[Samba] Inconsistent SYSVOL ACLs
Anderson Sampaio Mello
anderson.sampaio.mello at gmail.com
Sun Apr 2 05:02:40 UTC 2023
I have two domain controller servers running Samba version 4.18.
On both DCs, the Sysvol share and its subdirectories (including GPOs)
have the same permissions:
getfacl /usr/local/samba/var/lib/samba/sysvol
# file: usr/local/samba/var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
Checking with the wbinfo command, these UIDs match:
wbinfo --uid-info=3000000
BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
wbinfo --uid-info=3000001
BUILTIN\server operators:*:3000001:3000001::/home/BUILTIN/server operators:/bin/false
wbinfo --uid-info=3000002
NT Authority\system:*:3000002:3000002::/home/NT Authority/system:/bin/false
wbinfo --uid-info=3000003
NT Authority\authenticated users:*:3000003:3000003::/home/NT Authority/authenticated users:/bin/false
When running the command:
samba-tool ntacl sysvolcheck
ERROR(runtime): uncaught exception - (11, 'Buffer Size Error')
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 230, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 449, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1868, in checksysvolacl
    fsacl = getntacl(lp, dir_path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/ntacls.py", line 115, in getntacl
    ntacl = ndr_unpack(xattr.NTACL, attribute)
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/ndr.py", line 48, in ndr_unpack
    ndr_unpack(data, allow_remaining=allow_remaining)
I tried to reset the permissions with the command:
samba-tool ntacl sysvolreset
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
ERROR(runtime): uncaught exception - (3221225507, '{Buffer Too Small} The buffer is too small to contain the entry. No information has been written to the buffer.')
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 230, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 413, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1751, in setsysvolacl
    _setntacl(os.path.join(root, name))
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1736, in _setntacl
    return setntacl(
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/ntacls.py", line 229, in setntacl
    smbd.set_nt_acl(
But it is not possible; the permissions remain as they are in the getfacl
command output.
Can someone tell me what these mean:
ERROR(runtime): uncaught exception - (11, 'Buffer Size Error')
and
fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
ERROR(runtime): uncaught exception - (3221225507, '{Buffer Too Small} The buffer is too small to contain the entry. No information has been written to the buffer.')
I need help to restore the permissions and get the GPOs working again, and
honestly I don't know what these BUFFER messages mean or how to proceed
since the samba-tool ntacl sysvolreset command doesn't reset the
permissions.