[Samba] Access denied on GPO after "ntacl sysvolreset"

Rowland Penny rpenny at samba.org
Mon Apr 14 13:14:53 UTC 2025


On Mon, 14 Apr 2025 14:37:29 +0200
Klaas TJEBBES via samba <samba at lists.samba.org> wrote:

> Hi.
> 
> To give more context.
> 
> I have only one DC.

It is recommended to run more than one DC, just in case one fails.

> 
> Appart from being member of Domain Admins, Administrator is not
> mapped with UID=0 (unix root), it is not mapped with any unix UID at
> all.

On a Samba AD DC it should be, on my DCs, 'id Administrator' returns:

uid=0(root) gid=100(users) groups=0(root),100(users),3000005(SAMDOM\group policy creator owners),3000001(SAMDOM\denied rodc password replication group),3000003(SAMDOM\schema admins),3000004(SAMDOM\enterprise admins),3000000(SAMDOM\domain admins),3000006(BUILTIN\users),3000002(BUILTIN\administrators)

I do not have 'idmap_ldb:use rfc2307  = yes' in smb.conf.

> 
> # smb.conf :
> 
> [global]
>    realm = DOM.LAN
>    workgroup = DOM
>    netbios name = ADDC
>    disable netbios = yes

On a DC that isn't enough.

>    smb ports = 445
>    map acl inherit = Yes
>    store dos attributes = Yes
>    winbind separator = /
>    server role = active directory domain controller
>    server services = -dns

To turn off the Netbios part of the samba daemon, you need:

server services = -dns -nbt

>    tls enabled = yes
>    tls keyfile = /var/lib/samba/private/tls/key.pem
>    tls certfile = /var/lib/samba/private/tls/cert.pem
>    tls cafile =
>    usershare max shares = 0
>    restrict anonymous = 2
>    interfaces = 192.168.0.30
> 
> # Domain Admins has a GID

Sorry, but no it hasn't

> root at addc:~# id domain\ admins
> uid=3000004(DOM/domain admins) gid=3000004(DOM/domain admins) 
> groupes=3000004(DOM/domain admins)

Those numbers in the '3000000' range are xidNumber attributes from
idmap.ldb (only found on Samba AD DCs).

> 
> So after running 'samba-tool ntacl sysvolreset' I can no longer
> modify GPO from RSAT.

You should be able to.

> After a bit of digging, I came with a solution
> that partially works :
> 
> 
> file=/home/sysvol/DOM.lan/Policies/
> chown -R DOM/domain\ admins ${file}
> chown -R DOM/domain\ admins ${file}
> setfacl -Rbk ${file}
> setfacl -Rm user::rwx ${file}
> setfacl -Rm user:NT\ Authority/system:rwx ${file}
> setfacl -Rm user:NT\ Authority/authenticated\ users:r-x ${file}
> setfacl -Rm user:DOM/enterprise\ admins:rwx ${file}
> setfacl -Rm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
> setfacl -Rm group::rwx ${file}
> setfacl -Rm group:NT\ Authority/system:rwx ${file}
> setfacl -Rm group:NT\ Authority/authenticated\ users:r-x ${file}
> setfacl -Rm group:DOM/domain\ admins:rwx ${file}
> setfacl -Rm group:DOM/enterprise\ admins:rwx ${file}
> setfacl -Rm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
> setfacl -Rm mask::rwx ${file}
> setfacl -Rm other::--- ${file}
> setfacl -Rdm user::rwx ${file}
> setfacl -Rdm user:NT\ Authority/system:rwx ${file}
> setfacl -Rdm user:NT\ Authority/authenticated\ users:r-x ${file}
> setfacl -Rdm user:DOM/domain\ admins:rwx ${file}
> setfacl -Rdm user:DOM/enterprise\ admins:rwx ${file}
> setfacl -Rdm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
> setfacl -Rdm group::--- ${file}
> setfacl -Rdm group:NT\ Authority/system:rwx ${file}
> setfacl -Rdm group:NT\ Authority/authenticated\ users:r-x ${file}
> setfacl -Rdm group:DOM/domain\ admins:rwx ${file}
> setfacl -Rdm group:DOM/enterprise\ admins:rwx ${file}
> setfacl -Rdm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
> setfacl -Rdm mask::rwx ${file}
> setfacl -Rdm other::--- ${file}

That is basically what sysvolreset does, but working on a different EA
and Samba sets the rest.

> 
> 
> I say "partially" because after running those commands, Windows RSAT 
> tells me :
> "The permissions for this GPO in the SYSVOL folder are inconsistent
> with those in Active Directory. It is recommended that those
> permissions be consistent. To change the SYSVOL permissions to those
> in Active Directory, click OK."

And it then does what sysvolreset does.

> 
> After clicking OK and making a diff between before/after, I see no 
> differences on ACLs (getfacl -R),

Well you wouldn't, you are looking at the wrong place and with the
wrong tool, try:

sudo samba-tool ntacl get /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} --as-sddl

It should return something like this:

O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

Long and short of it, I cannot recommend running only one DC and
setting permissions on sysvol in the way you are.

Rowland

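As an added example that is not part of the thread, here is a small Python parser for the SDDL string quoted in the reply, turning the output of `samba-tool ntacl get --as-sddl` into something you can check (which principals have full control, which are read-only, whether inheritance is blocked) before and after a sysvolreset. It assumes the standard SDDL SID abbreviations and the usual FA / 0x1200a9 access-mask values; the sample input is the SDDL from the reply above.

```python
import re
# SDDL string quoted in the reply above (used here as the sample input).
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
            "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
            "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
            "(A;OICI;0x1200a9;;;ED)")
# Well-known SDDL SID abbreviations that appear in the string above.
SID_NAMES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
             "CO": "Creator Owner", "SY": "Local System",
             "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
FULL_ACCESS = 0x1F01FF    # FILE_ALL_ACCESS, what the "FA" alias expands to
READ_EXECUTE = 0x1200A9   # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE dicts."""
    m = re.match(r"O:(\w+)G:(\w+)D:([A-Z]*)((?:\([^)]*\))*)$", sddl)
    if not m:
        raise ValueError("unrecognised SDDL layout")
    owner, group, dacl_flags, ace_blob = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_blob):
        # Each ACE has six ';'-separated fields: type;flags;rights;object;inherit_object;sid
        ace_type, ace_flags, rights, obj_guid, inh_guid, sid = ace.split(";")
        aces.append({"type": ace_type, "flags": ace_flags, "rights": rights,
                     "object": obj_guid, "inherit_object": inh_guid, "sid": sid})
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}

def rights_mask(rights):
    """Turn an SDDL rights field ('FA', '0x1200a9', '') into an access mask."""
    if rights == "":
        return 0
    if rights == "FA":
        return FULL_ACCESS
    if rights.startswith("0x"):
        return int(rights, 16)
    raise ValueError(f"unhandled rights alias {rights!r}")

def check_gpo_acl(sddl):
    """Compare a GPO folder DACL with what sysvolreset is expected to set."""
    sd = parse_sddl(sddl)
    allow = [a for a in sd["aces"] if a["type"] == "A"]   # plain access-allowed ACEs
    full = {a["sid"] for a in allow if rights_mask(a["rights"]) == FULL_ACCESS}
    read = {a["sid"] for a in allow if rights_mask(a["rights"]) == READ_EXECUTE}
    return {
        "owner_is_domain_admins": sd["owner"] == "DA",
        "dacl_protected": "P" in sd["dacl_flags"],  # inheritance from parent blocked
        "full_control": sorted(SID_NAMES.get(s, s) for s in full),
        "read_only": sorted(SID_NAMES.get(s, s) for s in read),
        "missing_full_control": sorted({"DA", "EA", "SY"} - full),
    }
```

Running it on the SDDL of a GPO folder that was hand-edited with setfacl will typically show Domain Admins or System missing from `full_control`, which is the mismatch RSAT complains about.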