[Samba] GPO ACL after editing

Anders Östling anders.ostling at gmail.com
Wed May 26 08:15:45 UTC 2021


Here are some findings (repeatable) on what editing GPOs does.
Editing a GPO changes some bits in the ACL which breaks sysvolcheck,
at least on my setup. I don't know how significant this is, or if it
affects anything except annoying the beholder.
Anyway, I'd like to share this and get some opinions on it.

Before GPO editing of policy

root at hp-ad1:/etc# samba-tool ntacl sysvolcheck
root at hp-ad1:/etc#
root at hp-ad1:/etc# /home/sysman/scripts/check-acl.sh hp-ad1 {025430EE-2775-4719-AE02-D8656FED70B0}
Enter HP\aostling's password:
REVISION:1
CONTROL:SR|PD|DR|DP
OWNER:HP\Domain Admins
GROUP:HP\Domain Admins
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:HP\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
ACL:HP\HP_Roaming:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ

Doing a change to the user profile (policy
{025430EE-2775-4719-AE02-D8656FED70B0}) to set User Home drive ...

root at hp-ad1:/etc# /home/sysman/scripts/check-acl.sh hp-ad1 {025430EE-2775-4719-AE02-D8656FED70B0}
Enter HP\aostling's password:
REVISION:1
CONTROL:SR|PD|SI|DI|DP   <------------------- SI inserted into "CONTROL"
OWNER:HP\Domain Admins
GROUP:HP\Domain Admins
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:HP\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:HP\Domain Users:ALLOWED/OI|CI/READ

sysvolcheck does not like that:

root at hp-ad1:/etc# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/hoganas-platslagaren.se/Policies/{025430EE-2775-4719-AE02-D8656FED70B0}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;DU)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;DU)
from GPO object
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1877, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1827, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' %
                            (acl_type(direct_db_access), path, fsacl_sddl, acl))

So let's fix it:

root at hp-ad1:/etc# samba-tool ntacl sysvolreset

root at hp-ad1:/etc# /home/sysman/scripts/check-acl.sh hp-ad1 {025430EE-2775-4719-AE02-D8656FED70B0}
Enter HP\aostling's password:
REVISION:1
CONTROL:SR|PD|DR|DP       <----------------------------------- SI gone
OWNER:HP\Domain Admins
GROUP:HP\Domain Admins
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:HP\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:HP\Domain Users:ALLOWED/OI|CI/READ

root at hp-ad1:/etc# samba-tool ntacl sysvolcheck
root at hp-ad1:/etc#

RSAT GPO editor on Windows 10 Pro 20H2
Debian 10 with Louis' repo files for Samba
Samba 4.14.4

The script I wrote:

#!/bin/bash
# Usage: check-acl.sh <dc-hostname> <gpo-guid>
# Prints the NT ACL of one GPO directory in sysvol as smbcacls sees it.
set -eu

share="//$1/sysvol"
gpo="$2"
# smbcacls takes the share first, then the path inside the share
smbcacls "$share" "/hoganas-platslagaren.se/Policies/$gpo" -U aostling
-- 
------ -------------------- 8 ------------------ ------
"A wise man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"

Anders Östling
+46 768 716 165 (Mobil)
+46 431 45 56 01  (Hem)
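Reading the two SDDL strings in the sysvolcheck error side by side shows what the mismatch actually is: the owner, group and all eight ACEs are identical, and only the DACL flags differ, "PAR" (protected + auto-inherit requested) stored on the GPO object versus "PAI" (protected + auto-inherited) on the directory, i.e. the Windows editor marked inheritance as already propagated when it rewrote the descriptor. In the smbcacls CONTROL line the same change is what turns DR into DI|SI (the SACL auto-inherited bit has no SDDL representation because no S: part is present). The small parser below, an added example that is not part of the post and not Samba code, decodes both descriptors from the error above and reports only the fields that differ; the flag-to-bit table uses the standard SECURITY_DESCRIPTOR_CONTROL values and the CONTROL token names (PD, DR, DI) as smbcacls prints them in the post, and the alias and access-mask names are the well-known SDDL ones.

```python
"""Decode and diff the two SDDL descriptors from a `samba-tool ntacl
sysvolcheck` mismatch. Constructed example, not Samba's own code."""
import re
from dataclasses import dataclass

# SDDL DACL flag token -> (smbcacls CONTROL token, SECURITY_DESCRIPTOR_CONTROL bit)
DACL_FLAGS = {
    "P":  ("PD", 0x1000),  # SE_DACL_PROTECTED: do not inherit ACEs from the parent
    "AR": ("DR", 0x0100),  # SE_DACL_AUTO_INHERIT_REQ: propagation requested, not yet done
    "AI": ("DI", 0x0400),  # SE_DACL_AUTO_INHERITED: propagation has been performed
}

# Well-known two-letter SID aliases that appear in the sysvol descriptors
SID_ALIASES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "CREATOR OWNER",
    "SY": "NT AUTHORITY\\SYSTEM", "ED": "ENTERPRISE DOMAIN CONTROLLERS",
    "AU": "Authenticated Users", "DU": "Domain Users",
}
ACE_TYPES = {"A": "ALLOWED", "D": "DENIED"}
MASK_NAMES = {0x001F01FF: "FULL", 0x001200A9: "READ"}  # names smbcacls prints

SD_RE = re.compile(r"^O:(S-[\d-]+|[A-Z]{2})G:(S-[\d-]+|[A-Z]{2})D:([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" allow / "D" deny
    flags: str      # inheritance flags, e.g. "OICIIO"
    mask: int
    trustee: str    # alias or S-1-... string


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: frozenset
    aces: tuple


def split_dacl_flags(text):
    """Tokenise 'PAI' -> {'P', 'AI'}; two-letter tokens are tried before 'P'."""
    tokens, i = [], 0
    while i < len(text):
        for tok in ("AR", "AI", "P"):
            if text.startswith(tok, i):
                tokens.append(tok)
                i += len(tok)
                break
        else:
            raise ValueError(f"unknown DACL flag near {text[i:]!r}")
    return frozenset(tokens)


def parse_sddl(sddl):
    """Parse an O:...G:...D:flags(aces) string; only hex access masks are handled."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("not an O:...G:...D:... descriptor")
    owner, group, flags, ace_text = m.groups()
    aces = tuple(Ace(t, f, int(mask, 16), sid)
                 for t, f, mask, _obj, _inh, sid in ACE_RE.findall(ace_text))
    return SecurityDescriptor(owner, group, split_dacl_flags(flags), aces)


def control_tokens(dacl_flags):
    """smbcacls CONTROL tokens implied by the D: flags, highest bit first."""
    pairs = sorted((DACL_FLAGS[f] for f in dacl_flags), key=lambda p: -p[1])
    return [tok for tok, _bit in pairs]


def describe_ace(ace):
    """Render an ACE the way smbcacls does: trustee:TYPE/flags/rights."""
    who = SID_ALIASES.get(ace.trustee, ace.trustee)
    flags = "|".join(ace.flags[i:i + 2] for i in range(0, len(ace.flags), 2))
    rights = MASK_NAMES.get(ace.mask, f"0x{ace.mask:08x}")
    return f"{who}:{ACE_TYPES.get(ace.ace_type, ace.ace_type)}/{flags}/{rights}"


def compare(expected, actual):
    """Return {field: (expected, actual)} for every field that differs."""
    diff = {}
    for name in ("owner", "group", "dacl_flags", "aces"):
        e, a = getattr(expected, name), getattr(actual, name)
        if e != a:
            diff[name] = (e, a)
    return diff


# Descriptors copied from the sysvolcheck error in the post above
ON_DISK = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;DU)")
IN_DIRECTORY = ON_DISK.replace("D:PAI", "D:PAR")  # value stored on the GPO object

if __name__ == "__main__":
    disk, ldap = parse_sddl(ON_DISK), parse_sddl(IN_DIRECTORY)
    for name, (e, a) in compare(ldap, disk).items():
        show = lambda v: sorted(v) if isinstance(v, frozenset) else v
        print(f"{name}: expected {show(e)} -> found {show(a)}")
    print("CONTROL bits from D: flags:", "|".join(control_tokens(disk.dacl_flags)))
    for ace in disk.aces:
        print(describe_ace(ace))
```

Run as-is it reports a single differing field, dacl_flags, with the same ACE list on both sides; the same compare() can be fed the two strings from any other sysvolcheck error to tell a harmless inheritance-flag flip from a real ACE change before deciding whether sysvolreset is the right response.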