[Samba] GPO ACL after editing
Anders Östling
anders.ostling at gmail.com
Wed May 26 08:15:45 UTC 2021
Here are some findings (repeatable) on what editing of GPOs does.
Editing a GPO changes some bits in the ACL which breaks sysvolcheck,
at least on my setup. I don't know how significant this is, or if it
affects anything except annoying the beholder.
Anyway, I'd like to share this and get some opinions on it.
Before GPO editing of the policy:
root at hp-ad1:/etc# samba-tool ntacl sysvolcheck
root at hp-ad1:/etc#
root at hp-ad1:/etc# /home/sysman/scripts/check-acl.sh hp-ad1 {025430EE-2775-4719-AE02-D8656FED70B0}
Enter HP\aostling's password:
REVISION:1
CONTROL:SR|PD|DR|DP
OWNER:HP\Domain Admins
GROUP:HP\Domain Admins
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:HP\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
ACL:HP\HP_Roaming:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
Doing a change to the user profile (policy
{025430EE-2775-4719-AE02-D8656FED70B0}) to set User Home drive ...
root at hp-ad1:/etc# /home/sysman/scripts/check-acl.sh hp-ad1 {025430EE-2775-4719-AE02-D8656FED70B0}
Enter HP\aostling's password:
REVISION:1
CONTROL:SR|PD|SI|DI|DP <------------------- SI inserted into "CONTROL"
OWNER:HP\Domain Admins
GROUP:HP\Domain Admins
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:HP\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:HP\Domain Users:ALLOWED/OI|CI/READ
sysvolcheck does not like that:
root at hp-ad1:/etc# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/hoganas-platslagaren.se/Policies/{025430EE-2775-4719-AE02-D8656FED70B0}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;DU)
does not match expected value
O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;DU)
from GPO object
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1877, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1827, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1769, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' %
                            (acl_type(direct_db_access), path, fsacl_sddl, acl))
So let's fix it:
root at hp-ad1:/etc# samba-tool ntacl sysvolreset
root at hp-ad1:/etc# /home/sysman/scripts/check-acl.sh hp-ad1 {025430EE-2775-4719-AE02-D8656FED70B0}
Enter HP\aostling's password:
REVISION:1
CONTROL:SR|PD|DR|DP <----------------------------------- SI gone
OWNER:HP\Domain Admins
GROUP:HP\Domain Admins
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:HP\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:HP\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:HP\Domain Users:ALLOWED/OI|CI/READ
root at hp-ad1:/etc# samba-tool ntacl sysvolcheck
root at hp-ad1:/etc#
RSAT GPO editor on Windows 10 Pro 20H2
Debian 10 with Lois repo files for Samba
Samba 4.14.4
The script I wrote:
#!/bin/bash
# Usage: check-acl.sh <dc-host> <gpo-guid-with-braces>
# Dumps the NT ACL of one GPO directory on the sysvol share via smbcacls.
set -eu
share="//$1/sysvol"
gpo="$2"
smbcacls "$share" "/hoganas-platslagaren.se/Policies/$gpo" -U aostling
--
------ -------------------- 8 ------------------ ------
"A wise man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"
Anders Östling
+46 768 716 165 (Mobil)
+46 431 45 56 01 (Hem)
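As an added example (not part of the original post and not Samba's own code), the following parser reads the two SDDL strings that sysvolcheck printed and reports whether the on-disk descriptor differs from the GPO object's descriptor in actual permissions (owner, group or ACEs) or only in DACL control flags. For the post's data it finds the ACE lists identical and the only difference AI (SE_DACL_AUTO_INHERITED) on disk versus AR (SE_DACL_AUTO_INHERIT_REQ) expected, which is the DR-to-DI swap visible on the smbcacls CONTROL line; a modified copy of the on-disk string in which Domain Users gets FULL shows what a genuine permission change looks like instead. Assumptions: the standard meaning of the SDDL DACL flags P/AR/AI and ACE flags OI/CI/IO, the mapping of those DACL flags to the PD/DR/DI abbreviations shown in the smbcacls output above, and the alias and mask names (FULL, READ) as smbcacls prints them. The two SDDL strings are copied from the error message; the SACL (S:) part is absent from both and is not handled.

```python
"""Added example (not from the original post, not Samba's own code): parse the
two SDDL strings that 'samba-tool ntacl sysvolcheck' printed and report whether
they differ in permissions or only in DACL control (inheritance) flags."""
import re
from dataclasses import dataclass

# Constructed input: the two descriptors quoted in the sysvolcheck error.
FS_SDDL = (  # what is on disk after the RSAT edit
    "O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;DU)"
)
EXPECTED_SDDL = (  # what the GPO object in the directory says
    "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;DU)"
)

# SDDL DACL flag -> (descriptor control bit, abbreviation on smbcacls' CONTROL
# line; assumed from the PD/DR/DI values seen in the post's output)
DACL_FLAGS = {
    "P": ("SE_DACL_PROTECTED", "PD"),
    "AR": ("SE_DACL_AUTO_INHERIT_REQ", "DR"),
    "AI": ("SE_DACL_AUTO_INHERITED", "DI"),
}
ACE_FLAGS = {"OI", "CI", "IO", "NP", "ID", "SA", "FA"}
RIGHTS_STRINGS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
MASK_NAMES = {0x1F01FF: "FULL", 0x1200A9: "READ"}  # as smbcacls prints them
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
               "CO": "CREATOR OWNER", "SY": "SYSTEM",
               "ED": "ENTERPRISE DOMAIN CONTROLLERS",
               "AU": "Authenticated Users", "DU": "Domain Users"}


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" allow, "D" deny
    flags: tuple    # inheritance flags, e.g. ("OI", "CI")
    mask: int       # access mask
    trustee: str    # SID string or well-known alias


@dataclass
class Descriptor:
    owner: str = ""
    group: str = ""
    dacl_flags: frozenset = frozenset()
    aces: tuple = ()


_COMPONENT = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
_ACE = re.compile(r"\(([^)]*)\)")


def _split_flags(text, known):
    """Greedily split a run like 'OICIIO' into ('OI', 'CI', 'IO')."""
    out, i = [], 0
    while i < len(text):
        tok = next((k for k in sorted(known, key=len, reverse=True)
                    if text.startswith(k, i)), None)
        if tok is None:
            raise ValueError(f"unknown flag in {text!r} at {i}")
        out.append(tok)
        i += len(tok)
    return tuple(out)


def parse_sddl(sddl):
    d = Descriptor()
    for key, val in _COMPONENT.findall(sddl):
        if key == "O":
            d.owner = val
        elif key == "G":
            d.group = val
        elif key == "D":
            head = val.split("(", 1)[0]  # DACL flags precede the first ACE
            d.dacl_flags = frozenset(_split_flags(head, DACL_FLAGS))
            aces = []
            for body in _ACE.findall(val):
                ace_type, flags, rights, _obj, _inh, sid = body.split(";")
                mask = int(rights, 16) if rights.startswith("0x") else RIGHTS_STRINGS[rights]
                aces.append(Ace(ace_type, _split_flags(flags, ACE_FLAGS), mask, sid))
            d.aces = tuple(aces)
        # "S:" (SACL) does not occur in the post's strings and is ignored
    return d


def describe_ace(ace):
    """Render an ACE the way smbcacls prints its ACL lines."""
    kind = {"A": "ALLOWED", "D": "DENIED"}.get(ace.ace_type, ace.ace_type)
    mask = MASK_NAMES.get(ace.mask, hex(ace.mask))
    return f"{SID_ALIASES.get(ace.trustee, ace.trustee)}:{kind}/{'|'.join(ace.flags)}/{mask}"


def control_bits(dacl_flags):
    """SDDL DACL flags -> (control bit name, smbcacls abbreviation), stable order."""
    return [DACL_FLAGS[f] for f in DACL_FLAGS if f in dacl_flags]


def diff_descriptors(on_disk, expected):
    a, b = parse_sddl(on_disk), parse_sddl(expected)
    return {
        "owner_same": a.owner == b.owner,
        "group_same": a.group == b.group,
        "aces_same": a.aces == b.aces,
        "flags_only_on_disk": sorted(a.dacl_flags - b.dacl_flags),
        "flags_only_expected": sorted(b.dacl_flags - a.dacl_flags),
    }


def classify(on_disk, expected):
    """'identical', 'control-flags-only' or 'permission-change'."""
    r = diff_descriptors(on_disk, expected)
    if not (r["owner_same"] and r["group_same"] and r["aces_same"]):
        return "permission-change"
    if r["flags_only_on_disk"] or r["flags_only_expected"]:
        return "control-flags-only"
    return "identical"


if __name__ == "__main__":
    print(classify(FS_SDDL, EXPECTED_SDDL), diff_descriptors(FS_SDDL, EXPECTED_SDDL))
    for ace in parse_sddl(FS_SDDL).aces:
        print(describe_ace(ace))
```

Running it against the strings from the error prints "control-flags-only" and the same eight ACL lines that smbcacls showed, so the sysvolcheck failure here reflects the inheritance control bits rewritten by the Windows GPO editor rather than any change to who can read or write the policy directory; a run that reports "permission-change" is the case where the ACE list itself should be examined before calling sysvolreset.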