[Samba] sysvolreset doesn't reset all ACLs

L.P.H. van Belle belle at bazuin.nl
Thu Aug 24 14:37:26 UTC 2017


Ok, rechecked this, you're correct. This did work fine. 

I'm now at samba 4.6.7, you? 
This worked until (last I checked) 4.6.5  :-(( now sysvolreset is totally broken.  :-(( 
New thing for my ToDo list.. 


Try this script, the rights are my defaults "after a sysvol reset". 
Place the script somewhere within /var/lib/samba, that is the preferred location. 
Run it with: bash script.sh sysvol/
! Check the group numbers and make sure you match yours. 
Then at least your rights are correct again. 
After this, go to your GPO manager, click every GPO, you get a message, click OK. 

Greetz, 
Louis


## SCRIPT 
#!/bin/bash

#
# backup rights. recursive
#getfacl -R /var/www > permissions.acl

# restore rights
#setfacl --restore=permissions.acl

# mkdir -m 700 Manager
# setfacl -m d:g:manager:rwx,g:manager:rwx Manager

# copy the acl
#getfacl basefile | setfacl -b -M - targetfile

# other examples:
# http://www.calculate-linux.org/main/en/setting_filesystem_acl

RIGHTSFILE="default-rights-sysvol.acl"

cat << EOF > ${RIGHTSFILE}
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
EOF

# Refuse to run without a target folder (the original fell through here
# and called setfacl on an empty path).
if [ -z "$1" ]; then
    echo "You need to assign the folder to set the default rights to"
    echo "We don't set the rights recursively on system paths! That can mess up current websites.."
    echo "exiting now .. "
    exit 1
fi

# Refuse absolute system paths; that is why the script is meant to be run
# from within /var/lib/samba with a relative "sysvol/" argument.
if printf '%s\n' "$1" | grep -qE "/bin|/boot|/dev|/etc|/home|/lib|/lib64|/media|/mnt|/opt|/proc|/root|/run|/sbin|/srv|/sys|/tmp|/usr|/var"; then
    echo "Warning, detected unsafe change, exiting now. "
    exit 1
fi

if [ ! -d "$1" ]; then
    echo "Error, directory does not exist, exiting now."
    exit 1
else
    # -b drops all extended entries first, then the defaults from the
    # rights file are applied recursively.
    setfacl -R -b --modify-file "$RIGHTSFILE" "$1"
    setfacl -R -m default:user:root:rwx "$1"
    setfacl -R -m default:group:"BUILTIN\134administrators":rwx "$1"
fi

## SCRIPT END
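As an added example (my own, not part of the mail or of Samba), a check you can run over a getfacl -R dump of sysvol before and after the reset to list the paths that still lack the admin entries; the required set and the sample dump are constructed from the rights file above.

```shell
# Added check (not part of the original mail): compare a getfacl dump of
# sysvol with the entries the reset script is meant to leave and list what
# is missing. Real use: getfacl -R sysvol/ > d.acl; check_sysvol_acl "$(cat d.acl)"
# Entries every path must carry (from the rights file; xids differ per DC)
REQUIRED='user:BUILTIN\134administrators:rwx
group:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
other::---
mask::rwx'
# Constructed sample: path 1 correct, path 2 left with plain Unix perms
SAMPLE_DUMP='# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
group::rwx
group:BUILTIN\134administrators:rwx
mask::rwx
other::---

# file: sysvol/intern.domain.tld/Policies
# owner: root
# group: root
user::rwx
group::r-x
other::r-x'
# check_sysvol_acl DUMP: prints "<path>: OK" or "<path>: missing <entry>";
# exit 1 when any path deviates. REQUIRED is passed via the environment
# because awk -v would turn \134 and \040 into real characters.
check_sysvol_acl() {
    printf '%s\n' "$1" | REQ="$REQUIRED" awk '
        BEGIN { n = split(ENVIRON["REQ"], req, "\n"); nbad = 0 }
        function flush(   i, bad) {            # report one finished path block
            if (path == "") return
            bad = 0
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { printf "%s: missing %s\n", path, req[i]; bad = 1 }
            if (!bad) printf "%s: OK\n", path
            nbad += bad; split("", seen); path = ""
        }
        /^# file: / { flush(); path = substr($0, 9); next }   # start of a path block
        /^#/ || /^$/ { next }                                  # owner/group/blank lines
        { seen[$0] = 1 }                                       # one ACL entry
        END { flush(); exit (nbad > 0) }'
}
check_sysvol_acl "$SAMPLE_DUMP" || echo "sysvol ACLs deviate from the defaults"
```

Only access entries are compared; add the "default:" lines from the rights file to REQUIRED to verify inheritance as well.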



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven 
> Schwedas via samba
> Sent: Thursday 24 August 2017 15:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
> 
> On 2017-08-24 15:13, L.P.H. van Belle via samba wrote:
> > Hi,
> > 
> > To recover from that problem, read: 
> > The "Why" I set up like this. 
> > 
> > http://lists-archives.com/samba/106301-can-t-create-update-group-policy-in-samba-4-6-5.html
> > 
> > And how to fix.
> > 
> > http://lists-archives.com/samba/106333-can-t-create-update-group-policy-in-samba-4-6-5.html
> > Note on this last link, the part: 
> 
> Okay, I set up `acl_xattr:ignore system acls = yes` and 
> restarted the DC.
> 
> > A good tip to restore the defaults with samba-tool without errors. 
> >  
> > move your domain folder out of the /var/lib/samba/sysvol folder. 
> > mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
> > mkdir /var/lib/samba/sysvol/intern.domain.tld   <<<<<<<<<<  you must have an empty folder for the next command. 
> > And run samba-tool ntacl sysvolreset
> ...and did that.
> 
> Alas:
> 
> > root at graz-dc-1b:/var/lib/samba# ls -l /var/lib/samba/sysvol/ad.tao.at/
> > total 0
> > root at graz-dc-1b:/var/lib/samba# samba-tool ntacl sysvolreset
> > open: error=2 (No such file or directory)
> > ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
> >     lp, use_ntvfs=use_ntvfs)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
> >     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
> >     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
> >     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> 
> Would've been too easy, wouldn't it?
> 
> > ----
> > 
> > 
> > Good luck, if you need more help, you know where to find us. ;-) 
> > (ps, when it's all done, DON'T run samba-tool ntacl sysvolreset again, never ever) 
> > Until this bug is fixed. 
> > 
> > (more GPO tips, google: 
> > https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&source=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu-O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 ) 
> > 
> > 
> > 
> > Greetz,
> > 
> > Louis 
> > 
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> >> Rowland Penny via samba
> >> Sent: Thursday 24 August 2017 14:42
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
> >>
> >> On Thu, 24 Aug 2017 14:15:53 +0200
> >> Sven Schwedas via samba <samba at lists.samba.org> wrote:
> >>
> >>> On 2017-08-24 13:00, Rowland Penny via samba wrote:
> >>>> On Thu, 24 Aug 2017 12:41:36 +0200
> >>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> >>>>>> On Thu, 24 Aug 2017 12:03:42 +0200 Sven Schwedas via samba 
> >>>>>> <samba at lists.samba.org> wrote:
> >>>>>>
> >>>>>>>
> >>>>>>> Where does the error come from, and why doesn't sysvolreset fix it?
> >>>>>>>
> >>>>>>
> >>>>>> Mainly because (from my testing) sysvolcheck/sysvolreset is 
> >>>>>> broken. I do not write 'C' code and the problem seems to be in 
> >>>>>> set_nt_acl from source3/smbd/posix_acls.c It doesn't set the 
> >>>>>> correct ACL.
> >>>>>>
> >>>>>> I have opened a bug for this:
> >>>>>>
> >>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12924
> >>>>>
> >>>>> Ah, crap.
> >>>>
> >>>> I actually used worse words when I found out why I couldn't get my 
> >>>> work on the python code to work. ;-)
> >>>>
> >>>>>
> >>>>>> Even when this gets fixed, the python code will need work, because 
> >>>>>> it doesn't do what windows does, also anybody who has set a 
> >>>>>> gidNumber on Domain Admins, will need to remove it, the group 
> >>>>>> needs to own things in sysvol and with a gidNumber it cannot.
> >>>>>
> >>>>> Does this apply only to sysvolreset or also when fixing ACLs from 
> >>>>> Windows?
> >>>>
> >>>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in 
> >>>> idmap.ldb, this makes it able to own files and dirs in sysvol. The 
> >>>> moment you give 'Domain Admins' a gidNumber, you break this mapping 
> >>>> and the group becomes just a group and cannot own anything on a Unix 
> >>>> machine, so my recommendation is to not give the group a gidNumber, 
> >>>> create another group 'Unix Admins', give this group a gidNumber and 
> >>>> make this group a member of 'Domain Admins'
> >>>
> >>> Does removing the gidNumber retroactively allow it to work?
> >>>
> >>> (That is, once I figured out how to reset the ACLs from within
> >>> Windows.)
> >>>
> >>
> >> It should, idmap.ldb works on a first come basis, so the next 
> >> time Domain Admins connects it should get issued with a new xidNumber.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> > 
> > 
> 
> -- 
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, Systemadministrator
> Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
> TAO Digital | Lendplatz 45 | A8020 Graz
> https://www.tao-digital.at | Tel +43 680 301 7167
> 
> 



