[Samba] sysvolreset doesn't reset all ACLs

Sven Schwedas sven.schwedas at tao.at
Thu Aug 24 13:53:15 UTC 2017


On 2017-08-24 15:13, L.P.H. van Belle via samba wrote:
> Hai,
> 
> To recover from that problem, read:
> The "why" I set it up like this.
> http://lists-archives.com/samba/106301-can-t-create-update-group-policy-in-samba-4-6-5.html
> 
> And howto fix.
> http://lists-archives.com/samba/106333-can-t-create-update-group-policy-in-samba-4-6-5.html
> Note on this last link, the part:

Okay, I set up `acl_xattr:ignore system acls = yes` and restarted the DC.

> A good tip to restore the defaults with samba-tool without errors. 
>  
> move your domain folder out of the /var/lib/samba/sysvol folder.
> mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
> mkdir /var/lib/samba/sysvol/intern.domain.tld 		<<<<<<<<<<  you must have an empty folder for the next command. 
> And run samba-tool ntacl sysvolreset 
…and did that.

Alas:

> root at graz-dc-1b:/var/lib/samba# ls -l /var/lib/samba/sysvol/ad.tao.at/
> total 0
> root at graz-dc-1b:/var/lib/samba# samba-tool ntacl sysvolreset
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Would've been too easy, wouldn't it?

> ----
> 
> 
> Good luck, if you need more help, you know where to find us. ;-) 
> (PS: when it's all done, DON'T run samba-tool ntacl sysvolreset again, never ever)
> Until this bug is fixed. 
> 
> ( more GPO tips, google: https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&source=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu-O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 ) 
> 
> 
> 
> Greetz,
> 
> Louis 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland Penny via samba
>> Sent: Thursday 24 August 2017 14:42
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>>
>> On Thu, 24 Aug 2017 14:15:53 +0200
>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>>
>>> On 2017-08-24 13:00, Rowland Penny via samba wrote:
>>>> On Thu, 24 Aug 2017 12:41:36 +0200
>>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>>>>> On Thu, 24 Aug 2017 12:03:42 +0200 Sven Schwedas via samba 
>>>>>> <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>>
>>>>>>> Where does the error come from, and why doesn't sysvolreset fix
>>>>>>> it?
>>>>>>>
>>>>>>
>>>>>> Mainly because (from my testing) sysvolcheck/sysvolreset is 
>>>>>> broken. I do not write 'C' code and the problem seems to be in 
>>>>>> set_nt_acl from source3/smbd/posix_acls.c It doesn't set the 
>>>>>> correct ACL.
>>>>>>
>>>>>> I have opened a bug for this:
>>>>>>
>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12924
>>>>>
>>>>> Ah, crap.
>>>>
>>>> I actually used worse words when I found out why I couldn't get my
>>>> work on the python code to work. ;-)
>>>>
>>>>>
>>>>>> Even when this gets fixed, the python code will need work, because
>>>>>> it doesn't do what windows does, also anybody who has set a
>>>>>> gidNumber on Domain Admins, will need to remove it, the group
>>>>>> needs to own things in sysvol and with a gidNumber it cannot.
>>>>>
>>>>> Does this apply only to sysvolreset or also when fixing ACLs from
>>>>> Windows?
>>>>
>>>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
>>>> idmap.ldb, this makes it able to own files and dirs in sysvol. The
>>>> moment you give 'Domain Admins' a gidNumber, you break this mapping
>>>> and the group becomes just a group and cannot own anything on a Unix
>>>> machine, so my recommendation is to not give the group a gidNumber,
>>>> create another group, 'Unix Admins', give this group a gidNumber and
>>>> make this group a member of 'Domain Admins'.
>>>
>>> Does removing the gidNumber retroactively allow it to work?
>>>
>>> (That is, once I figured out how to reset the ACLs from within
>>> Windows.)
>>>
>>
>> It should, idmap.ldb works on a first-come basis, so the next
>> time Domain Admins connects it should get issued with a new xidNumber.
>>
>> Rowland
>>
>>
> 
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
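As an added example (mine, not Samba project code and not from anyone in this thread), a small Python check for the condition Rowland describes above: the 'Domain Admins' group carrying a gidNumber, and its idmap.ldb record no longer being ID_TYPE_BOTH. It parses LDIF in the shape `ldbsearch` prints. The LDIF embedded below is constructed for the demonstration (the domain SID, gidNumber and DN are placeholders), and the `ldbsearch` invocations named in the docstring are how I would feed it real data, not commands from the thread.

```python
"""Audit helper for the 'Domain Admins' mapping issue described in this thread.

Added example, not Samba project code. It parses LDIF text in the shape that
`ldbsearch` prints and reports two conditions named in the thread:
  * the 'Domain Admins' group (RID 512) carrying a gidNumber in sam.ldb,
  * its idmap.ldb record not being ID_TYPE_BOTH.
Real input would come from (assumed invocations, run on the DC):
  ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=Domain Admins)' objectSid gidNumber
  ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=<domain SID>-512)'
The LDIF strings at the bottom are constructed for the demonstration.
"""
from typing import Dict, List, Optional

DOMAIN_ADMINS_RID = 512


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split ldbsearch-style LDIF into records of {attribute: [values]}.

    Comment lines (# record 1, # returned N records) and blank lines end a
    record; a line starting with a space continues the previous value.
    Base64 values ("attr:: ...") are kept as-is, not decoded.
    """
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]  # folded continuation line
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        current.setdefault(attr, []).append(value.lstrip(": ").strip())
        last_attr = attr
    if current:
        records.append(current)
    return records


def _record_for_rid(records: List[Dict[str, List[str]]], rid: int):
    """First record whose objectSid ends in the given RID, or None."""
    suffix = f"-{rid}"
    for rec in records:
        if any(sid.endswith(suffix) for sid in rec.get("objectSid", [])):
            return rec
    return None


def domain_admins_gidnumber(sam_ldif: str) -> List[str]:
    """gidNumber values on the RID-512 group; an empty list is the healthy state."""
    rec = _record_for_rid(parse_ldif(sam_ldif), DOMAIN_ADMINS_RID)
    return list(rec.get("gidNumber", [])) if rec else []


def idmap_type_for_rid(idmap_ldif: str, rid: int) -> Optional[str]:
    """The 'type' attribute of the idmap.ldb record for that RID, if present."""
    rec = _record_for_rid(parse_ldif(idmap_ldif), rid)
    return rec["type"][0] if rec and rec.get("type") else None


def audit(sam_ldif: str, idmap_ldif: str) -> List[str]:
    """Findings as plain strings; an empty list means nothing to report."""
    findings: List[str] = []
    gids = domain_admins_gidnumber(sam_ldif)
    if gids:
        findings.append(
            f"Domain Admins has gidNumber {gids[0]}: per the thread it then acts as "
            "a plain Unix group and can no longer own files in sysvol")
    idtype = idmap_type_for_rid(idmap_ldif, DOMAIN_ADMINS_RID)
    if idtype is None:
        findings.append("no idmap.ldb record for Domain Admins (RID 512)")
    elif idtype != "ID_TYPE_BOTH":
        findings.append(f"Domain Admins idmap type is {idtype}, expected ID_TYPE_BOTH")
    return findings


# ---- constructed sample LDIF (placeholder SID, DN and gidNumber) ----
SID = "S-1-5-21-1111111111-2222222222-3333333333"

SAM_HEALTHY = f"""# record 1
dn: CN=Domain Admins,CN=Users,DC=intern,DC=domain,DC=tld
cn: Domain Admins
objectSid: {SID}-512

# returned 1 records
"""
# Same group, but someone has given it a gidNumber (the misconfiguration).
SAM_WITH_GID = SAM_HEALTHY.replace("\n\n", "\ngidNumber: 10000\n\n", 1)

IDMAP_HEALTHY = f"""dn: CN={SID}-512
cn: {SID}-512
objectClass: sidMap
objectSid: {SID}-512
type: ID_TYPE_BOTH
xidNumber: 3000000
"""
# Constructed "group only" mapping, to show the second finding.
IDMAP_GROUP_ONLY = IDMAP_HEALTHY.replace("ID_TYPE_BOTH", "ID_TYPE_GID")

if __name__ == "__main__":
    for label, sam, idmap in (("healthy", SAM_HEALTHY, IDMAP_HEALTHY),
                              ("broken", SAM_WITH_GID, IDMAP_GROUP_ONLY)):
        print(label, audit(sam, idmap) or ["ok"])
```

Run it against the output of the two `ldbsearch` commands instead of the constructed strings to check a DC before attempting any sysvol ACL repair; the thread's advice is to remove the gidNumber from 'Domain Admins' (and give a separate group such as 'Unix Admins' the gidNumber instead) so the group can own sysvol content again.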