[Samba] sysvolcheck and sysvolreset errors

Rowland penny rpenny at samba.org
Tue May 19 21:12:36 UTC 2020


On 19/05/2020 21:29, Roy Eastwood wrote:
>> You could try using a script Louis wrote, see here:
>> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
>>
>> The 'idmap config' lines are nothing to worry about, you cannot set them on a DC, but, for some reason, testparm etc. warns about
>> them.
>>
>> Rowland
>>
> Sorry, I should have said - I ran Louis' script and set the ACLs according to the output. The script also produced a file called
> default-rights-sysvol-acl which contains:
> # file: /var/lib/samba/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000027:r-x
> user:3000023:rwx
> user:3000009:r-x
> group::rwx
> group:3000000:rwx
> group:3000027:r-x
> group:3000023:rwx
> group:3000009:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000027:r-x
> default:user:3000023:rwx
> default:user:3000009:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000027:r-x
> default:group:3000023:rwx
> default:group:3000009:r-x
> default:mask::rwx
> default:other::---
>
> After I had set the ACLs and run the Group Policy Management tool from Windows (which suggested that the ACLs were not correct and
> offered to correct them by clicking OK), getfacl /var/lib/samba/sysvol produces this:
> # file: var/lib/samba/sysvol
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:BUILTIN\\administrators:rwx
> user:NT\040AUTHORITY\\authenticated\040users:r-x
> user:NT\040AUTHORITY\\system:rwx
> user:BUILTIN\\server\040operators:r-x
> group::rwx
> group:BUILTIN\\administrators:rwx
> group:NT\040AUTHORITY\\authenticated\040users:r-x
> group:NT\040AUTHORITY\\system:rwx
> group:BUILTIN\\server\040operators:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\\administrators:rwx
> default:user:NT\040AUTHORITY\\authenticated\040users:r-x
> default:user:NT\040AUTHORITY\\system:rwx
> default:user:BUILTIN\\server\040operators:r-x
> default:group::---
> default:group:BUILTIN\\administrators:rwx
> default:group:NT\040AUTHORITY\\authenticated\040users:r-x
> default:group:NT\040AUTHORITY\\system:rwx
> default:group:BUILTIN\\server\040operators:r-x
> default:mask::rwx
> default:other::---
>
> If I run wbinfo to convert the GIDs to names, the two getfacl lists are essentially the same.
>
> When I run samba-tool gpo aclcheck -Uadministrator, I get:
> Password for [MICROLYNX\administrator]:
> ERROR: Invalid GPO ACL
> O:LAG:S-1-22-2-0D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;;;;WD)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)
> on path (microlynx.org\Policies\{CA8E6F15-335B-4BA1-BDD3-7FE7B6780946}), should be
> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> Any other ideas?
>
> Thanks Rowland.
>
> Roy
>
Yes, there are three places where permissions are stored on sysvol (four 
if you count AD): the standard Linux permissions 'ugo', POSIX ACLs as 
shown by getfacl, and an EA (this is where the ACLs are stored when set 
from Windows).

Try running 'samba-tool ntacl get /var/lib/samba/sysvol --as-sddl'; it 
should produce something similar to this:

O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

Try checking using that, but you will have to do it file by file, etc.

I personally would set the permissions from Windows and ignore 
sysvolcheck/reset. Also ensure that Domain Admins does not have a 
gidNumber if you are using the RFC2307 attributes.

Rowland
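To do the file-by-file comparison Rowland describes, here is an added example script (mine, not code from this thread, from Samba, or from Louis' script). It parses the SDDL that 'samba-tool ntacl get PATH --as-sddl' prints and compares owner, group, DACL control flags and the set of ACEs against a reference string, listing exactly what is missing or unexpected. The reference strings are the ones quoted in this thread: Rowland's sysvol-root sample (which he calls "something similar", so treat it as an assumption for your own domain) and the per-GPO SDDL that 'samba-tool gpo aclcheck' printed as "should be". The sysvol path, the <domain>/Policies/* layout and the --demo/--check option names are my assumptions; --check needs samba-tool on the PATH and root on the DC, while --demo runs offline on the two strings from the thread.

```shell
#!/bin/sh
# Compare the NT ACL that Samba stores in the security.NTACL xattr (what
# 'samba-tool ntacl get PATH --as-sddl' prints) against a reference SDDL
# string, one path at a time, and report exactly what differs.
# Added example for this thread; not part of Samba or of Louis' script.
set -u
export LC_ALL=C   # stable sort order for the ACE set comparison

# Reference SDDL strings quoted in the thread: the sysvol root ACL Rowland
# posted (assumed; adjust for your domain) and the per-GPO ACL that
# 'samba-tool gpo aclcheck' said it "should be".
SYSVOL_ROOT_REF='O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)'
GPO_REF='O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)'
# The ACL aclcheck actually found on Roy's GPO directory (wrapped lines rejoined).
THREAD_BAD_ACL='O:LAG:S-1-22-2-0D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;;;;WD)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)'

# SDDL layout: O:<owner>G:<group>D:<flags>(ace)(ace)...[S:<sacl>]
# Owner and group are SID strings or two-letter aliases; neither contains ':'.
sddl_owner()      { printf '%s\n' "$1" | sed -n 's/^O:\([^:]*\)G:.*/\1/p'; }
sddl_group()      { printf '%s\n' "$1" | sed -n 's/^O:[^:]*G:\([^:]*\)D:.*/\1/p'; }
sddl_dacl_flags() { printf '%s\n' "$1" | sed -n 's/^O:[^:]*G:[^:]*D:\([^(]*\).*/\1/p'; }

# DACL ACEs, one per line without parentheses, sorted and de-duplicated so
# two DACLs can be compared as sets (every ACE in these references is an
# allow ACE, so ordering does not change the effective permissions).
sddl_aces() {
    printf '%s\n' "$1" | sed -n 's/^O:[^:]*G:[^:]*D:[^(]*//p' | sed 's/S:.*//' \
        | tr '(' '\n' | sed -e '/^$/d' -e 's/)$//' | sort -u
}

# sddl_diff EXPECTED ACTUAL: print every mismatch; return 0 only if owner,
# group, DACL flags and the ACE set all agree.
sddl_diff() {
    _rc=0
    for _field in owner group dacl_flags; do
        _exp=$(sddl_$_field "$1"); _got=$(sddl_$_field "$2")
        if [ "$_exp" != "$_got" ]; then
            printf '%s: expected "%s", got "%s"\n' "$_field" "$_exp" "$_got"
            _rc=1
        fi
    done
    _missing=$(sddl_aces "$1" | while IFS= read -r _ace; do
        sddl_aces "$2" | grep -qxF -- "$_ace" || printf '%s\n' "$_ace"
    done)
    _extra=$(sddl_aces "$2" | while IFS= read -r _ace; do
        sddl_aces "$1" | grep -qxF -- "$_ace" || printf '%s\n' "$_ace"
    done)
    [ -z "$_missing" ] || { printf 'missing ACEs:\n%s\n' "$_missing"; _rc=1; }
    [ -z "$_extra" ]   || { printf 'unexpected ACEs:\n%s\n' "$_extra"; _rc=1; }
    return $_rc
}

# ntacl_check PATH EXPECTED: read the stored NT ACL with samba-tool (needs
# root on the DC) and compare it. Returns 2 if samba-tool is unavailable.
ntacl_check() {
    command -v samba-tool >/dev/null 2>&1 || { echo 'samba-tool not found' >&2; return 2; }
    _stored=$(samba-tool ntacl get "$1" --as-sddl) || return 2
    printf '== %s\n' "$1"
    sddl_diff "$2" "$_stored"
}

# check_sysvol [ROOT]: share root against the root reference, each GPO
# directory under <domain>/Policies against the GPO reference (the path
# aclcheck reported; files below a GPO carry their own ACLs and are not
# compared here).
check_sysvol() {
    _root=${1:-/var/lib/samba/sysvol}
    _bad=0
    ntacl_check "$_root" "$SYSVOL_ROOT_REF" || _bad=1
    for _gpo in "$_root"/*/Policies/*/; do
        [ -d "$_gpo" ] || continue
        ntacl_check "${_gpo%/}" "$GPO_REF" || _bad=1
    done
    return $_bad
}

# Usage:  sh check-ntacl.sh --demo            (offline, uses the thread's strings)
#         sh check-ntacl.sh --check [SYSVOL]  (on the DC, as root)
case "${1-}" in
    --demo)  sddl_diff "$SYSVOL_ROOT_REF" "$THREAD_BAD_ACL" ;;
    --check) check_sysvol "${2-}" ;;
esac
```

Run with --demo and it reports what aclcheck only hinted at: the group is the Unix group S-1-22-2-0 instead of BA, the DACL is missing the P (protected) flag, and six ACEs are present that the reference does not have, including the empty-mask entries for WD and CG. The set comparison is deliberately order-insensitive because every ACE involved is an allow ACE; if you ever compare DACLs containing deny ACEs, order matters and a straight string comparison is the safer check.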




