[Samba] sysvolreset doesn't reset all ACLs

Sven Schwedas sven.schwedas at tao.at
Thu Aug 24 14:59:39 UTC 2017


On 2017-08-24 16:37, L.P.H. van Belle via samba wrote:
> Ok, rechecked this, you're correct. This did work fine. 
> 
> I'm now at samba 4.6.7, you? 

4.5.8 still, but I guess updating won't help?

> This worked until ( last I checked ) 4.6.5  :-(( now sysvolreset is totally broken.  :-(( 
> New thing for my ToDo list.. 
> 
> 
> Try this script, the rights are my defaults "after a sysvol reset" 
> Place the script somewhere within /var/lib/samba
> Preferred that location.
> Run it with : bash script.sh sysvol/
> ! Check the group numbers and make sure you match yours. 

Which groups are 3000002 and 3000003 supposed to be?

> Then at least your rights are correct again. 
> After this, go to your GPO manager, click every GPO, you get a message, click OK. 
> 
> Greetz, 
> Louis
> 
> 
> ## SCRIPT 
> #!/bin/bash
> 
> #
> # backup rights. recursive
> #getfacl -R /var/www > permissions.acl
> 
> # restore rights
> #setfacl --restore=permissions.acl
> 
> # mkdir -m 700 Manager
> # setfacl -m d:g:manager:rwx,g:manager:rwx Manager
> 
> # copy the acl
> #getfacl basefile | setfacl -b -M - targetfile
> 
> # other examples:
> # http://www.calculate-linux.org/main/en/setting_filesystem_acl
> 
> RIGHTSFILE="default-rights-sysvol.acl"
> 
> cat << EOF > ${RIGHTSFILE}
> # file: sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:BUILTIN\134server\040operators:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:BUILTIN\134server\040operators:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> EOF
> 
> if [ -z "$1" ]; then
>     echo "You need to assign the folder to set the default rights to"
>     echo "We don't set the rights recursive! that can mess up current websites.."
>     echo "exiting now .. "
>     # without this exit the script would carry on with an empty path
>     exit 1
> fi
> 
> if [ $(echo "${1}" | egrep "/bin|/boot|/dev|/etc|/home|/lib|/lib64|/media|/mnt|/opt|/proc|/root|/run|/sbin|/srv|/sys|/tmp|/usr|/var" | wc -l ) -gt 0 ]; then
>     echo "Warning, detected unsafe change, exiting now. "
>     exit 1
> fi
> 
> if [ ! -d "$1" ]; then
>     echo "Error, directory does not exist, exiting now."
>     exit 1
> else
>     setfacl -R -b --modify-file "$RIGHTSFILE" "$1"
>     setfacl -R -m default:user:root:rwx "$1"
>     setfacl -R -m default:group:"BUILTIN\134administrators":rwx "$1"
> fi
> 
> ## SCRIPT END
> 
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven 
>> Schwedas via samba
>> Sent: Thursday, 24 August 2017 15:53
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>>
>> On 2017-08-24 15:13, L.P.H. van Belle via samba wrote:
>>> Hai,
>>>
>>> To recover from that problem, read: 
>>> The "Why" I set up like this. 
>>>
>>> http://lists-archives.com/samba/106301-can-t-create-update-group-policy-in-samba-4-6-5.html
>>>
>>> And how to fix.
>>>
>>> http://lists-archives.com/samba/106333-can-t-create-update-group-policy-in-samba-4-6-5.html
>>> Note on this last link, the part: 
>>
>> Okay, I set up `acl_xattr:ignore system acls = yes` and 
>> restarted the DC.
>>
>>> A good tip to restore the defaults with samba-tool without errors. 
>>>  
>>> move your domain folder out of the /var/lib/samba/sysvol folder. 
>>> mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
>>> mkdir /var/lib/samba/sysvol/intern.domain.tld
>> <<<<<<<<<<  you must have an empty folder for the next command. 
>>> And run samba-tool ntacl sysvolreset
>> ...and did that.
>>
>> Alas:
>>
>>> root at graz-dc-1b:/var/lib/samba# ls -l /var/lib/samba/sysvol/ad.tao.at/
>>> total 0
>>> root at graz-dc-1b:/var/lib/samba# samba-tool ntacl sysvolreset
>>> open: error=2 (No such file or directory)
>>> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>>>     lp, use_ntvfs=use_ntvfs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>>>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>>
>> Would've been too easy, wouldn't it?
>>
>>> ----
>>>
>>>
>>> Good luck, if you need more help, you know where to find us. ;-) 
>>> ( ps, when it's all done, DON'T run samba-tool ntacl sysvolreset again, never ever ) 
>>> Until this bug is fixed. 
>>>
>>> ( more GPO tips, google: 
>>> https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&source=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu-O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 ) 
>>>
>>>
>>>
>>> Greetz,
>>>
>>> Louis 
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
>>>> Rowland Penny via samba
>>>> Sent: Thursday, 24 August 2017 14:42
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>>>>
>>>> On Thu, 24 Aug 2017 14:15:53 +0200
>>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> On 2017-08-24 13:00, Rowland Penny via samba wrote:
>>>>>> On Thu, 24 Aug 2017 12:41:36 +0200
>>>>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>>>>>>> On Thu, 24 Aug 2017 12:03:42 +0200 Sven Schwedas via samba 
>>>>>>>> <samba at lists.samba.org> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Where does the error come from, and why doesn't sysvolreset fix 
>>>>>>>>> it?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Mainly because (from my testing) sysvolcheck/sysvolreset is 
>>>>>>>> broken. I do not write 'C' code and the problem seems to be in 
>>>>>>>> set_nt_acl from source3/smbd/posix_acls.c. It doesn't set the 
>>>>>>>> correct ACL.
>>>>>>>>
>>>>>>>> I have opened a bug for this:
>>>>>>>>
>>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12924
>>>>>>>
>>>>>>> Ah, crap.
>>>>>>
>>>>>> I actually used worse words when I found out why I couldn't get my 
>>>>>> work on the python code to work. ;-)
>>>>>>
>>>>>>>
>>>>>>>> Even when this gets fixed, the python code will need work, because 
>>>>>>>> it doesn't do what windows does, also anybody who has set a 
>>>>>>>> gidNumber on Domain Admins, will need to remove it, the group 
>>>>>>>> needs to own things in sysvol and with a gidNumber it cannot.
>>>>>>>
>>>>>>> Does this apply only to sysvolreset or also when fixing ACLs from 
>>>>>>> Windows?
>>>>>>
>>>>>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in 
>>>>>> idmap.ldb, this makes it able to own files and dirs in sysvol. The 
>>>>>> moment you give 'Domain Admins' a gidNumber, you break this mapping 
>>>>>> and the group becomes just a group and cannot own anything on a Unix 
>>>>>> machine, so my recommendation is to not give the group a gidNumber, 
>>>>>> create another group 'Unix Admins', give this group a gidNumber and 
>>>>>> make this group a member of 'Domain Admins'
>>>>>
>>>>> Does removing the gidNumber retroactively allow it to work?
>>>>>
>>>>> (That is, once I figured out how to reset the ACLs from within
>>>>> Windows.)
>>>>>
>>>>
>>>> It should, idmap.ldb works on a first come basis, so the next 
>>>> time Domain Admins connects it should get issued with a new xidNumber.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>
>>>
>>
>> -- 
>> Mit freundlichen Grüßen, / Best Regards,
>> Sven Schwedas, Systemadministrator
>> Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
>> TAO Digital | Lendplatz 45 | A8020 Graz
>> https://www.tao-digital.at | Tel +43 680 301 7167
>>
> 
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
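As an added example (not code from this thread, from Louis' script or from Samba), here is a small shell check to run over a getfacl-style dump such as the default-rights-sysvol.acl file the script writes, before it is applied with setfacl. It lists the bare numeric ids the dump references (the 3000002/3000003 question above, which it does not answer; resolve them with wbinfo on the DC) and refuses a dump that lacks the required entries or grants "other" any access. The required-entry list is an assumption copied from the script's heredoc, the sample dumps are constructed, and resolve_gid assumes a winbind-enabled DC where wbinfo is available.

```shell
#!/bin/bash
# Added example (not code from the thread, Louis' script or Samba):
# sanity-check a getfacl-style ACL dump before feeding it to setfacl -M.
#
#   list_numeric_ids FILE   prints every bare xidNumber (e.g. 3000002) the
#                           dump references, so each can be resolved before
#                           the ACL is applied
#   check_acl_file   FILE   returns 0 when every required entry is present,
#                           1 otherwise, printing the missing ones to stderr

# Entries a sysvol dump must carry. Assumption: taken from the heredoc in
# Louis' script; adjust the list to your own domain's defaults.
REQUIRED_ENTRIES='user::rwx
group:BUILTIN\134administrators:rwx
other::---
default:group:BUILTIN\134administrators:rwx
default:other::---'

# Print each numeric uid/gid in the dump once, sorted. Matching lines look
# like  user:3000002:rwx  or  default:group:3000003:r-x ; comments skipped.
list_numeric_ids() {
    grep -v '^#' "$1" \
      | sed -En 's/^(default:)?(user|group):([0-9]+):.*$/\3/p' \
      | sort -u
}

# Resolve one numeric gid to a name through winbind (needs a running DC,
# so it is not exercised here): gid -> SID -> name.
resolve_gid() {
    sid=$(wbinfo -G "$1") || return 1
    wbinfo -s "$sid"
}

# Verify that every entry in REQUIRED_ENTRIES appears verbatim in the dump.
check_acl_file() {
    entries=$(grep -v '^#' "$1" | sed 's/[[:space:]]*$//') || true
    missing=0
    saved_ifs=$IFS
    IFS='
'
    for want in $REQUIRED_ENTRIES; do
        if ! printf '%s\n' "$entries" | grep -Fxq -- "$want"; then
            echo "missing ACL entry: $want" >&2
            missing=$((missing + 1))
        fi
    done
    IFS=$saved_ifs
    [ "$missing" -eq 0 ]
}

# Constructed sample dump for demonstration (not captured from a real DC).
SAMPLE_OK=$(mktemp)
cat <<'EOF' > "$SAMPLE_OK"
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:3000002:rwx
mask::rwx
other::---
default:user::rwx
default:group:BUILTIN\134administrators:rwx
default:group:3000003:r-x
default:other::---
EOF

# Same dump with "other" opened up and the administrators group dropped.
SAMPLE_BAD=$(mktemp)
grep -v 'administrators:rwx' "$SAMPLE_OK" | sed 's/^other::---$/other::r-x/' > "$SAMPLE_BAD"

list_numeric_ids "$SAMPLE_OK"
check_acl_file "$SAMPLE_OK" && echo "constructed OK dump passes"
check_acl_file "$SAMPLE_BAD" || echo "constructed BAD dump rejected"
```

Run it against the real file with `check_acl_file default-rights-sysvol.acl` after editing REQUIRED_ENTRIES to match the defaults you expect; `list_numeric_ids` followed by `resolve_gid` on each id shows which groups the bare numbers stand for on that DC, since a dump copied from another domain will carry that domain's xidNumbers.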


