[Samba] sysvolreset doesn't reset all ACLs
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 25 06:09:30 UTC 2017
Ah, yes, oeps sorry, and i did run out of the office yesterday, so didnt see this..
3000002:rwx
3000003:r-x
wbinfo --uid-to-sid=3000003
S-1-5-11
wbinfo --uid-to-sid=3000002
S-1-5-18
wbinfo --sid-to-name=S-1-5-11
NT AUTHORITY\Authenticated Users 5
wbinfo --sid-to-name=S-1-5-18
NT AUTHORITY\SYSTEM 5
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sven
> Schwedas via samba
> Verzonden: donderdag 24 augustus 2017 17:00
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] sysvolreset doesn't reset all ACLs
>
> On 2017-08-24 16:37, L.P.H. van Belle via samba wrote:
> > Ok, rechecked this, your correct. This did work fine.
> >
> > In now at samba 4.6.7, you?
>
> 4.5.8 still, but I guess updating won't help?
>
> > This worked untill ( last i checked ) 4.6.5 :-(( now
> sysvolreset is
> > totaly broken. :-(( New thing for my ToDo list..
> >
> >
> > Try this script, the rights are my defaults "after a sysvol reset"
> > Place the script somewhere within /var/lib/samba Preffered that
> > location .
> > Run it with : bash script.sh sysvol/
> > ! Check the group numbers and make sure you match yours.
>
> Which groups are 3000002 and 3000003 supposed to be?
>
> > Then at least your rights are correct again.
> > After this, goto you gpo manager, klik ever gpo, you get a
> message, klik ok.
> >
> > Greetz,
> > Louis
> >
> >
> > ## SCRIPT
> > #!/bin/bash
> >
> > #
> > # backup rights. recursive
> > #getfacl -R /var/www > permissions.acl
> >
> > # restore rights
> > #setfacl --restore=permissions.acl
> >
> > # mkdir -m 700 Manager
> > # setfacl -m d:g:manager:rwx,g:manager:rwx Manager
> >
> > # copy the acl
> > #getfacl basefile | setfacl -b -M - targetfile
> >
> > # other examples:
> > # http://www.calculate-linux.org/main/en/setting_filesystem_acl
> >
> > RIGHTSFILE="default-rights-sysvol.acl"
> >
> > cat << EOF > ${RIGHTSFILE}
> > # file: sysvol
> > # owner: root
> > # group: BUILTIN\134administrators
> > user::rwx
> > user:root:rwx
> > user:BUILTIN\134administrators:rwx
> > user:BUILTIN\134server\040operators:r-x
> > user:3000002:rwx
> > user:3000003:r-x
> > group::rwx
> > group:BUILTIN\134administrators:rwx
> > group:BUILTIN\134server\040operators:r-x
> > group:3000002:rwx
> > group:3000003:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:BUILTIN\134administrators:rwx
> > default:user:BUILTIN\134server\040operators:r-x
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:group::---
> > default:group:BUILTIN\134administrators:rwx
> > default:group:BUILTIN\134server\040operators:r-x
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:mask::rwx
> > default:other::---
> > EOF
> >
> > if [ -z $1 ]; then
> > echo "You need do assign the folder to set the default
> rights to"
> > echo "We dont set the rights recursive! that can mess
> up current websites.."
> > echo "exiting now .. "
> > fi
> >
> > if [ $(echo ${1} | egrep
> "/bin|/boot|/dev|/etc|/home|/lib|/lib64|/media|/mnt|/opt|/proc
> |/root|/run|/sbin|/srv|/sys|/tmp|/usr|/var" | wc -l ) -gt 0 ]; then
> > echo "Warning, detected un safe change, exiting now. "
> > exit 1
> > fi
> >
> > if [ ! -d $1 ]; then
> > echo "Error, directory does not exist, exiting now."
> > exit 1
> > else
> > setfacl -R -b --modify-file $RIGHTSFILE $1
> > setfacl -R -m default:user:root:rwx $1
> > setfacl -R -m
> default:group:"BUILTIN\134administrators":rwx $1 fi
> >
> > ## SCRIPT END
> >
> >
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sven
> >> Schwedas via samba
> >> Verzonden: donderdag 24 augustus 2017 15:53
> >> Aan: samba at lists.samba.org
> >> Onderwerp: Re: [Samba] sysvolreset doesn't reset all ACLs
> >>
> >> On 2017-08-24 15:13, L.P.H. van Belle via samba wrote:
> >>> Hai,
> >>>
> >>> To recover from that problem, read :
> >>> The "Why" i setup like this.
> >>>
> >>
> http://lists-archives.com/samba/106301-can-t-create-update-group-poli
> >> c
> >>> y-in-samba-4-6-5.html
> >>>
> >>> And howto fix.
> >>>
> >>
> http://lists-archives.com/samba/106333-can-t-create-update-group-poli
> >> c
> >>> y-in-samba-4-6-5.html
> >>> Note on this last link, the part.:
> >>
> >> Okay, I set up `acl_xattr:ignore system acls = yes` and
> restarted the
> >> DC.
> >>
> >>> A good tip to restore the defaults with samba-tool
> without errors.
> >>>
> >>> move you domain folder out of the /var/lib/samba/sysvol folder.
> >>> mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
> >>> mkdir /var/lib/samba/sysvol/intern.domain.tld
> >> <<<<<<<<<< you must have an empty folder for the next command.
> >>> And run samba-tool ntacl sysvolreset
> >> ?and did that.
> >>
> >> Alas:
> >>
> >>> root at graz-dc-1b:/var/lib/samba# ls -l
> >> /var/lib/samba/sysvol/ad.tao.at/
> >>> total 0
> >>> root at graz-dc-1b:/var/lib/samba# samba-tool ntacl sysvolreset
> >>> open: error=2 (No such file or directory)
> >>> ERROR(runtime): uncaught exception - (-1073741823,
> >> 'Undetermined error')
> >>> File
> >> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> >> line 176, in _run
> >>> return self.run(*args, **kwargs)
> >>> File
> >> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
> >> line 239, in run
> >>> lp, use_ntvfs=use_ntvfs)
> >>> File
> >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py"
> >> , line 1609, in setsysvolacl
> >>> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn,
> >> samdb, lp, use_ntvfs, passdb=s4_passdb)
> >>> File
> >> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py"
> >> , line 1502, in set_gpos_acl
> >>> use_ntvfs=use_ntvfs, skip_invalid_chown=True,
> >> passdb=passdb, service=SYSVOL_SERVICE)
> >>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py",
> >> line 162, in setntacl
> >>> smbd.set_nt_acl(file, security.SECINFO_OWNER |
> >> security.SECINFO_GROUP | security.SECINFO_DACL |
> >> security.SECINFO_SACL, sd, service=service)
> >>
> >> Would've been too easy, wouldn't it?
> >>
> >>> ----
> >>>
> >>>
> >>> Good luck, if you need more help, you know where to find
> us. ;-) (
> >>> ps, when its all done, DONT run samba-tool ntacl
> >> sysvolreset again, never ever )
> >>> Until this bug is fixed.
> >>>
> >>> ( more GPO tips, google:
> >> https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&sour
> > ce=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu->
> > O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 )
> >>>
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>> -----Oorspronkelijk bericht-----
> >>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland
> >>>> Penny via samba
> >>>> Verzonden: donderdag 24 augustus 2017 14:42
> >>>> Aan: samba at lists.samba.org
> >>>> Onderwerp: Re: [Samba] sysvolreset doesn't reset all ACLs
> >>>>
> >>>> On Thu, 24 Aug 2017 14:15:53 +0200
> >>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> On 2017-08-24 13:00, Rowland Penny via samba wrote:
> >>>>>> On Thu, 24 Aug 2017 12:41:36 +0200 Sven Schwedas via samba
> >>>>>> <samba at lists.samba.org> wrote:
> >>>>>>
> >>>>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> >>>>>>>> On Thu, 24 Aug 2017 12:03:42 +0200 Sven Schwedas via samba
> >>>>>>>> <samba at lists.samba.org> wrote:
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Where does the error come from, and why doesn't
> >>>> sysvolreset fix
> >>>>>>>>> it?
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> Mainly because (from my testing) sysvolcheck/sysvolreset is
> >>>>>>>> broken. I do not write 'C' code and the problem
> seems to be in
> >>>>>>>> set_nt_acl from source3/smbd/posix_acls.c It doesn't set the
> >>>>>>>> correct ACL.
> >>>>>>>>
> >>>>>>>> I have opened a bug for this:
> >>>>>>>>
> >>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12924
> >>>>>>>
> >>>>>>> Ah, crap.
> >>>>>>
> >>>>>> I actually used worse words when I found out why I
> >>>> couldn't get my
> >>>>>> work on the python code to work. ;-)
> >>>>>>
> >>>>>>>
> >>>>>>>> Even when this gets fixed, the python code will need
> >>>> work, because
> >>>>>>>> it doesn't do what windows does, also anybody who has set a
> >>>>>>>> gidNumber on Domain Admins, will need to remove it,
> the group
> >>>>>>>> needs to own things in sysvol and with a gidNumber it cannot.
> >>>>>>>
> >>>>>>> Does this apply only to sysvolreset or also when fixing
> >>>> ACLs from
> >>>>>>> Windows?
> >>>>>>
> >>>>>> On a Samba AD DC, 'Domain Admins' is mapped to
> 'ID_TYPE_BOTH' in
> >>>>>> idmap.ldb, this makes it able to own files and dirs in
> >>>> sysvol. The
> >>>>>> moment you give 'Domain Admins' a gidNumber, you break
> >>>> this mapping
> >>>>>> and the group becomes just a group and cannot own
> >>>> anything on a Unix
> >>>>>> machine, so my recommendation is to not give the group a
> >>>> gidNumber,
> >>>>>> create another group 'Unix Admins' ? give this group a
> >>>> gidNumber and
> >>>>>> make this group a member of 'Domain Admins'
> >>>>>
> >>>>> Does removing the gidNumber retroactively allow it to work?
> >>>>>
> >>>>> (That is, once I figured out how to reset the ACLs from within
> >>>>> Windows.)
> >>>>>
> >>>>
> >>>> It should, idmap.ldb works on a first come basis, so the
> next time
> >>>> Domain Admins connects it should get issued with a
> >> new xidNumber.
> >>>>
> >>>> Rowland
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL
> and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >>>
> >>>
> >>
> >> --
> >> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas,
> >> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype
> >> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz
> >> https://www.tao-digital.at | Tel +43 680 301 7167
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
> >
>
> --
> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas,
> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype
> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz
> https://www.tao-digital.at | Tel +43 680 301 7167
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list