[Samba] sysvolreset doesn't reset all ACLs

Sven Schwedas sven.schwedas at tao.at
Fri Aug 25 08:32:03 UTC 2017


> root at graz-dc-sem.ad.tao.at# wbinfo --sid-to-name=S-1-5-11
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-11

So how fucked is my domain?

On 2017-08-25 08:09, L.P.H. van Belle via samba wrote:
> Ah, yes, oops, sorry, and I did run out of the office yesterday, so I didn't see this..
>  
> 3000002:rwx	
> 3000003:r-x	
> 
> wbinfo --uid-to-sid=3000003
> S-1-5-11
> wbinfo --uid-to-sid=3000002
> S-1-5-18
> 
> wbinfo --sid-to-name=S-1-5-11
> NT AUTHORITY\Authenticated Users 5
> 
> wbinfo --sid-to-name=S-1-5-18
> NT AUTHORITY\SYSTEM 5
> 
> Greetz, 
> 
> Louis
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven
>> Schwedas via samba
>> Sent: Thursday 24 August 2017 17:00
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>>
>> On 2017-08-24 16:37, L.P.H. van Belle via samba wrote:
>>> Ok, rechecked this, you're correct. This did work fine.
>>>
>>> I'm now at samba 4.6.7, you?
>>
>> 4.5.8 still, but I guess updating won't help?
>>
>>> This worked until ( last I checked ) 4.6.5  :-(( now sysvolreset is
>>> totally broken.  :-(( New thing for my ToDo list..
>>>
>>>
>>> Try this script, the rights are my defaults "after a sysvol reset".
>>> Place the script somewhere within /var/lib/samba, preferably at that
>>> location.
>>> Run it with : bash script.sh sysvol/
>>> ! Check the group numbers and make sure you match yours.
>>
>> Which groups are 3000002 and 3000003 supposed to be?
>>
>>> Then at least your rights are correct again.
>>> After this, go to your GPO manager, click every GPO, you get a
>>> message, click OK.
>>>
>>> Greetz,
>>> Louis
>>>
>>>
>>> ## SCRIPT
>>> #!/bin/bash
>>>
>>> #
>>> # backup rights. recursive
>>> #getfacl -R /var/www > permissions.acl
>>>
>>> # restore rights
>>> #setfacl --restore=permissions.acl
>>>
>>> # mkdir -m 700 Manager
>>> # setfacl -m d:g:manager:rwx,g:manager:rwx Manager
>>>
>>> # copy the acl
>>> #getfacl basefile | setfacl -b -M - targetfile
>>>
>>> # other examples:
>>> # http://www.calculate-linux.org/main/en/setting_filesystem_acl
>>>
>>> RIGHTSFILE="default-rights-sysvol.acl"
>>>
>>> # Default sysvol rights in getfacl format. 3000002 and 3000003 are the xids
>>> # of NT AUTHORITY\SYSTEM (S-1-5-18) and Authenticated Users (S-1-5-11) on
>>> # this DC; check yours with "wbinfo --uid-to-sid=<xid>" and adjust them.
>>> cat << EOF > ${RIGHTSFILE}
>>> # file: sysvol
>>> # owner: root
>>> # group: BUILTIN\134administrators
>>> user::rwx
>>> user:root:rwx
>>> user:BUILTIN\134administrators:rwx
>>> user:BUILTIN\134server\040operators:r-x
>>> user:3000002:rwx
>>> user:3000003:r-x
>>> group::rwx
>>> group:BUILTIN\134administrators:rwx
>>> group:BUILTIN\134server\040operators:r-x
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:BUILTIN\134administrators:rwx
>>> default:user:BUILTIN\134server\040operators:r-x
>>> default:user:3000002:rwx
>>> default:user:3000003:r-x
>>> default:group::---
>>> default:group:BUILTIN\134administrators:rwx
>>> default:group:BUILTIN\134server\040operators:r-x
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:mask::rwx
>>> default:other::---
>>> EOF
>>>
>>> if [ -z "$1" ]; then
>>>     echo "You need to assign the folder to set the default rights to"
>>>     echo "We don't set the rights recursive! that can mess up current websites.."
>>>     echo "exiting now .. "
>>>     exit 1
>>> fi
>>>
>>> # Refuse paths into system directories. This also matches /var, so run the
>>> # script from within /var/lib/samba with a relative path such as "sysvol/".
>>> if echo "$1" | grep -Eq "/bin|/boot|/dev|/etc|/home|/lib|/lib64|/media|/mnt|/opt|/proc|/root|/run|/sbin|/srv|/sys|/tmp|/usr|/var"; then
>>>     echo "Warning, detected unsafe change, exiting now. "
>>>     exit 1
>>> fi
>>>
>>> if [ ! -d "$1" ]; then
>>>     echo "Error, directory does not exist, exiting now."
>>>     exit 1
>>> else
>>>     # -b first strips all extended ACL entries, then the rights file is
>>>     # applied to the whole tree.
>>>     setfacl -R -b --modify-file "$RIGHTSFILE" "$1"
>>>     setfacl -R -m default:user:root:rwx "$1"
>>>     setfacl -R -m default:group:"BUILTIN\134administrators":rwx "$1"
>>> fi
>>>
>>> ## SCRIPT END
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven
>>>> Schwedas via samba
>>>> Sent: Thursday 24 August 2017 15:53
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>>>>
>>>> On 2017-08-24 15:13, L.P.H. van Belle via samba wrote:
>>>>> Hi,
>>>>>
>>>>> To recover from that problem, read:
>>>>> The "why" I set it up like this:
>>>>> http://lists-archives.com/samba/106301-can-t-create-update-group-policy-in-samba-4-6-5.html
>>>>>
>>>>> And how to fix:
>>>>> http://lists-archives.com/samba/106333-can-t-create-update-group-policy-in-samba-4-6-5.html
>>>>> Note on this last link, the part:
>>>>
>>>> Okay, I set up `acl_xattr:ignore system acls = yes` and restarted the
>>>> DC.
>>>>
>>>>> A good tip to restore the defaults with samba-tool without errors.
>>>>>
>>>>> move your domain folder out of the /var/lib/samba/sysvol folder.
>>>>> mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
>>>>> mkdir /var/lib/samba/sysvol/intern.domain.tld   <<<<<<<<<<  you must have an empty folder for the next command.
>>>>> And run samba-tool ntacl sysvolreset
>>>> …and did that.
>>>>
>>>> Alas:
>>>>
>>>>> root at graz-dc-1b:/var/lib/samba# ls -l /var/lib/samba/sysvol/ad.tao.at/
>>>>> total 0
>>>>> root at graz-dc-1b:/var/lib/samba# samba-tool ntacl sysvolreset
>>>>> open: error=2 (No such file or directory)
>>>>> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>>>>     return self.run(*args, **kwargs)
>>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>>>>>     lp, use_ntvfs=use_ntvfs)
>>>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>>>>>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>>>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>>>>>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>>>>>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>>>>>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>>>>
>>>> Would've been too easy, wouldn't it?
>>>>
>>>>> ----
>>>>>
>>>>>
>>>>> Good luck, if you need more help, you know where to find us. ;-)
>>>>> ( ps, when it's all done, DON'T run samba-tool ntacl sysvolreset
>>>>> again, never ever )
>>>>> Until this bug is fixed.
>>>>>
>>>>> ( more GPO tips, google:
>>>>> https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&source=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu-O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 )
>>>>>
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland
>>>>>> Penny via samba
>>>>>> Sent: Thursday 24 August 2017 14:42
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>>>>>>
>>>>>> On Thu, 24 Aug 2017 14:15:53 +0200
>>>>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>> On 2017-08-24 13:00, Rowland Penny via samba wrote:
>>>>>>>> On Thu, 24 Aug 2017 12:41:36 +0200 Sven Schwedas via samba 
>>>>>>>> <samba at lists.samba.org> wrote:
>>>>>>>>
>>>>>>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>>>>>>>>> On Thu, 24 Aug 2017 12:03:42 +0200 Sven Schwedas via samba 
>>>>>>>>>> <samba at lists.samba.org> wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Where does the error come from, and why doesn't sysvolreset fix
>>>>>>>>>>> it?
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Mainly because (from my testing) sysvolcheck/sysvolreset is
>>>>>>>>>> broken. I do not write 'C' code and the problem seems to be in
>>>>>>>>>> set_nt_acl from source3/smbd/posix_acls.c. It doesn't set the
>>>>>>>>>> correct ACL.
>>>>>>>>>>
>>>>>>>>>> I have opened a bug for this:
>>>>>>>>>>
>>>>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12924
>>>>>>>>>
>>>>>>>>> Ah, crap.
>>>>>>>>
>>>>>>>> I actually used worse words when I found out why I couldn't get my
>>>>>>>> work on the python code to work. ;-)
>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Even when this gets fixed, the python code will need work, because
>>>>>>>>>> it doesn't do what windows does, also anybody who has set a
>>>>>>>>>> gidNumber on Domain Admins, will need to remove it, the group
>>>>>>>>>> needs to own things in sysvol and with a gidNumber it cannot.
>>>>>>>>>
>>>>>>>>> Does this apply only to sysvolreset or also when fixing ACLs from
>>>>>>>>> Windows?
>>>>>>>>
>>>>>>>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
>>>>>>>> idmap.ldb, this makes it able to own files and dirs in sysvol. The
>>>>>>>> moment you give 'Domain Admins' a gidNumber, you break this mapping
>>>>>>>> and the group becomes just a group and cannot own anything on a Unix
>>>>>>>> machine, so my recommendation is to not give the group a gidNumber,
>>>>>>>> create another group 'Unix Admins', give this group a gidNumber and
>>>>>>>> make this group a member of 'Domain Admins'
>>>>>>>
>>>>>>> Does removing the gidNumber retroactively allow it to work?
>>>>>>>
>>>>>>> (That is, once I figured out how to reset the ACLs from within
>>>>>>> Windows.)
>>>>>>>
>>>>>>
>>>>>> It should, idmap.ldb works on a first come basis, so the next time
>>>>>> Domain Admins connects it should get issued with a new xidNumber.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, 
>>>> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype 
>>>> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz 
>>>> https://www.tao-digital.at | Tel +43 680 301 7167
>>>>
>>>>
>>>
>>>
>>
>>
>>
> 
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
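The whole thread turns on two things: a rights file in getfacl format whose numeric entries (3000002, 3000003) are per-DC xids that only `wbinfo` can explain, and a sysvolreset that leaves entries untouched so the tree silently drifts from those defaults. The following drift checker is an added example, not code from this thread or from Samba: it parses `getfacl -R` output (decoding the `\134` and `\040` escapes and ignoring `#effective:` annotations), compares every directory against Louis's rights file, and labels numeric xids with the SIDs and names from his wbinfo output. That xid-to-SID mapping is assumed from his DC and will differ on any other domain; the dump it checks is constructed inline, and `{EXAMPLE-GPO-GUID}` is a placeholder for a policy directory name.

```python
import re

# getfacl writes a backslash as \134 and a space as \040 (3-digit octal), which is
# why the thread's rights file reads BUILTIN\134server\040operators; setfacl decodes it.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

def unescape_getfacl(name):
    """Decode getfacl's octal escapes into the real principal name or path."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_acl_entries(lines):
    """Parse ACL entry lines (a getfacl block or a setfacl -M file) into
    {(is_default, tag, qualifier): perms}; '#' comments and '#effective:' notes are dropped."""
    acl = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        acl[(is_default, tag, unescape_getfacl(qualifier))] = perms
    return acl

def parse_getfacl_dump(text):
    """Split `getfacl -R` output on its '# file:' headers into {path: acl}."""
    blocks = re.split(r"^# file: ", text, flags=re.M)[1:]
    return {unescape_getfacl(b.split("\n", 1)[0].strip()): parse_acl_entries(b.splitlines()[1:])
            for b in blocks}

def describe_principal(qualifier, xid_to_sid, sid_to_name):
    """Label a numeric xid the way `wbinfo --uid-to-sid` / `--sid-to-name` would on the DC."""
    sid = xid_to_sid.get(qualifier)
    return f"{qualifier} ({sid_to_name.get(sid, sid)})" if sid else qualifier

def find_acl_drift(expected, dump, directories, xid_to_sid, sid_to_name):
    """Return sorted findings for every path whose ACL differs from the baseline
    (default entries exist only on directories, so they are checked only there)."""
    findings = []
    for path, actual in sorted(dump.items()):
        want = {k: v for k, v in expected.items() if not k[0] or path in directories}
        for key in sorted(want.keys() | actual.keys()):
            label = ("default:" if key[0] else "") + key[1] + ":" + \
                    describe_principal(key[2], xid_to_sid, sid_to_name)
            exp, got = want.get(key), actual.get(key)
            if exp != got:
                findings.append(f"{path}: {label} is {got or 'missing'}, expected {exp or 'absent'}")
    return findings

# Baseline: the entries of default-rights-sysvol.acl from the thread.
BASELINE_TEXT = r"""user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""
EXPECTED_RIGHTS = parse_acl_entries(BASELINE_TEXT.splitlines())

# xid -> SID mapping from the wbinfo output quoted in the thread.  idmap.ldb allocates
# xids first come first served, so on another DC resolve them with wbinfo instead.
XID_TO_SID = {"3000002": "S-1-5-18", "3000003": "S-1-5-11"}
SID_TO_NAME = {"S-1-5-18": r"NT AUTHORITY\SYSTEM", "S-1-5-11": r"NT AUTHORITY\Authenticated Users"}

def build_sample_dump():
    """Constructed `getfacl -R sysvol/` output: the domain directory is intact; a policy
    directory (placeholder GUID) lost both Authenticated Users entries and has a tightened
    mask, which getfacl marks on the affected entries with an '#effective:' note."""
    drifted = (BASELINE_TEXT.replace("user:3000003:r-x\n", "", 1)
               .replace("group:3000003:r-x\n", "", 1)
               .replace("mask::rwx\n", "mask::r-x\n", 1)
               .replace("user:3000002:rwx\n", "user:3000002:rwx\t#effective:r-x\n", 1))
    return ("# file: sysvol/intern.domain.tld\n" + BASELINE_TEXT
            + "# file: sysvol/intern.domain.tld/Policies/{EXAMPLE-GPO-GUID}\n" + drifted)

def check_sample():
    """Report drift in the constructed dump; every path in it is a directory."""
    dump = parse_getfacl_dump(build_sample_dump())
    return find_acl_drift(EXPECTED_RIGHTS, dump, set(dump), XID_TO_SID, SID_TO_NAME)
```

On a real DC you would feed `getfacl -R sysvol/` output (run from /var/lib/samba, as the script in the thread expects) into `parse_getfacl_dump` and pass the set of directories from `find sysvol -type d`; the numeric entries are compared as-is, so the mapping only affects how findings are labelled, never what counts as drift. Rowland's point about idmap.ldb is why the mapping is a parameter rather than a constant: the same xid can belong to a different principal on each DC.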


