[Samba] sysvolreset and GPO permissions

Rowland penny rpenny at samba.org
Thu Apr 1 17:17:51 UTC 2021


On 01/04/2021 18:08, Jake Black via samba wrote:
> We are trying to set up Microsoft's AGPM to control GPOs. When we push a GPO from the client, it sets some permissions on the GPO but only pushes the change to one DC. We have rsync-based replication configured to sync the sysvol across all DCs. However the permission changes of the GPO do not change on the other DCs until after running a sysvolreset. Additionally, sysvolreset does not completely set all the permissions that were on the other DCs. Let me explain.
>
> For example I push a GPO to DC1 via AGPM and it results in the following ACLs:
>
> # getfacl /var/lib/samba/sysvol/DOMAIN.com/Policies/\{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4\}/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/DOMAIN.com/Policies/{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4}/
> # owner: 3000032
> # group: 3000000
> user::rwx
> user:3000000:rwx
> user:3000004:rwx
> user:3000016:rwx
> user:3000017:r-x
> user:3000022:r-x
> user:3000033:rwx
> user:3000049:r-x
> user:3000050:rwx
> group::rwx
> group:3000000:rwx
> group:3000004:rwx
> group:3000016:rwx
> group:3000017:r-x
> group:3000022:r-x
> group:3000032:rwx
> group:3000033:rwx
> group:3000049:r-x
> group:3000050:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000004:rwx
> default:user:3000016:rwx
> default:user:3000017:r-x
> default:user:3000022:r-x
> default:user:3000032:rwx
> default:user:3000033:rwx
> default:user:3000049:r-x
> default:user:3000050:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000004:rwx
> default:group:3000016:rwx
> default:group:3000017:r-x
> default:group:3000022:r-x
> default:group:3000032:rwx
> default:group:3000033:rwx
> default:group:3000049:r-x
> default:group:3000050:rwx
> default:mask::rwx
> default:other::---
>
> Interestingly, 3000050 doesn't have a uid or gid, but I can see its SID:
>
> # wbinfo --uid-info 3000050
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 3000050
>
> # wbinfo --gid-info 3000050
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000050
>
> # wbinfo -G 3000050
> S-1-5-21-1040850661-3690500864-832160619-3106
>
> So now I force a sync of the sysvol directory to DC2. And see the following ACLs on DC2:
>
> # getfacl /var/lib/samba/sysvol/DOMAIN.com/Policies/\{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4\}/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/DOMAIN.com/Policies/{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4}/
> # owner: 3000000
> # group: 3000000
> user::rwx
> user:3000004:rwx
> user:3000016:rwx
> user:3000017:r-x
> user:3000022:r-x
> group::rwx
> group:3000000:rwx
> group:3000004:rwx
> group:3000016:rwx
> group:3000017:r-x
> group:3000022:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000004:rwx
> default:user:3000016:rwx
> default:user:3000017:r-x
> default:user:3000022:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000004:rwx
> default:group:3000016:rwx
> default:group:3000017:r-x
> default:group:3000022:r-x
> default:mask::rwx
> default:other::---
>
> Group Policy editor tells me that the permissions on the GPO are inconsistent with what is in the SYSVOL folder.
>
> Running samba-tool ntacl sysvolreset on DC2 changes these ACLs to match what they should be:
>
> # getfacl /var/lib/samba/sysvol/DOMAIN.com/Policies/\{950CFB36-1BA3-4D67-8E12-F0790E938A76\}/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/DOMAIN.com/Policies/{950CFB36-1BA3-4D67-8E12-F0790E938A76}/
> # owner: 3000032
> # group: 3000000
> user::rwx
> user:3000004:rwx
> user:3000016:rwx
> user:3000017:r-x
> user:3000022:r-x
> user:3000032:rwx
> user:3000033:rwx
> user:3000062:r-x
> user:3000063:rwx
> group::rwx
> group:3000000:rwx
> group:3000004:rwx
> group:3000016:rwx
> group:3000017:r-x
> group:3000022:r-x
> group:3000032:rwx
> group:3000033:rwx
> group:3000062:r-x
> group:3000063:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000004:rwx
> default:user:3000016:rwx
> default:user:3000017:r-x
> default:user:3000022:r-x
> default:user:3000032:rwx
> default:user:3000033:rwx
> default:user:3000062:r-x
> default:user:3000063:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000004:rwx
> default:group:3000016:rwx
> default:group:3000017:r-x
> default:group:3000022:r-x
> default:group:3000032:rwx
> default:group:3000033:rwx
> default:group:3000062:r-x
> default:group:3000063:rwx
> default:mask::rwx
> default:other::---
>
> I see here, that 3000062 and 3000063 were added, but 3000049 and 3000050 were not. But these ACLs are correct and what they should be and everything seems happy with the GPO permissions.
>
> If I run a sysvolreset on DC1 now, it removes 3000049 and 3000050 and adds 3000062 and 3000063 to match what is on DC2.
>
> Since sysvolreset didn't pull the permissions from what was on DC1, where is it gathering what permissions to set? This seems to be working correctly and a sysvolreset solves our issues, so we don't really have any complaints, but is it really required every time we change the permissions on a GPO?
>
> Thanks,
>
> Jake


Have you synced idmap.ldb from the first DC to the other DC ?

If you haven't, then you can and will have different ID's on each DC.

Rowland
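An added example, not part of this thread and not Samba's own tooling, that illustrates Rowland's point: the numeric ids in the sysvol POSIX ACLs are xidNumbers allocated locally in each DC's idmap.ldb, so rsync of sysvol (even with -A) carries numbers that mean something different on a DC whose idmap.ldb was never copied from the first one. The script parses getfacl output and an LDIF dump of idmap.ldb, re-keys the ACL entries by SID, and diffs two DCs by SID instead of by number. The DC1 ACL lines and the 3000050 -> ...-3106 mapping are taken from the post above; every other xid/SID pairing (and the DC2 idmap contents) is constructed for the example and is an assumption, not something observed on a real DC.

```python
import re
from typing import Dict, Tuple

AclKey = Tuple[str, str, str]          # (scope, kind, numeric id or SID)
NAMED_ENTRY = re.compile(r"^(default:)?(user|group):(\d+):([rwx-]{3})$")


def parse_getfacl(text: str) -> Dict[AclKey, str]:
    """Return {(scope, kind, xid): perms} for the named entries of getfacl
    output. owner/group/mask/other entries carry no numeric id and are
    skipped; scope is 'access' or 'default'."""
    entries: Dict[AclKey, str] = {}
    for line in text.splitlines():
        m = NAMED_ENTRY.match(line.strip())
        if m:
            scope = "default" if m.group(1) else "access"
            entries[(scope, m.group(2), m.group(3))] = m.group(4)
    return entries


def parse_idmap_ldif(text: str) -> Dict[str, str]:
    """Return {xidNumber: objectSid} from an LDIF dump of idmap.ldb, as
    produced by e.g.
      ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
    LDIF records are separated by blank lines."""
    mapping: Dict[str, str] = {}
    sid = xid = None
    for line in text.splitlines() + [""]:
        if line.startswith("objectSid:"):
            sid = line.split(":", 1)[1].strip()
        elif line.startswith("xidNumber:"):
            xid = line.split(":", 1)[1].strip()
        elif not line.strip():          # end of record
            if sid and xid:
                mapping[xid] = sid
            sid = xid = None
    return mapping


def acl_by_sid(acl: Dict[AclKey, str], idmap: Dict[str, str]) -> Dict[AclKey, str]:
    """Re-key ACL entries by SID. An xid with no entry in this DC's idmap.ldb
    is kept as 'UNRESOLVED:<xid>' so it shows up in the diff instead of
    silently vanishing (this is what a number copied from another DC looks like)."""
    return {(scope, kind, idmap.get(xid, f"UNRESOLVED:{xid}")): perms
            for (scope, kind, xid), perms in acl.items()}


def compare(acl1, idmap1, acl2, idmap2) -> Dict[str, list]:
    """Diff two DCs' ACLs by SID. All three lists empty means both DCs grant
    the same principals the same rights, whatever the numeric ids are."""
    a, b = acl_by_sid(acl1, idmap1), acl_by_sid(acl2, idmap2)
    return {
        "only_dc1": sorted(k for k in a if k not in b),
        "only_dc2": sorted(k for k in b if k not in a),
        "perms_differ": sorted(k for k in a if k in b and a[k] != b[k]),
    }


# --- constructed sample input -------------------------------------------
# DC1 ACL lines (trimmed) and SID_Y's mapping to 3000050 come from the post;
# SID_X, the 3000004 mapping and the whole DC2 idmap are made up (assumption).
DC1_GETFACL = """\
# owner: 3000032
user::rwx
user:3000004:rwx
user:3000049:r-x
user:3000050:rwx
group::rwx
mask::rwx
other::---
"""
DC2_GETFACL_AFTER_RESET = """\
user::rwx
user:3000004:rwx
user:3000062:r-x
user:3000063:rwx
"""
DC2_GETFACL_RSYNC_A = DC1_GETFACL     # what rsync -A would copy verbatim to DC2

SID_ADMINS = "S-1-5-32-544"                                  # BUILTIN\Administrators
SID_X = "S-1-5-21-1040850661-3690500864-832160619-1234"      # constructed
SID_Y = "S-1-5-21-1040850661-3690500864-832160619-3106"      # from the post


def ldif(pairs):
    """Build a minimal idmap.ldb-style LDIF dump from (xid, sid) pairs."""
    return "".join(f"dn: CN={s}\nobjectSid: {s}\nxidNumber: {x}\n\n" for x, s in pairs)


DC1_IDMAP = ldif([("3000004", SID_ADMINS), ("3000049", SID_X), ("3000050", SID_Y)])
DC2_IDMAP = ldif([("3000004", SID_ADMINS), ("3000062", SID_X), ("3000063", SID_Y)])


def run() -> Dict[str, Dict[str, list]]:
    d1, m1, m2 = parse_getfacl(DC1_GETFACL), parse_idmap_ldif(DC1_IDMAP), parse_idmap_ldif(DC2_IDMAP)
    return {
        "after_sysvolreset": compare(d1, m1, parse_getfacl(DC2_GETFACL_AFTER_RESET), m2),
        "after_rsync_A": compare(d1, m1, parse_getfacl(DC2_GETFACL_RSYNC_A), m2),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Under these assumptions the post-sysvolreset ACL on DC2 (3000062/3000063) comes out identical to DC1's (3000049/3000050) once both are keyed by SID, while the numbers rsync would have copied resolve to nothing on DC2 and show up as UNRESOLVED. On real DCs, feed the script the actual getfacl output and an ldbsearch dump of each DC's idmap.ldb; `samba-tool ntacl get <path> --as-sddl` on both DCs is the independent cross-check, since it reads the NT ACL stored in the xattr rather than the POSIX mapping.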




