[Samba] Access denied on GPO after "ntacl sysvolreset"

Havany havany at asalluhi.fr
Fri Apr 11 09:27:21 UTC 2025


Hi Klaas,

Luis may have been referring to bug 14213 (Windows Explorer crashes on 
S-1-22-* Unix-SIDs when accessing the Security tab), fixed in version 
4.21.4. This bug also causes gpedit to crash.

You may have a mapping issue with your IDmap on domain controllers.

I wrote a script to display the mapping in a readable form (see the end 
of this post).

To reset the mapping on all DCs, here's what I do (note! You need to 
adapt it to your configuration; this is for FreeBSD with a ZFS dataset 
for Sysvol and NFS4ACL) (inspired by the migration of the RFC2703 schema 
to TDB of Tranquil IT: 
https://samba.tranquil.it/doc/en/samba_config_server/samba_rfc_to_tdb.html):

* On the DC that owns the FSMO roles:

** Cleaning the mapping:
for i in $(samba-ldbsearch -H /var/db/samba4/private/idmap.ldb dn | grep ^dn | awk '{ print $2 }' | grep -v CONFIG) ; do samba-ldbdel -H /var/db/samba4/private/idmap.ldb $i ; done

** Make sure that Administrator is mapped with uidNumber 0 (root):
samba-ldbedit -H /var/db/samba4/private/idmap.ldb # and change uidNumber of Administrator if needed

net cache flush

service samba_server restart

** At this step my script getmapping.sh can help to populate idmap.ldb again, or just wait a while.

** Resetting the sysvol ACL (it's a ZFS dataset, you need to adapt these commands too):

setfacl -b /var/db/samba4/sysvol
chown -R 'root:BUILTIN\administrators' /var/db/samba4/sysvol
chmod 755 /var/db/samba4/sysvol
samba-tool ntacl sysvolreset

** Send the new idmap to all other DCs:
tdbbackup -s .new$(date +%y%m%d) /var/db/samba4/private/idmap.ldb
scp /var/db/samba4/private/idmap.ldb.new$(date +%y%m%d) <Others_DC>:/var/db/samba4/private/idmap.ldb

* On the other DCs

** Flush the cache:

net cache flush

service samba_server restart

** Wait for the sysvol synchronization to reset the ACLs (and/or xattrs) and check the ACLs.

** After that you may need to re-apply the Delegations in "Group Policy Objects" in the GPO editor. For me it's enough, and after that all my delegations and ACLs in sysvol are okay.


Regards,



===== getmapping.sh =====

#!/bin/sh
#
# getmapping.sh: print the SID <-> name <-> uid/gid mapping of a Samba AD DC
# as a readable table, from idmap.ldb (default) or from sam.ldb.
#

#PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /etc/os-release

# On FreeBSD the ldb tools are installed with a "samba-" prefix.
[ "$ID" = 'freebsd' ] && ifbsd='samba-' || ifbsd=''

showhelp ()
{
	cat <<EOF
Usage : $0 [-d sam|idmap] [-c 1|2|3|4] [-h] [-s {CN=XXX|OU=XXX}]
-d: database to use, sam or idmap for respectively sam.ldb or idmap.ldb
-c: column for sort :
	1: by sid
	2: by name
	3: by type
	4: by uid/gid
-s: scope for sam.ldb database ex: CN=Users
EOF
}

while getopts d:c:s:h option; do
	case $option in
		d)
			if [ "$OPTARG" = "sam" ] || [ "$OPTARG" = "idmap" ]; then
				dbf=$OPTARG
			else
				echo "Bad argument for -d option"
				showhelp
				exit 1
			fi
			;;
		c)
			if echo "$OPTARG" | grep -E '^[1-4]$' >/dev/null; then
				c=$OPTARG
			else
				echo "Bad argument for -c option"
				showhelp
				exit 1
			fi
			;;
		s)
			s=$OPTARG
			;;
		h)
			showhelp
			exit 0
			;;
		\?)
			echo "wrong parameter"
			showhelp
			exit 1
			;;
	esac
done

# Defaults: idmap.ldb, sorted by SID.
: "${dbf:=idmap}"
: "${c:=1}"

# Import the build-time paths printed by "samba -b" (CONFIGFILE, PRIVATE_DIR,
# ...) as shell variables directly from the pipeline, instead of writing them
# to a predictable file under /tmp and sourcing that file as root.
eval "$(samba -b | grep -E ': /' | sed 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\):[[:space:]]*\(.*\)$/\1="\2"/')"

# Base DN of the domain from the realm in smb.conf (dom.lan -> DC=dom,DC=lan).
bdn="$(grep -iE '^[[:space:]]*realm[[:space:]]*=' "$CONFIGFILE" | head -n 1 | awk -F= '{gsub(/[[:space:]]/, "", $2); print "DC=" $2}' | sed 's/\./,DC=/g')"

if [ "$dbf" = "sam" ]; then
	[ -n "$s" ] && scope="-b ${s},${bdn}" || scope="-b CN=Builtin,${bdn}"
fi

echo "Mapping from ${PRIVATE_DIR}/${dbf}.ldb ${scope}:"

# One row per SID: "sid | DOMAIN\name|(type) | uid or gid". "wbinfo -s" prints
# the name followed by a type number (1 user, 2 domain group, ...), which is
# turned into a label; "wbinfo -S" gives the uid, "wbinfo -Y" the gid.
nl='
'
t=""
for i in $(${ifbsd}ldbsearch -H "${PRIVATE_DIR}/${dbf}.ldb" ${scope} objectsid | grep objectSid | awk '{print $2}'); do
	n=$(wbinfo -s "$i" 2>/dev/null | sed 's/ 1$/|(Domain User)/ ; s/ 2$/|(Domain Group)/ ; s/ 3$/|(Domain)/ ; s/ 4$/|(Service Group)/ ; s/ 5$/|(NT Authority Group)/')
	[ -n "$n" ] || n='-----|-----'
	id=$(wbinfo -S "$i" 2>/dev/null || wbinfo -Y "$i" 2>/dev/null)
	t="${t}${t:+$nl}${i} | ${n} | ${id}"
done

# printf rather than echo: names contain backslashes (DOM\name) that some
# echo implementations would interpret as escape sequences.
case $c in
	4)
		printf '%s\n' "$t" | sort -t '|' -k 4n | column -t -s'|'
		;;
	*)
		printf '%s\n' "$t" | sort -f -t '|' -k "$c,$c" | column -t -s'|'
		;;
esac

===============================================================================

Havany

On 10/04/2025 at 15:16, Klaas TJEBBES via samba wrote:
> Thank you for your answer.
> 
> Problem is :
> 
> root at smbserver:~# cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=24.04
> DISTRIB_CODENAME=noble
> DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"
> 
> There is no most recent Ubuntu LTS. Also we can't afford to recompile 
> Samba and maintain it up-to-date, we have to rely on Ubuntu LTS system.
> 
> So could you find which recently solved bug you're talking about (I've 
> searched for it but could not find it even though I'm using a computer) ?
> This way we may be able to submit it to Ubuntu team who could perhaps 
> backport the correction.
> 
> 
> 
> On 08/04/2025 at 18:51, Luis Peromarta via samba wrote:
>> I think 4.19 is ageing now as we are on 4.22
>>
>> This looks very much like a recently solved bug (can’t find it now I’m 
>> on phone). You need at least 4.21.4
>>
> >> Try updating and see if it fixes things
>> On 8 Apr 2025 at 17:28 +0100, Klaas TJEBBES via samba 
>> <samba at lists.samba.org>, wrote:
>>> Hello.
>>>
>>> samba --version
>>> Version 4.19.5-Ubuntu
>>>
>>> Samba as Active Directory controller.
>>>
>>> 2 scenarios.
>>>
>>>
>>> # First scenario :
>>>
>>> * On a Windows client, from RSAT, I create a new GPO named "firstgpo".
>>> * Still in RSAT, I then create a second GPO "scndgpo" with some
> >>> parameters that I backup (right click on the GPO => Backup...).
> >>> * Then I right click on "firstgpo" and select "Import parameters...". I
>>> select the backup previously made.
>>>
>>> Parameters are correctly imported from "scndgpo" to "firstgpo". So far
>>> so good.
>>>
>>> Here is the problem, after running :
>>> samba-tool ntacl sysvolreset
>>> I can no longer "Import parameters". I get "Access denied" :
>>>
>>> """
>>> [Error] The task cannot be completed. An error occurred with the
>>> [Registry] extension. Unable to access the file
>>> [\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791- 
>>> A16A-7E4AFDE257DF}\MachineStaging\registry.pol].
>>> The following error occurred:
>>> Access denied.
>>> """
>>>
>>>
>>> # Second scenario :
>>>
>>> * I use :
>>> samba-tool gpo backup
>>> to backup an existing GPO.
>>>
>>> * From RSAT I delete this GPO.
>>> * I run :
>>> samba-tool gpo restore
>>> to restore from the backup I just made.
>>>
> >>> * At that moment :
>>> samba-tool ntacl sysvolcheck
>>> returns nothing, says that ACLs on sysvol are correct.
>>>
> >>> On a Windows client, from RSAT, I try to modify this GPO : right click on
>>> the GPO, "Edit..." and configure some settings. I get an error : "Access
>>> denied. HRESULT : 0x80070005 (E_ACCESSDENIED)".
>>>
>>> But, after running :
>>> samba-tool ntacl sysvolreset
>>>
>>> I can again modify the restored GPO without error. But at that moment
>>> I'm encountering the problem of the first scenario.
>>>
>>>
>>> What is the problem ? Is this a bug ?
>>>
>>>
>>> Kind regards,
>>> Klaas
>>>
>>>
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
> 
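An offline companion check to the procedure above, added here as an example (it is not part of the original post nor of getmapping.sh): before the idmap.ldb rebuilt on the FSMO holder is copied to the other DCs, dump it with ldbsearch (samba-ldbsearch on FreeBSD) and verify that Administrator sits on xid 0 and that no two SIDs share one uid/gid; a second function scans the SDDL that `samba-tool ntacl get <path> --as-sddl` prints for a sysvol file and reports S-1-22-* Unix SIDs, the ones tied to bug 14213. The LDIF and SDDL embedded below are constructed for the example; against a real DC, feed the output of those two commands into the same functions.

```python
"""Offline checks for a Samba AD DC idmap before it is copied to the other DCs.
Inputs are plain text: the LDIF printed by `ldbsearch -H .../idmap.ldb` and the
SDDL printed by `samba-tool ntacl get <path> --as-sddl`. All data is constructed.
"""
import re
from collections import defaultdict

# Constructed dump shaped like `ldbsearch -H idmap.ldb` output: the CONFIG record
# (allocation range), Administrator on xid 0 and, on purpose, two SIDs sharing 3000001.
SAMPLE_IDMAP_LDIF = """\
# record 1
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000000
xidNumber: 3000003

dn: CN=S-1-5-21-111-222-333-500
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-500
type: ID_TYPE_BOTH
xidNumber: 0

dn: CN=S-1-5-21-111-222-333-1103
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-1103
type: ID_TYPE_UID
xidNumber: 3000001

dn: CN=S-1-5-21-111-222-333-1104
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-1104
type: ID_TYPE_GID
xidNumber: 3000001
"""

# Constructed SDDL shaped like `samba-tool ntacl get --as-sddl` output. The last ACE
# names S-1-22-1-1001, the placeholder SID Samba uses for a uid without a SID
# mapping; such Unix SIDs are what trips Explorer bug 14213 on the Security tab.
SAMPLE_SDDL = ("O:LAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;0x1200a9;;;AU)"
               "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;S-1-22-1-1001)")


def parse_ldif(text):
    """Parse LDIF into one {attribute: [values]} dict per record; a blank line
    ends a record and '#' lines are comments (ldbsearch prints `# record N`)."""
    records, current = [], defaultdict(list)
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr].append(value.strip())
    return records


def check_idmap(records):
    """Findings for an idmap.ldb dump: the domain Administrator (RID 500) must map
    to xid 0 as the post requires, no xid may be shared by two SIDs, and other
    xids should lie inside the CONFIG allocation range."""
    findings, by_xid = [], defaultdict(list)
    config = next((r for r in records if r.get("dn") == ["CN=CONFIG"]), {})
    low = int(config.get("lowerBound", ["0"])[0])
    high = int(config.get("upperBound", [str(2**32)])[0])
    for r in records:
        if "objectSid" not in r:
            continue
        sid, xid = r["objectSid"][0], int(r["xidNumber"][0])
        by_xid[xid].append(sid)
        if re.match(r"^S-1-5-21-\d+-\d+-\d+-500$", sid):
            if xid != 0:
                findings.append(f"Administrator {sid} maps to xid {xid}, expected 0 (root)")
        elif not low <= xid <= high:
            findings.append(f"{sid} -> xid {xid} lies outside the CONFIG range {low}-{high}")
    for xid, sids in sorted(by_xid.items()):
        if len(sids) > 1:
            findings.append(f"xid {xid} is shared by {', '.join(sids)}")
    return findings


def find_unix_sids_in_sddl(sddl):
    """Trustee SIDs of ACEs in Samba's Unix-ID namespace (S-1-22-1-<uid>,
    S-1-22-2-<gid>). ACE fields are type;flags;rights;guid;inherit_guid;trustee."""
    hits = []
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) > 5 and fields[5].startswith("S-1-22-"):
            hits.append(fields[5])
    return hits


if __name__ == "__main__":
    for finding in check_idmap(parse_ldif(SAMPLE_IDMAP_LDIF)):
        print("idmap:", finding)
    for sid in find_unix_sids_in_sddl(SAMPLE_SDDL):
        print("sysvol:", sid, "is an unmapped Unix ID; fix the idmap before sysvolreset")
```

A shared xid is the case worth catching before the tdbbackup/scp step: two SIDs on one uid/gid make every file owned by that id ambiguous on the other DCs, and sysvolreset then writes ACLs for whichever SID winbind resolves first.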
