[Samba] sysvolreset and GPO permissions

Jake Black jblack at xes-inc.com
Thu Apr 1 17:08:39 UTC 2021


We are trying to set up Microsoft's AGPM to control GPOs. When we push a GPO from the client, it sets some permissions on the GPO but only pushes the change to one DC. We have rsync-based replication configured to sync the sysvol across all DCs. However the permission changes of the GPO do not change on the other DCs until after running a sysvolreset. Additionally, sysvolreset does not completely set all the permissions that were on the other DCs. Let me explain. 

For example I push a GPO to DC1 via AGPM and it results in the following ACLs: 

# getfacl /var/lib/samba/sysvol/DOMAIN.com/Policies/\{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4\}/ 
getfacl: Removing leading '/' from absolute path names 
# file: var/lib/samba/sysvol/DOMAIN.com/Policies/{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4}/ 
# owner: 3000032 
# group: 3000000 
user::rwx 
user:3000000:rwx 
user:3000004:rwx 
user:3000016:rwx 
user:3000017:r-x 
user:3000022:r-x 
user:3000033:rwx 
user:3000049:r-x 
user:3000050:rwx 
group::rwx 
group:3000000:rwx 
group:3000004:rwx 
group:3000016:rwx 
group:3000017:r-x 
group:3000022:r-x 
group:3000032:rwx 
group:3000033:rwx 
group:3000049:r-x 
group:3000050:rwx 
mask::rwx 
other::--- 
default:user::rwx 
default:user:3000000:rwx 
default:user:3000004:rwx 
default:user:3000016:rwx 
default:user:3000017:r-x 
default:user:3000022:r-x 
default:user:3000032:rwx 
default:user:3000033:rwx 
default:user:3000049:r-x 
default:user:3000050:rwx 
default:group::--- 
default:group:3000000:rwx 
default:group:3000004:rwx 
default:group:3000016:rwx 
default:group:3000017:r-x 
default:group:3000022:r-x 
default:group:3000032:rwx 
default:group:3000033:rwx 
default:group:3000049:r-x 
default:group:3000050:rwx 
default:mask::rwx 
default:other::--- 

Interestingly, 3000050 doesn't have a uid or gid, but I can see its SID:

# wbinfo --uid-info 3000050 
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND 
Could not get info for uid 3000050 

# wbinfo --gid-info 3000050 
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND 
Could not get info for gid 3000050 

# wbinfo -G 3000050 
S-1-5-21-1040850661-3690500864-832160619-3106 

So now I force a sync of the sysvol directory to DC2 and see the following ACLs on DC2:

# getfacl /var/lib/samba/sysvol/DOMAIN.com/Policies/\{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4\}/ 
getfacl: Removing leading '/' from absolute path names 
# file: var/lib/samba/sysvol/DOMAIN.com/Policies/{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4}/ 
# owner: 3000000 
# group: 3000000 
user::rwx 
user:3000004:rwx 
user:3000016:rwx 
user:3000017:r-x 
user:3000022:r-x 
group::rwx 
group:3000000:rwx 
group:3000004:rwx 
group:3000016:rwx 
group:3000017:r-x 
group:3000022:r-x 
mask::rwx 
other::--- 
default:user::rwx 
default:user:3000000:rwx 
default:user:3000004:rwx 
default:user:3000016:rwx 
default:user:3000017:r-x 
default:user:3000022:r-x 
default:group::--- 
default:group:3000000:rwx 
default:group:3000004:rwx 
default:group:3000016:rwx 
default:group:3000017:r-x 
default:group:3000022:r-x 
default:mask::rwx 
default:other::--- 

Group Policy editor tells me that the permissions on the GPO are inconsistent with what is in the SYSVOL folder. 

Running samba-tool ntacl sysvolreset on DC2 changes these ACLs to match what they should be: 

# getfacl /var/lib/samba/sysvol/DOMAIN.com/Policies/\{950CFB36-1BA3-4D67-8E12-F0790E938A76\}/ 
getfacl: Removing leading '/' from absolute path names 
# file: var/lib/samba/sysvol/DOMAIN.com/Policies/{950CFB36-1BA3-4D67-8E12-F0790E938A76}/ 
# owner: 3000032 
# group: 3000000 
user::rwx 
user:3000004:rwx 
user:3000016:rwx 
user:3000017:r-x 
user:3000022:r-x 
user:3000032:rwx 
user:3000033:rwx 
user:3000062:r-x 
user:3000063:rwx 
group::rwx 
group:3000000:rwx 
group:3000004:rwx 
group:3000016:rwx 
group:3000017:r-x 
group:3000022:r-x 
group:3000032:rwx 
group:3000033:rwx 
group:3000062:r-x 
group:3000063:rwx 
mask::rwx 
other::--- 
default:user::rwx 
default:user:3000000:rwx 
default:user:3000004:rwx 
default:user:3000016:rwx 
default:user:3000017:r-x 
default:user:3000022:r-x 
default:user:3000032:rwx 
default:user:3000033:rwx 
default:user:3000062:r-x 
default:user:3000063:rwx 
default:group::--- 
default:group:3000000:rwx 
default:group:3000004:rwx 
default:group:3000016:rwx 
default:group:3000017:r-x 
default:group:3000022:r-x 
default:group:3000032:rwx 
default:group:3000033:rwx 
default:group:3000062:r-x 
default:group:3000063:rwx 
default:mask::rwx 
default:other::--- 

I see here that 3000062 and 3000063 were added, but 3000049 and 3000050 were not. But these ACLs are correct and what they should be, and everything seems happy with the GPO permissions.

If I run a sysvolreset on DC1 now, it removes 3000049 and 3000050 and adds 3000062 and 3000063 to match what is on DC2. 

Since sysvolreset didn't pull the permissions from what was on DC1, where is it gathering what permissions to set? This seems to be working correctly and a sysvolreset solves our issues, so we don't really have any complaints, but is it really required every time we change the permissions on a GPO?

Thanks, 

Jake 
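An added consistency check, not from Jake's post or from Samba's own tooling: it compares the getfacl dumps of a GPO directory from two DCs by SID rather than by uid/gid number, since the 3000xxx numbers are allocated in each DC's own idmap.ldb and the same SID can receive a different number on each DC (one explanation for 3000049/3000050 on DC1 appearing as 3000062/3000063 after sysvolreset on DC2). The xid-to-SID table, the EXAMPLE SIDs and the abridged dumps are constructed; on a real DC the lookup would call wbinfo.

```shell
# Constructed xid -> SID table so this runs offline; on a DC the body would be
# wbinfo -U "$1" 2>/dev/null || wbinfo -G "$1". Two xids per SID mimics two
# DCs that allocated different numbers in their own idmap.ldb.
xid_to_sid() {
  case "$1" in
    3000000) echo "S-1-5-21-EXAMPLE-512" ;;
    3000049|3000062) echo "S-1-5-21-EXAMPLE-3105" ;;
    3000050|3000063) echo "S-1-5-21-EXAMPLE-3106" ;;
    *) echo "$1" ;;   # unmapped: keep the raw number
  esac
}
# Normalise one getfacl dump: drop comment and blank lines and trailing blanks,
# swap qualifiers for SIDs, sort in C order so two dumps can be compared.
normalize_acl() {
  printf '%s\n' "$1" | sed 's/[[:space:]]*$//; /^#/d; /^$/d' |
  while IFS= read -r line; do
    prefix=""
    case "$line" in default:*) prefix="default:"; line=${line#default:} ;; esac
    tag=${line%%:*}; rest=${line#*:}; qual=${rest%%:*}; perms=${rest#*:}
    [ -n "$qual" ] && qual=$(xid_to_sid "$qual")
    printf '%s%s:%s:%s\n' "$prefix" "$tag" "$qual" "$perms"
  done | LC_ALL=C sort
}
# Print entries present on only one DC; exit status 1 if there is any drift.
acl_drift() {
  drift=$( { normalize_acl "$1"; normalize_acl "$2"; } | LC_ALL=C sort | uniq -u )
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}
# Constructed, abridged dumps in the layout of the post: DC1 as pushed by AGPM,
# DC2 after rsync alone, DC2 after "samba-tool ntacl sysvolreset".
DC1='# owner: 3000032
user::rwx
user:3000000:rwx
user:3000049:r-x
user:3000050:rwx
default:user:3000050:rwx'
DC2_RSYNC='# owner: 3000000
user::rwx
user:3000000:rwx'
DC2_RESET='# owner: 3000032
user::rwx
user:3000000:rwx
user:3000062:r-x
user:3000063:rwx
default:user:3000063:rwx'
acl_drift "$DC1" "$DC2_RSYNC" || echo "DC1 vs DC2 after rsync: entries above differ"
acl_drift "$DC1" "$DC2_RESET" && echo "DC1 vs DC2 after sysvolreset: consistent"
```

A mismatch in numbers only, with the SIDs agreeing, is not drift; entries that are missing altogether after a plain rsync point at the sync not carrying POSIX ACLs and extended attributes (rsync -A -X), which matters because Samba stores the NT ACL in the security.NTACL xattr.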
