[Samba] GPO fail and sysvol perm errors

L. van Belle belle at samba.org
Mon Oct 26 10:45:29 UTC 2020


> It's needed after every GPO addition and edit. There must be a root
> cause to hunt down somewhere. Or is it a bug in 4.13.0 ?
Yes, and no.

Yes, it's a bug.
No, in my opinion it's an old setting that just needs some updating.


Try this.
samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)" /var/lib/samba/sysvol/$(hostname -d)/Policies/

Now create a new policy. Are the rights ok? Yes.
Then fix/verify the share and security rights on sysvol again.

No... Uhh... That's not what I'm expecting... ;-)

After you have corrected the share and security rights,
DON'T use sysvolreset anymore.

These are my outputs.
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/Policies/
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)

getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/my.domain.tld/Policies/
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
user:ADDOM\\group\040policy\040creator\040owners:rwx
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
group:ADDOM\\group\040policy\040creator\040owners:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:user:ADDOM\\group\040policy\040creator\040owners:rwx
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:group:ADDOM\\group\040policy\040creator\040owners:rwx
default:mask::rwx
default:other::---


Do you also have/see:
default:group:ADDOM\\group\040policy\040creator\040owners:rwx 
And are the needed users in there? 


Now my tip here is:
1) before you reset any rights, run:

mkdir ~/before && cd ~/before
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/ > sysvol.sddl
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/Policies/ > sysvol.dom.Policies.sddl
getfacl /var/lib/samba/sysvol/ > sysvol.facl
getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/ > sysvol.dom.Policies.facl


How does it look in Windows, under Advanced rights settings?

2) after you reset the rights, rerun the above:
mkdir ~/after && cd ~/after
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/ > sysvol.sddl
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/Policies/ > sysvol.dom.Policies.sddl
getfacl /var/lib/samba/sysvol/ > sysvol.facl
getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/ > sysvol.dom.Policies.facl

And how does it look in Windows, under Advanced rights settings, now?


So, a few things to get past your problems.
Small side note: you might need to remove all ACLs and extended attributes
first and reapply it all.

I'm saying this because, after my fileservers move, I restored some files
from backups.
The old UID/GID were restored also.

A part of a new script I have, showing how I reset all folders and files.
It focuses on a user homedir here, but it shows what I did.
There might be a faster/better way for it, but this worked for me.
You might want/need to transform that to the sysvol folders.

FindUser is the username found by the script.
SAMBA_SHARE_USERS is the path to the users share (in this case it's
/srv/samba/users).


            # Excerpt from a larger script: FindUser and SAMBA_SHARE_USERS are set
            # earlier (see above); NAME2SID holds the SID of ${FindUser}, resolved
            # earlier in the script and not shown in this excerpt.

            # Remove old ACLs.
            echo "Removing old ACLs for: ${FindUser}"
            setfacl --recursive --remove-all "${SAMBA_SHARE_USERS}/${FindUser}"

            # Make sure we removed Other (everyone) from all files and folders.
            echo "Recursively removing access for other (everyone) for: ${FindUser}"
            chmod -R o-rwx "${SAMBA_SHARE_USERS}/${FindUser}/"

            # Set basic POSIX rights.
            # Set all owner rights to root:root (= Administrator:Domain Admins).
            # Without it, migrated files might still have their old UID/GIDs on them.
            echo "Re-apply root:root on the user homedir (recursively) for: ${FindUser}"
            chown -R root:root "${SAMBA_SHARE_USERS}/${FindUser}"

            # We set the user files and subfolders like how that SDDL is set up.
            echo "Re-apply ${FindUser}:domain users on CONTENT IN the user homedir for: ${FindUser}"
            chown -R "${FindUser}":"domain users" "${SAMBA_SHARE_USERS}/${FindUser}/"

            # Restore owner:group defaults.
            echo "Recursively re-applying rights 770 access for: ${FindUser}"
            chmod -R 770 "${SAMBA_SHARE_USERS}/${FindUser}/"

            # Set the correct rights on the folder.
            echo "Re-apply SDDL with samba-tool for user: ${FindUser}"
            samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;${NAME2SID})(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)" "${SAMBA_SHARE_USERS}/${FindUser}"

            # But we can not set recursively with samba-tool (as far as I found),
            # so we use setfacl.
            echo "Recursively re-apply with setfacl, enforcing user defaults for user: ${FindUser}"
            setfacl --recursive --modify user:"${FindUser}":rwX,default:user:"${FindUser}":rwX "${SAMBA_SHARE_USERS}/${FindUser}/"

Small side note on the above part.
ls -al /srv/samba/users/*   will show, for all users:
drwxrwx---+ 14 root root  4096 Oct  9 10:03 anyuser
Which is:

getfacl /home/users/anyuser
getfacl: Removing leading '/' from absolute path names
# file: home/users/anyuser
# owner: root
# group: root
user::rwx
user:root:rwx
user:anyuser:rwx
group::r-x
group:root:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:anyuser:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

Resulting in: users see and can only access their own folder.
Any new file/folder created IN the user's folder gets rights:
username:"domain users"
You need the users as owner on new folders if you use GPOs and folder
redirection to the user homedir.

Enjoy, you have something to do today. ;-)


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Sonic via samba
> Sent: Sunday 25 October 2020 21:59
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] GPO fail and sysvol perm errors
> 
> On Sun, Oct 25, 2020 at 4:41 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
> > it's a bit like 'whack-a-mole', just keep running sysvolreset :-D
> 
> It's needed after every GPO addition and edit. There must be a root
> cause to hunt down somewhere. Or is it a bug in 4.13.0 ?
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
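Louis asks whether the Policies/ ACL carries the Group Policy Creator Owners entry, and his tip is to capture the SDDL before and after any reset and compare. The following is an added example, not code from Louis or from the Samba project: a small Python parser for the SDDL strings that `samba-tool ntacl get --as-sddl` prints, a check of a Policies/ SDDL against the entries in Louis's output, and a diff of two captures. The expected access masks and the two SDDL strings are taken from the post; the alias-to-name table and the constructed user SID used for the home-folder SDDL are assumptions. It also parses the home-folder SDDL from Louis's script (with the `${NAME2SID}` placeholder replaced by a constructed SID), so the same tool covers both ACL shapes on this page.

```python
"""Parse, check and diff SDDL strings as printed by `samba-tool ntacl get --as-sddl`.

Added example (not Samba code). Expected masks come from the Policies/ SDDL
in the post above; the alias names are an assumption.
"""
import re
from dataclasses import dataclass

# Well-known SDDL trustee aliases that appear in the ACLs above (assumed names).
TRUSTEE_NAMES = {
    "BA": "BUILTIN\\Administrators", "SO": "BUILTIN\\Server Operators",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users",
    "PA": "Group Policy Creator Owners", "LA": "Local Administrator",
    "DA": "Domain Admins", "CG": "Creator Group",
}

# Access masks used in the thread: full control, read+execute, modify.
FULL_CONTROL = 0x001F01FF
READ_EXECUTE = 0x001200A9
MODIFY = 0x001301BF

# What Policies/ should look like, taken from the SDDL posted above.
EXPECTED_POLICIES = {"BA": FULL_CONTROL, "SY": FULL_CONTROL,
                     "SO": READ_EXECUTE, "AU": READ_EXECUTE, "PA": MODIFY}

# The two SDDL strings from the post (sysvol/ and sysvol/<domain>/Policies/).
SYSVOL_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
POLICIES_SDDL = SYSVOL_SDDL + "(A;OICI;0x001301bf;;;PA)"


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" allow, "D" deny
    flags: str      # e.g. "OICI": object inherit + container inherit
    mask: int       # access mask
    trustee: str    # alias such as "BA" or a SID string


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str  # "P" = protected (no inheritance), "AI" = auto-inherited
    aces: tuple


_SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<flags>[A-Z]*)"
                      r"(?P<aces>(?:\([^)]*\))*)(?:S:.*)?$")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Split an SDDL string into owner, group, DACL flags and its ACEs."""
    m = _SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError(f"not a DACL-bearing SDDL string: {sddl!r}")
    aces = []
    for body in _ACE_RE.findall(m.group("aces")):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inh_obj, trustee = fields
        if not rights.lower().startswith("0x"):
            raise ValueError(f"only hex access masks are handled here: {rights}")
        aces.append(Ace(ace_type, flags, int(rights, 16), trustee))
    return SecurityDescriptor(m.group("owner"), m.group("group"),
                              m.group("flags"), tuple(aces))


def allowed_mask(sd: SecurityDescriptor, trustee: str):
    """Union of all allow-ACE masks granted to `trustee`, or None if it has none."""
    masks = [a.mask for a in sd.aces if a.ace_type == "A" and a.trustee == trustee]
    if not masks:
        return None
    result = 0
    for mask in masks:
        result |= mask
    return result


def check_policies_acl(sddl: str) -> list:
    """Return problems found; an empty list means the ACL matches the expected one."""
    sd = parse_sddl(sddl)
    problems = []
    if "P" not in sd.dacl_flags:
        problems.append("DACL is not protected (no D:P); inherited ACEs may override it")
    for ace in sd.aces:
        if ace.ace_type == "D":
            problems.append(f"deny ACE present for {ace.trustee}")
    for trustee, wanted in EXPECTED_POLICIES.items():
        name = TRUSTEE_NAMES.get(trustee, trustee)
        got = allowed_mask(sd, trustee)
        if got is None:
            problems.append(f"missing ACE for {trustee} ({name})")
        elif got != wanted:
            problems.append(f"{trustee} ({name}) has 0x{got:08x}, expected 0x{wanted:08x}")
    return problems


def diff_sddl(before: str, after: str):
    """ACEs (added, removed) between two captures, e.g. the ~/before and ~/after files."""
    b, a = set(parse_sddl(before).aces), set(parse_sddl(after).aces)
    return a - b, b - a


if __name__ == "__main__":
    print(check_policies_acl(POLICIES_SDDL))   # [] : matches Louis's output
    print(check_policies_acl(SYSVOL_SDDL))     # PA entry missing
    print(diff_sddl(SYSVOL_SDDL, POLICIES_SDDL))
```

Feed it the contents of the `sysvol.dom.Policies.sddl` files from the before/after tip; a non-empty list from `check_policies_acl` (for instance a missing PA entry) points at the same thing Louis asks you to look for in the getfacl output.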



