[Samba] sysvolreset doesn't reset all ACLs
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 25 08:49:26 UTC 2017
Hai,
Can you post your smb.conf of the DC.
Lets have a checkup.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sven
> Schwedas via samba
> Verzonden: vrijdag 25 augustus 2017 10:32
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] sysvolreset doesn't reset all ACLs
>
> > root at graz-dc-sem.ad.tao.at# wbinfo --sid-to-name=S-1-5-11 failed to
> > call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup sid
> > S-1-5-11
>
> So how fucked is my domain?
>
> On 2017-08-25 08:09, L.P.H. van Belle via samba wrote:
> > Ah, yes, oeps sorry, and i did run out of the office
> yesterday, so didnt see this..
> >
> > 3000002:rwx
> > 3000003:r-x
> >
> > wbinfo --uid-to-sid=3000003
> > S-1-5-11
> > wbinfo --uid-to-sid=3000002
> > S-1-5-18
> >
> > wbinfo --sid-to-name=S-1-5-11
> > NT AUTHORITY\Authenticated Users 5
> >
> > wbinfo --sid-to-name=S-1-5-18
> > NT AUTHORITY\SYSTEM 5
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sven
> >> Schwedas via samba
> >> Verzonden: donderdag 24 augustus 2017 17:00
> >> Aan: samba at lists.samba.org
> >> Onderwerp: Re: [Samba] sysvolreset doesn't reset all ACLs
> >>
> >> On 2017-08-24 16:37, L.P.H. van Belle via samba wrote:
> >>> Ok, rechecked this, your correct. This did work fine.
> >>>
> >>> In now at samba 4.6.7, you?
> >>
> >> 4.5.8 still, but I guess updating won't help?
> >>
> >>> This worked untill ( last i checked ) 4.6.5 :-(( now
> >> sysvolreset is
> >>> totaly broken. :-(( New thing for my ToDo list..
> >>>
> >>>
> >>> Try this script, the rights are my defaults "after a
> sysvol reset"
> >>> Place the script somewhere within /var/lib/samba Preffered that
> >>> location .
> >>> Run it with : bash script.sh sysvol/ ! Check the group
> numbers and
> >>> make sure you match yours.
> >>
> >> Which groups are 3000002 and 3000003 supposed to be?
> >>
> >>> Then at least your rights are correct again.
> >>> After this, goto you gpo manager, klik ever gpo, you get a
> >> message, klik ok.
> >>>
> >>> Greetz,
> >>> Louis
> >>>
> >>>
> >>> ## SCRIPT
> >>> #!/bin/bash
> >>>
> >>> #
> >>> # backup rights. recursive
> >>> #getfacl -R /var/www > permissions.acl
> >>>
> >>> # restore rights
> >>> #setfacl --restore=permissions.acl
> >>>
> >>> # mkdir -m 700 Manager
> >>> # setfacl -m d:g:manager:rwx,g:manager:rwx Manager
> >>>
> >>> # copy the acl
> >>> #getfacl basefile | setfacl -b -M - targetfile
> >>>
> >>> # other examples:
> >>> # http://www.calculate-linux.org/main/en/setting_filesystem_acl
> >>>
> >>> RIGHTSFILE="default-rights-sysvol.acl"
> >>>
> >>> cat << EOF > ${RIGHTSFILE}
> >>> # file: sysvol
> >>> # owner: root
> >>> # group: BUILTIN\134administrators
> >>> user::rwx
> >>> user:root:rwx
> >>> user:BUILTIN\134administrators:rwx
> >>> user:BUILTIN\134server\040operators:r-x
> >>> user:3000002:rwx
> >>> user:3000003:r-x
> >>> group::rwx
> >>> group:BUILTIN\134administrators:rwx
> >>> group:BUILTIN\134server\040operators:r-x
> >>> group:3000002:rwx
> >>> group:3000003:r-x
> >>> mask::rwx
> >>> other::---
> >>> default:user::rwx
> >>> default:user:root:rwx
> >>> default:user:BUILTIN\134administrators:rwx
> >>> default:user:BUILTIN\134server\040operators:r-x
> >>> default:user:3000002:rwx
> >>> default:user:3000003:r-x
> >>> default:group::---
> >>> default:group:BUILTIN\134administrators:rwx
> >>> default:group:BUILTIN\134server\040operators:r-x
> >>> default:group:3000002:rwx
> >>> default:group:3000003:r-x
> >>> default:mask::rwx
> >>> default:other::---
> >>> EOF
> >>>
> >>> if [ -z $1 ]; then
> >>> echo "You need do assign the folder to set the default
> >> rights to"
> >>> echo "We dont set the rights recursive! that can mess
> >> up current websites.."
> >>> echo "exiting now .. "
> >>> fi
> >>>
> >>> if [ $(echo ${1} | egrep
> >> "/bin|/boot|/dev|/etc|/home|/lib|/lib64|/media|/mnt|/opt|/proc
> >> |/root|/run|/sbin|/srv|/sys|/tmp|/usr|/var" | wc -l ) -gt 0 ]; then
> >>> echo "Warning, detected un safe change, exiting now. "
> >>> exit 1
> >>> fi
> >>>
> >>> if [ ! -d $1 ]; then
> >>> echo "Error, directory does not exist, exiting now."
> >>> exit 1
> >>> else
> >>> setfacl -R -b --modify-file $RIGHTSFILE $1
> >>> setfacl -R -m default:user:root:rwx $1
> >>> setfacl -R -m
> >> default:group:"BUILTIN\134administrators":rwx $1 fi
> >>>
> >>> ## SCRIPT END
> >>>
> >>>
> >>>
> >>>> -----Oorspronkelijk bericht-----
> >>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sven
> >>>> Schwedas via samba
> >>>> Verzonden: donderdag 24 augustus 2017 15:53
> >>>> Aan: samba at lists.samba.org
> >>>> Onderwerp: Re: [Samba] sysvolreset doesn't reset all ACLs
> >>>>
> >>>> On 2017-08-24 15:13, L.P.H. van Belle via samba wrote:
> >>>>> Hai,
> >>>>>
> >>>>> To recover from that problem, read :
> >>>>> The "Why" i setup like this.
> >>>>>
> >>>>
> >>
> http://lists-archives.com/samba/106301-can-t-create-update-group-poli
> >>>> c
> >>>>> y-in-samba-4-6-5.html
> >>>>>
> >>>>> And howto fix.
> >>>>>
> >>>>
> >>
> http://lists-archives.com/samba/106333-can-t-create-update-group-poli
> >>>> c
> >>>>> y-in-samba-4-6-5.html
> >>>>> Note on this last link, the part.:
> >>>>
> >>>> Okay, I set up `acl_xattr:ignore system acls = yes` and
> >> restarted the
> >>>> DC.
> >>>>
> >>>>> A good tip to restore the defaults with samba-tool
> >> without errors.
> >>>>>
> >>>>> move you domain folder out of the /var/lib/samba/sysvol folder.
> >>>>> mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
> >>>>> mkdir /var/lib/samba/sysvol/intern.domain.tld
> >>>> <<<<<<<<<< you must have an empty folder for the next command.
> >>>>> And run samba-tool ntacl sysvolreset
> >>>> ?and did that.
> >>>>
> >>>> Alas:
> >>>>
> >>>>> root at graz-dc-1b:/var/lib/samba# ls -l
> >>>> /var/lib/samba/sysvol/ad.tao.at/
> >>>>> total 0
> >>>>> root at graz-dc-1b:/var/lib/samba# samba-tool ntacl sysvolreset
> >>>>> open: error=2 (No such file or directory)
> >>>>> ERROR(runtime): uncaught exception - (-1073741823,
> >>>> 'Undetermined error')
> >>>>> File
> >>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> >>>> line 176, in _run
> >>>>> return self.run(*args, **kwargs)
> >>>>> File
> >>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py",
> >>>> line 239, in run
> >>>>> lp, use_ntvfs=use_ntvfs)
> >>>>> File
> >>>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py"
> >>>> , line 1609, in setsysvolacl
> >>>>> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn,
> >>>> samdb, lp, use_ntvfs, passdb=s4_passdb)
> >>>>> File
> >>>> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py"
> >>>> , line 1502, in set_gpos_acl
> >>>>> use_ntvfs=use_ntvfs, skip_invalid_chown=True,
> >>>> passdb=passdb, service=SYSVOL_SERVICE)
> >>>>> File "/usr/lib/python2.7/dist-packages/samba/ntacls.py",
> >>>> line 162, in setntacl
> >>>>> smbd.set_nt_acl(file, security.SECINFO_OWNER |
> >>>> security.SECINFO_GROUP | security.SECINFO_DACL |
> >>>> security.SECINFO_SACL, sd, service=service)
> >>>>
> >>>> Would've been too easy, wouldn't it?
> >>>>
> >>>>> ----
> >>>>>
> >>>>>
> >>>>> Good luck, if you need more help, you know where to find
> >> us. ;-) (
> >>>>> ps, when its all done, DONT run samba-tool ntacl
> >>>> sysvolreset again, never ever )
> >>>>> Until this bug is fixed.
> >>>>>
> >>>>> ( more GPO tips, google:
> >>>> https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&sour
> >>> ce=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu->
> >>> O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 )
> >>>>>
> >>>>>
> >>>>>
> >>>>> Greetz,
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>> -----Oorspronkelijk bericht-----
> >>>>>> Van: samba [mailto:samba-bounces at lists.samba.org]
> Namens Rowland
> >>>>>> Penny via samba
> >>>>>> Verzonden: donderdag 24 augustus 2017 14:42
> >>>>>> Aan: samba at lists.samba.org
> >>>>>> Onderwerp: Re: [Samba] sysvolreset doesn't reset all ACLs
> >>>>>>
> >>>>>> On Thu, 24 Aug 2017 14:15:53 +0200 Sven Schwedas via samba
> >>>>>> <samba at lists.samba.org> wrote:
> >>>>>>
> >>>>>>> On 2017-08-24 13:00, Rowland Penny via samba wrote:
> >>>>>>>> On Thu, 24 Aug 2017 12:41:36 +0200 Sven Schwedas via samba
> >>>>>>>> <samba at lists.samba.org> wrote:
> >>>>>>>>
> >>>>>>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> >>>>>>>>>> On Thu, 24 Aug 2017 12:03:42 +0200 Sven Schwedas via samba
> >>>>>>>>>> <samba at lists.samba.org> wrote:
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> Where does the error come from, and why doesn't
> >>>>>> sysvolreset fix
> >>>>>>>>>>> it?
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Mainly because (from my testing)
> sysvolcheck/sysvolreset is
> >>>>>>>>>> broken. I do not write 'C' code and the problem
> >> seems to be in
> >>>>>>>>>> set_nt_acl from source3/smbd/posix_acls.c It
> doesn't set the
> >>>>>>>>>> correct ACL.
> >>>>>>>>>>
> >>>>>>>>>> I have opened a bug for this:
> >>>>>>>>>>
> >>>>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12924
> >>>>>>>>>
> >>>>>>>>> Ah, crap.
> >>>>>>>>
> >>>>>>>> I actually used worse words when I found out why I
> >>>>>> couldn't get my
> >>>>>>>> work on the python code to work. ;-)
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>>> Even when this gets fixed, the python code will need
> >>>>>> work, because
> >>>>>>>>>> it doesn't do what windows does, also anybody who
> has set a
> >>>>>>>>>> gidNumber on Domain Admins, will need to remove it,
> >> the group
> >>>>>>>>>> needs to own things in sysvol and with a gidNumber
> it cannot.
> >>>>>>>>>
> >>>>>>>>> Does this apply only to sysvolreset or also when fixing
> >>>>>> ACLs from
> >>>>>>>>> Windows?
> >>>>>>>>
> >>>>>>>> On a Samba AD DC, 'Domain Admins' is mapped to
> >> 'ID_TYPE_BOTH' in
> >>>>>>>> idmap.ldb, this makes it able to own files and dirs in
> >>>>>> sysvol. The
> >>>>>>>> moment you give 'Domain Admins' a gidNumber, you break
> >>>>>> this mapping
> >>>>>>>> and the group becomes just a group and cannot own
> >>>>>> anything on a Unix
> >>>>>>>> machine, so my recommendation is to not give the group a
> >>>>>> gidNumber,
> >>>>>>>> create another group 'Unix Admins' ? give this group a
> >>>>>> gidNumber and
> >>>>>>>> make this group a member of 'Domain Admins'
> >>>>>>>
> >>>>>>> Does removing the gidNumber retroactively allow it to work?
> >>>>>>>
> >>>>>>> (That is, once I figured out how to reset the ACLs from within
> >>>>>>> Windows.)
> >>>>>>>
> >>>>>>
> >>>>>> It should, idmap.ldb works on a first come basis, so the
> >> next time
> >>>>>> Domain Admins connects it should get issued with a
> >>>> new xidNumber.
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL
> >> and read the
> >>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>> --
> >>>> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas,
> >>>> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype
> >>>> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz
> >>>> https://www.tao-digital.at | Tel +43 680 301 7167
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL
> and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >>>
> >>>
> >>
> >> --
> >> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas,
> >> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype
> >> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz
> >> https://www.tao-digital.at | Tel +43 680 301 7167
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
> >
>
> --
> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas,
> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype
> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz
> https://www.tao-digital.at | Tel +43 680 301 7167
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list