[Samba] Fixing sysvol permissions

L.P.H. van Belle belle at bazuin.nl
Wed Jun 20 10:05:13 UTC 2018


As said, very busy, but I can spare a few minutes now.


-rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
-rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
-rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
-rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
-rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
-rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
-rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI


Now this is... not correct...

There is only one I think is correct, based on what you show:
-rwxrwx---+ 1 3000008 HPRS\domain admins, but for that you need to show the getfacl output.

 
Ok, do the following.
1) Reset the sysvol rights with my script and reapply them to all folders recursively.
Start here: /var/lib/samba/sysvol

Now, add to your sysvol: acl_xattr:ignore system acls = yes
Restart Samba.

Go to the share rights and check/reapply them.
Go to the folder rights and reapply them recursively.
Go to your GPO tools and click on every GPO, one by one; you might see a warning about incorrect rights, that is correct.
Let Windows do this, that is ok.

Review the linked policies and, if needed, correct the GPOs if you use groups to apply specific settings.

Whenever you change settings in the sysvol share, you might need to repeat the above steps.
This will fix it; if not, then there is another problem I have not seen yet.

But the current rights layout from above is not ok, and use getfacl or setfacl, NOT chmod/chown.
Using chmod/chown in sysvol after setting ignore system acls = yes might open a problem again;
then repeat the above steps again.



Greetz, 
 
Louis
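As an added example (not Louis's script and not part of the original mail), a Python pass over the listing quoted above that flags the conditions he calls out: no stored ACL (the missing '+', i.e. rights set with chmod/chown instead of setfacl), a local group instead of the domain group he accepted, and world-writable policy files. The expected group name and the listing format (ISO date and time, as in GNU `ls -l --time-style=long-iso` or `full-iso`) are assumptions.

```python
import re
# One line of a long listing in the format quoted in the thread. The group name
# may contain spaces ("HPRS\domain admins"), so it is matched non-greedily up to
# the numeric size and ISO date that follow it; full-iso fractions/zone are optional.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9}\+?)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>.+?)"
    r"\s+(?P<size>\d+)\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}(?::\d{2})?(?:\.\d+)?"
    r"(?:\s+[+-]\d{4})?\s+(?P<path>.+)$"
)

# Assumption: the only group Louis accepted as correct in his reply.
EXPECTED_GROUP = "domain admins"

def audit_line(line):
    """Return (path, findings) for one listing line; empty findings = looks sane."""
    m = LS_LINE.match(line.strip())
    if not m:
        return line.strip(), ["unparseable line"]
    mode, group = m["mode"], m["group"]
    findings = []
    if not mode.endswith("+"):  # no ACL stored: set with chmod/chown, not setfacl
        findings.append("no extended ACL (missing '+')")
    if EXPECTED_GROUP not in group.lower():
        findings.append(f"group '{group}' is not the expected domain group")
    if mode[8] == "w":  # others-writable: any local account can edit the file
        findings.append("world-writable")
    return m["path"], findings

def audit_listing(text):
    """Map path -> findings for every line that has at least one finding."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            path, findings = audit_line(line)
            if findings:
                report[path] = findings
    return report

# Constructed sample: the seven lines quoted in the reply above.
SAMPLE = r"""-rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
-rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
-rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
-rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
-rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
-rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
-rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI"""
if __name__ == "__main__":
    for path, findings in audit_listing(SAMPLE).items():
        print(path, "->", "; ".join(findings))
```

Only the last line (the one Louis accepted) produces no finding; the script is a check, it changes nothing, so fixes still go through setfacl as he describes.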


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark
> Foley via samba
> Sent: Tuesday 19 June 2018 18:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] Fixing sysvol permissions
>
> Given no responses on this question for a few days, I'm
> concluding that we're out of ideas on
> this problem.  Let me propose a couple of ideas.  Apparently,
> the basic Windows FOLDER and
> SHARE permissions are correct according to Louis'
> recommendations (see message below).  One
> thing I've noticed that is a bit puzzling is the group
> ownership of these policy files:
>
> -rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55
> /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-
> BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
> -rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22
> /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-
> BC45-8B06353CAA7C}/GPT.INI
> -rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44
> /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-
> 9D32-28400BE61028}/GPT.INI
> -rwxrwxrwx 1 root root 199 2015-05-21 14:42:59
> /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-
> 9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
> -rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16
> /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-
> 9D32-28400BE61028}/Machine/Scripts/scripts.ini
> -rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23
> /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-
> 9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
> -rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23
> 16:03:46
> /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-
> 945F-00C04FB984F9}/GPT.INI
>
> They are variously owned by groups "domusers" (10000),
> "users" (100), root (only the one
> shown), and "HPRS/domain admins" (3000008).  The vast
> majority of these files belong to group
> 'users' including the specific files that are giving me the
> 'Access denied' Windows event.
> 'users' is one of the ubiquitous default groups created when
> Linux is installed.  I believe
> it's also the default group when 'adduser' is run to add a
> user.  Almost all of these files
> belonging to group 'users' have rwxrwx--- permissions (no
> extended attributes).
>
> Could this be a problem? Should these files belong to some
> other group? The users themselves
> belong to 'domusers' (10000) which is the group assigned to
> all domain users.  Perhaps higher
> level extended attributes are supposed to handle access, but
> I don't see how a user belonging
> to group 'domusers' can read any of these files belonging to
> group 'users' (except possibly
> that first one listed having o+rx and extended attributes). 
> Should I change all these group
> 'users' to group 'domusers'?
>
> Thought 2: If I shouldn't do that, or that doesn't help
> should I try setting 'acl_xattr:ignore
> system acls = yes'?
>
> --Mark
>
> -----Original Message-----
> Date: Mon, 18 Jun 2018 12:34:12 -0400
> To: samba at lists.samba.org
> Subject: Re: [Samba] Fixing sysvol permissions
> From: Mark Foley via samba <samba at lists.samba.org>
>
> On Fri, 15 Jun 2018 12:32:52 +0200 L.P.H. van Belle wrote:
> >
> > > OK, Everyone is currently set to FULL CONTROL. I'll set
> that to READ.
> >
> > Ai, now... Nobody can write over the share, PCs will complain.
> > Some GPO setting will stop working.
>
> But, when I ran your samba-check-set-sysvol.sh script it told
> me to set EVERYONE: READ. See
> below:
>
> > > $ ./samba-check-set-sysvol.sh
> > > Review the file : default-rights-sysvol.acl, these contains
> > > the defaults for sysvol.
> > > The sysvol ACLS info.....
> > >
> > > Please check your share rights for sysvol from within windows.
> > > If these are incorrect, correct them and run this script again.
> > > Set your sysvol SHARE permissions as followed.
> > > EVERYONE: READ              <----------------------------------
> > > Authenticated Users: FULL CONTROL
> > > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > > User/Group system is added compaired to a win2008R2 sysvol,
> > > you need this for some GPO
> > > settings.
> > >
> > > Set your sysvol FOLDER permissions as followed.
> > > Authenticated Users: Read & Exec, Show folder content, Read
> > > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>
> Perhaps I'm confusing Folder permissions and Share permissions.
>
> > Look here, and setup like that.
> >
> https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th
>
> Problem: On that link, step 2 "Check whether the Listobject
> permission is set for the
> Authenticated Users group and whether the Authenticated Users
> group is missing from the
> Delegation tab of the Group Policy Object."  When I edit
> 'Authenticated Users', I don't have
> that "Default Domain Controllers Policy" dialog. Or if I do,
> that link doesn't tell me how to
> get there.
>
> Let me list everything I've got:
>
> sysvol FOLDER Permissions:
>
> CREATOR OWNER
> special
> (Advanced) Subfolders and files only
> Full Control - everything is checked)
> (apply these permissions to objects and/or containers ... not checked)
>
> CREATOR GROUP Subfolders and files only
> special
> (Advanced) Subfolders and files only
> Traverse folder / execute file
> List folder / read data
> Read attributes
> Read extended attributes
> Read permissions
> (apply these permissions to objects and/or containers ... not checked)
>
> Authenticated Users
> Read & Execute
> List folder contents
> Read
> (Advanced) This folder, Subfolders and files
> Traverse folder / execute file
> List folder / read data
> Read attributes
> Read extended attributes
> Read permissions
> (apply these permissions to objects and/or containers ... not checked)
>
> SYSTEM
> Full control
> (advanced) This folder, subfolders and files
> full control - everything is checked
> (apply these permissions to objects and/or containers ... not checked)
>
> Administrators (HPRS\Administrators)
> Full control
> (advanced) This folder, subfolders and files
> full control - everything is checked
> (apply these permissions to objects and/or containers ... not checked)
>
> sysvol SHARE Permissions:
>
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> HPRS\Administrators: FULL CONTROL
> SYSTEM, FULL CONTROL
>
> Does this look correct? Is this what you have?
>
> Nevertheless, when I try to log into a workstation as a
> domain user I still do not get that
> user's desktop. In the Windows eventlog Windows Logs >
> System, I get Event 1906 error,
> GroupPolicy:
>
> Error Description: Access is denied.
> GPOCName:
> LDAP://CN=User,cn={178C3418-E432-414A-9185-DCD1AB359A3B},cn=policies,cn=system,DC=hprs,DC=local
> FilePath:
> \\hprs.local\SysVol\hprs.local\Policies\{178C3418-E432-414A-9185-DCD1AB359A3B}\User\registry.pol
>
> This is driving me crazy!
>
> --Mark
>