domain\040Admins:rwx
> group:SMC\134Enterprise\040Admins:rwx
> group:3000008:r-x
> group:3000016:rwx
> group:3000018:r-x
> mask::rwx
> other::---
>
>
> I would assume the inconsistency is due to idmap being different, I'm 
> not sure.
>
> The output of `samba-tool ntacl sysvolcheck` from the two servers is 
> as follows:
>
> tainan:
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception 
> - ProvisioningError: DB ACL on GPO directory 
> /vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} 
> O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> does not match expected value 
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> from GPO object
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", 
> line 249, in run
>     lp)
>   File 
> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
> 1695, in checksysvolacl
>     direct_db_access)
>   File 
> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
> 1646, in check_gpos_acl
>     domainsid, direct_db_access)
>   File 
> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
> 1593, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
> match expected value %s from GPO object' % 
> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
>
> ad-01:
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception 
> - ProvisioningError: DB ACL on GPO directory 
> /srv/samba/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} 
> O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> does not match expected value 
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> from GPO object
>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 
> 245, in run
>     lp)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1685, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1636, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1586, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
> match expected value %s from GPO object' % 
> (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> Would it also be possible, as an update to sysvolcheck, to not throw 
> an uncaught exception but more gracefully give the errors and continue 
> after the first one?
>
> Thanks,
>
> Alex
>


Hi all,

Just a quick follow up.
I found a GPO entitled 'sysvol share compatibility' which has the 
following blurb:

This setting controls whether or not the Sysvol share created by the Net 
Logon service on a domain controller (DC) should support compatibility 
in file sharing semantics with earlier applications.
When this setting is enabled, the Sysvol share will honor file sharing 
semantics that grant requests for exclusive read access to files on the 
share even when the caller has only read permission.
When this setting is disabled or not configured, the Sysvol share will 
grant shared read access to files on the share when exclusive access is 
requested and the caller has only read permission.
By default, the Sysvol share will grant shared read access to files on 
the share when exclusive access is requested.
Note: The Sysvol share is a share created by the Net Logon service for 
use by Group Policy clients in the domain. The default behavior of the 
Sysvol share ensures that no application with only read permission to 
files on the sysvol share can lock the files by requesting exclusive 
read access, which might prevent Group Policy settings from being 
updated on clients in the domain. When this setting is enabled, an 
application that relies on the ability to lock files on the Sysvol share 
with only read permission will be able to deny Group Policy clients from 
reading the files, and in general the availability of the Sysvol share 
on the domain will be decreased.

The last part is the most interesting (after 'Note:'). Is this how samba 
works too when it comes to providing the sysvol share?


Here's a snippet of level 10 logging:

[2013/10/10 16:31:15.371698, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../lib/util/util.c:512(dump_data)
   [0000] 00 00 00 EC 03 00 00 00   00 5C 00 69 00 6E 00 74 ...ì.... 
.\.i.n.t
   [0010] 00 65 00 72 00 6E 00 61   00 6C 00 2E 00 73 00 74 .e.r.n.a 
.l...s.t
   [0020] 00 6D 00 61 00 72 00 79   00 73 00 63 00 6F 00 6C .m.a.r.y 
.s.c.o.l
   [0030] 00 6C 00 65 00 67 00 65   00 2E 00 63 00 6F 00 2E .l.e.g.e 
...c.o..
   [0040] 00 75 00 6B 00 5C 00 50   00 6F 00 6C 00 69 00 63 .u.k.\.P 
.o.l.i.c
   [0050] 00 69 00 65 00 73 00 5C   00 7B 00 46 00 33 00 44 .i.e.s.\ 
.{.F.3.D
   [0060] 00 46 00 30 00 42 00 43   00 33 00 2D 00 41 00 44 .F.0.B.C 
.3.-.A.D
   [0070] 00 30 00 46 00 2D 00 34   00 38 00 36 00 32 00 2D .0.F.-.4 
.8.6.2.-
   [0080] 00 42 00 32 00 43 00 42   00 2D 00 37 00 41 00 33 .B.2.C.B 
.-.7.A.3
   [0090] 00 33 00 32 00 45 00 30   00 44 00 42 00 30 00 43 .3.2.E.0 
.D.B.0.C
   [00A0] 00 45 00 7D 00 5C 00 67   00 70 00 74 00 2E 00 69 .E.}.\.g 
.p.t...i
   [00B0] 00 6E 00 69 00 00 00                              .n.i...
[2013/10/10 16:31:15.372061,  3, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/process.c:1398(switch_message)
   switch message SMBtrans2 (pid 2507) conn 0x7f20cd1affc0
[2013/10/10 16:31:15.372099,  4, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/uid.c:384(change_to_user)
   Skipping user change - already user
[2013/10/10 16:31:15.372141,  3, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/trans2.c:5337(call_trans2qfilepathinfo)
   call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2013/10/10 16:31:15.372187,  5, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/filename.c:258(unix_convert)
   unix_convert called on file 
"internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini"
[2013/10/10 16:31:15.372237, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/statcache.c:244(stat_cache_lookup)
   stat_cache_lookup: lookup failed for name 
[INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/GPT.INI]
[2013/10/10 16:31:15.372278, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/statcache.c:244(stat_cache_lookup)
   stat_cache_lookup: lookup failed for name 
[INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}]
[2013/10/10 16:31:15.372315, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/statcache.c:244(stat_cache_lookup)
   stat_cache_lookup: lookup failed for name 
[INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES]
[2013/10/10 16:31:15.372351, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/statcache.c:244(stat_cache_lookup)
   stat_cache_lookup: lookup failed for name [INTERNAL.STMARYSCOLLEGE.CO.UK]
[2013/10/10 16:31:15.372390,  5, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/filename.c:421(unix_convert)
   unix_convert begin: name = 
internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini, 
dirpath = , start = 
internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini
[2013/10/10 16:31:15.372445, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)
   is_mangled 
internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini 
?
[2013/10/10 16:31:15.372483, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
   is_mangled_component 
internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini 
(len 29) ?
[2013/10/10 16:31:15.372520, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
   is_mangled_component 
Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini (len 8) ?
[2013/10/10 16:31:15.372555, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
   is_mangled_component {F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini 
(len 38) ?
[2013/10/10 16:31:15.372591, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
   is_mangled_component gpt.ini (len 7) ?
[2013/10/10 16:31:15.372638,  5, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/statcache.c:143(stat_cache_add)
   stat_cache_add: Added entry (7f20cd6d0000:size 1d) 
INTERNAL.STMARYSCOLLEGE.CO.UK -> internal.stmaryscollege.co.uk
[2013/10/10 16:31:15.372685,  5, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/statcache.c:143(stat_cache_add)
   stat_cache_add: Added entry (7f20cd6d0080:size 26) 
INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES -> 
internal.stmaryscollege.co.uk/Policies
[2013/10/10 16:31:15.372732,  5, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/statcache.c:143(stat_cache_add)
   stat_cache_add: Added entry (7f20cd6d0110:size 4d) 
INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE} 
-> 
internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}
[2013/10/10 16:31:15.372782, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)
   is_mangled gpt.ini ?
[2013/10/10 16:31:15.372817, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
   is_mangled_component gpt.ini (len 7) ?
[2013/10/10 16:31:15.372870,  5, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/dir.c:1485(OpenDir)
   OpenDir: Can't open 
internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}. 
Permission denied
[2013/10/10 16:31:15.372922,  3, pid=2507, effective(3000447, 515), 
real(3000447, 0)] 
../source3/smbd/filename.c:1150(get_real_filename_full_scan)
   scan dir didn't open dir 
[internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}]
[2013/10/10 16:31:15.372959, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/filename.c:993(unix_convert)
   dirpath = 
[internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}] 
start = [gpt.ini]
[2013/10/10 16:31:15.372999, 10, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/filename.c:1385(filename_convert_internal)
   filename_convert_internal: unix_convert failed for name 
internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini 
with NT_STATUS_ACCESS_DENIED
[2013/10/10 16:31:15.373043,  3, pid=2507, effective(3000447, 515), 
real(3000447, 0)] ../source3/smbd/error.c:82(error_packet_set)
   NT error packet at ../source3/smbd/trans2.c(5373) cmd=50 (SMBtrans2) 
NT_STATUS_ACCESS_DENIED



It looks like it's being denied access as the machine account (3000447 is 
the machine account's UID afaict).

# getfacl \{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE\}/
# file: {F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/
# owner: 512
# group: SMC\134Domain\040Admins
user::rwx
user:root:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:SMC\134Domain\040Admins:r-x
group:SMC\134Enterprise\040Admins:rwx
group:3000016:rwx
group:3000018:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:SMC\134Domain\040Admins:rwx
default:group:SMC\134Domain\040Admins:r-x
default:group:SMC\134Enterprise\040Admins:rwx
default:group:3000016:rwx
default:group:3000018:r-x
default:mask::rwx
default:other::---



# getfacl \{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE\}/GPT.INI
# file: {F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/GPT.INI
# owner: 512
# group: SMC\134Domain\040Admins
user::rwx
user:root:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:SMC\134Domain\040Admins:r-x
group:SMC\134Enterprise\040Admins:rwx
group:3000016:rwx
group:3000018:r-x
mask::rwx
other::---

(sysvol/internal.stmaryscollege.co.uk/Policies, I had manually CHMOD'd 
to 777 to test a theory, hence the ACLs)
# getfacl ./
# file: .
# owner: root
# group: 544
user::rwx
user:root:rwx
group::rwx
group:544:rwx
group:SMC\134Group\040Policy\040Creator\040Owners:rwx
group:SMC\134Domain\040Admins:r-x
group:3000015:r-x
group:3000016:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:group::---
default:group:544:rwx
default:group:SMC\134Group\040Policy\040Creator\040Owners:rwx
default:group:SMC\134Domain\040Admins:r-x
default:group:3000015:r-x
default:group:3000016:rwx
default:mask::rwx
default:other::---



Thanks,

Alex
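Two small diagnostics for the symptoms above, added here as example code (not part of the original mail and not Samba's own code). The first splits the two SDDL strings from the sysvolcheck error into owner, group, DACL flags and ACEs and reports only the components that differ; for the strings quoted above that is the owner field alone (LA versus DA, the built-in Administrator account versus Domain Admins). The second parses getfacl output, flags entries whose qualifier is a bare number (a SID this DC's idmap could not resolve back to a name) and lists the entries that differ between the two servers, which is the quickest way to confirm that an rsync'd sysvol has carried one DC's numeric IDs onto another. Sample inputs are the listings quoted in the mail; the function names and the assumption that an SDDL string carries O:, G: and D: parts (and at most an S: part) are mine.

```python
"""Added example: diagnostics for an SDDL mismatch and for unmapped IDs in
getfacl output. Uses only the standard library; nothing talks to a DC."""
import re

# Constructed from the mail: filesystem ACL and expected ACL from sysvolcheck.
FS_SDDL = ("O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
DB_SDDL = ("O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")

# Constructed from the mail: getfacl of GPT.INI on the two DCs.
TAINAN = """# file: GPT.INI
# owner: SMC\\134administrator
# group: SMC\\134Domain\\040Admins
user::rwx
user:SMC\\134administrator:rwx
group::rwx
group:SMC\\134Domain\\040Admins:rwx
group:3000002:rwx
group:3000003:r-x
group:SMC\\134Enterprise\\040Admins:rwx
group:3000011:r-x
mask::rwx
other::---
"""
AD01 = """# file: GPT.INI
# owner: SMC\\134administrator
# group: SMC\\134Domain\\040Admins
user::rwx
user:SMC\\134administrator:rwx
group::rwx
group:SMC\\134Domain\\040Admins:rwx
group:SMC\\134Enterprise\\040Admins:rwx
group:3000008:r-x
group:3000016:rwx
group:3000018:r-x
mask::rwx
other::---
"""


def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, aces). Each ACE is the 6-tuple of its
    ';'-separated fields: type, flags, rights, object, inherit_object, trustee.
    Assumes the O:/G:/D: layout seen above; a trailing S: (SACL) is ignored."""
    m = re.fullmatch(r"O:(?P<owner>[^:]*?)G:(?P<group>[^:]*?)"
                     r"D:(?P<dacl>[^:]*)(?:S:(?P<sacl>.*))?", sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    dacl = m.group("dacl")
    flags = dacl[:dacl.index("(")] if "(" in dacl else dacl   # e.g. "PAR"
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)]
    return m.group("owner"), m.group("group"), flags, aces


def diff_sddl(actual, expected):
    """Map each differing component to (actual, expected); {} means identical."""
    names = ("owner", "group", "dacl_flags", "aces")
    pairs = zip(names, parse_sddl(actual), parse_sddl(expected))
    return {n: (x, y) for n, x, y in pairs if x != y}


def _unescape(name):
    """getfacl writes special bytes as \\NNN octal, e.g. \\040 for a space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Parse getfacl output into a set of (default, tag, qualifier, perms)."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # '# file:' / '# owner:' headers
            continue
        parts = line.split(":")                # colons in names are escaped
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        if len(parts) != 3:
            raise ValueError("unexpected getfacl line: %r" % line)
        tag, qualifier, perms = parts
        entries.add((default, tag, _unescape(qualifier), perms))
    return entries


def unmapped_entries(text):
    """Entries whose qualifier is a bare number: a UID/GID this DC's idmap could
    not turn back into a name, so it means something different on each DC."""
    return sorted(e for e in parse_getfacl(text) if e[2].isdigit())


def compare_facl(text_a, text_b):
    """Entries present on only one side, as (only_in_a, only_in_b)."""
    a, b = parse_getfacl(text_a), parse_getfacl(text_b)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    print("sysvolcheck mismatch:", diff_sddl(FS_SDDL, DB_SDDL))
    print("tainan unmapped:", unmapped_entries(TAINAN))
    print("ad-01 unmapped:", unmapped_entries(AD01))
    print("differences:", compare_facl(TAINAN, AD01))
```

Run against the two listings, the only entries that differ are the six numeric groups, which is consistent with the guess in the mail that the idmap tables of the two DCs have diverged rather than with any difference in the named ACEs.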

