[Samba] Access denied on GPO after "ntacl sysvolreset"

Klaas TJEBBES klaas.tjebbes at region-academique-bourgogne-franche-comte.fr
Mon Apr 14 14:05:53 UTC 2025


This example I gave is from a test server. A simple setup with 1 DC, 1 
fileserver and 2 Windows clients.

Setting access rights with setfacl was just to try to understand what 
the problem was. I should have presented the problem differently, like this:

I create a GPO in RSAT. At that point, rights on the GPO are OK, I can 
modify it with no problems.
I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively.
I run 'samba-tool ntacl sysvolreset'. At that point, the problem occurs, the GPO 
can no longer be modified.
I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively again.

The diffs between ACLs and ATTRs before/after are:

############ ACLs ##################

# BEFORE samba-tool ntacl sysvolreset

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: BUILTIN/administrators
# group: users
user::rwx
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
user:DOM/domain\040admins:rwx
user:DOM/enterprise\040admins:rwx
user:NT\040Authority/enterprise\040domain\040controllers:r-x
group::---
group:users:---
group:BUILTIN/administrators:rwx
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
group:DOM/domain\040admins:rwx
group:DOM/enterprise\040admins:rwx
group:NT\040Authority/enterprise\040domain\040controllers:r-x
mask::rwx
other::---

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
# owner: BUILTIN/administrators
# group: users
user::rwx
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
user:DOM/domain\040admins:rwx
user:DOM/enterprise\040admins:rwx
user:NT\040Authority/enterprise\040domain\040controllers:r-x
group::---
group:users:---
group:BUILTIN/administrators:rwx
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
group:DOM/domain\040admins:rwx
group:DOM/enterprise\040admins:rwx
group:NT\040Authority/enterprise\040domain\040controllers:r-x
mask::rwx
other::---
default:user::rwx
default:user:BUILTIN/administrators:rwx
default:user:NT\040Authority/system:rwx
default:user:NT\040Authority/authenticated\040users:r-x
default:user:DOM/domain\040admins:rwx
default:user:DOM/enterprise\040admins:rwx
default:user:NT\040Authority/enterprise\040domain\040controllers:r-x
default:group::---
default:group:users:---
default:group:NT\040Authority/system:rwx
default:group:NT\040Authority/authenticated\040users:r-x
default:group:DOM/domain\040admins:rwx
default:group:DOM/enterprise\040admins:rwx
default:group:NT\040Authority/enterprise\040domain\040controllers:r-x
default:mask::rwx
default:other::---


# AFTER samba-tool ntacl sysvolreset

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: DOM/domain\040admins
# group: DOM/domain\040admins
user::rwx
user:root:rwx
user:BUILTIN/administrators:rwx
user:BUILTIN/server\040operators:r-x
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:BUILTIN/server\040operators:r-x
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
mask::rwx
other::---

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
# owner: DOM/domain\040admins
# group: DOM/domain\040admins
user::rwx
user:root:rwx
user:BUILTIN/administrators:rwx
user:BUILTIN/server\040operators:r-x
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:BUILTIN/server\040operators:r-x
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN/administrators:rwx
default:user:BUILTIN/server\040operators:r-x
default:user:NT\040Authority/system:rwx
default:user:NT\040Authority/authenticated\040users:r-x
default:group::---
default:group:BUILTIN/administrators:rwx
default:group:BUILTIN/server\040operators:r-x
default:group:NT\040Authority/system:rwx
default:group:NT\040Authority/authenticated\040users:r-x
default:mask::rwx
default:other::---

######### ATTRs ########

# BEFORE samba-tool ntacl sysvolreset

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
user.DOSATTRIB=0sAAAFAAUAAAARAAAAIAAAABGDjqdErdsB
user.SAMBA_PAI=0sAgSADwAAAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAA==

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
user.DOSATTRIB=0sAAAFAAUAAAARAAAAEAAAAHJtj6dErdsB
user.SAMBA_PAI=0sAgSADwAPAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAAABZAAAAAAAwMYtAAAC/////wABZAAAAAMAxMYtAAMBxMYtAAMAx8YtAAMBx8YtAAsAwMYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAAMA3MYtAAMB3MYtAA==


# AFTER samba-tool ntacl sysvolreset

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
user.SAMBA_PAI=0sAhSQDAAAAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA==

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
user.SAMBA_PAI=0sAhSQDAAMAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAAAwMYtAAABwMYtAAAAwcYtAAABwcYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAAAAAAAAAC/////wABwMYtAAAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA==



What do you think about this?



On 14/04/2025 at 15:14, Rowland Penny via samba wrote:
> On Mon, 14 Apr 2025 14:37:29 +0200
> Klaas TJEBBES via samba <samba at lists.samba.org> wrote:
> 
>> Hi.
>>
>> To give more context.
>>
>> I have only one DC.
> 
> It is recommended to run more than one DC, just in case one fails.
> 
>>
>> Apart from being a member of Domain Admins, Administrator is not
>> mapped to UID=0 (unix root), it is not mapped to any unix UID at
>> all.
> 
> On a Samba AD DC it should be, on my DCs, 'id Administrator' returns:
> 
> uid=0(root) gid=100(users) groups=0(root),100(users),3000005(SAMDOM\group policy creator owners),3000001(SAMDOM\denied rodc password replication group),3000003(SAMDOM\schema admins),3000004(SAMDOM\enterprise admins),3000000(SAMDOM\domain admins),3000006(BUILTIN\users),3000002(BUILTIN\administrators)
> 
> I do not have 'idmap_ldb:use rfc2307  = yes' in smb.conf.
> 
>>
>> # smb.conf :
>>
>> [global]
>>     realm = DOM.LAN
>>     workgroup = DOM
>>     netbios name = ADDC
>>     disable netbios = yes
> 
> On a DC that isn't enough.
> 
>>     smb ports = 445
>>     map acl inherit = Yes
>>     store dos attributes = Yes
>>     winbind separator = /
>>     server role = active directory domain controller
>>     server services = -dns
> 
> To turn off the Netbios part of the samba daemon, you need:
> 
> server services = -dns -nbt
> 
>>     tls enabled = yes
>>     tls keyfile = /var/lib/samba/private/tls/key.pem
>>     tls certfile = /var/lib/samba/private/tls/cert.pem
>>     tls cafile =
>>     usershare max shares = 0
>>     restrict anonymous = 2
>>     interfaces = 192.168.0.30
>>
>> # Domain Admins has a GID
> 
> Sorry, but no it hasn't
> 
>> root at addc:~# id domain\ admins
>> uid=3000004(DOM/domain admins) gid=3000004(DOM/domain admins)
>> groupes=3000004(DOM/domain admins)
> 
> Those numbers in the '3000000' range are xidNumber attributes from
> idmap.ldb (only found on Samba AD DCs).
> 
>>
>> So after running 'samba-tool ntacl sysvolreset' I can no longer
>> modify GPO from RSAT.
> 
> You should be able to.
> 
>> After a bit of digging, I came with a solution
>> that partially works :
>>
>>
>> file=/home/sysvol/DOM.lan/Policies/
>> chown -R DOM/domain\ admins ${file}
>> chown -R DOM/domain\ admins ${file}
>> setfacl -Rbk ${file}
>> setfacl -Rm user::rwx ${file}
>> setfacl -Rm user:NT\ Authority/system:rwx ${file}
>> setfacl -Rm user:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rm user:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rm group::rwx ${file}
>> setfacl -Rm group:NT\ Authority/system:rwx ${file}
>> setfacl -Rm group:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rm group:DOM/domain\ admins:rwx ${file}
>> setfacl -Rm group:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rm mask::rwx ${file}
>> setfacl -Rm other::--- ${file}
>> setfacl -Rdm user::rwx ${file}
>> setfacl -Rdm user:NT\ Authority/system:rwx ${file}
>> setfacl -Rdm user:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rdm user:DOM/domain\ admins:rwx ${file}
>> setfacl -Rdm user:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rdm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rdm group::--- ${file}
>> setfacl -Rdm group:NT\ Authority/system:rwx ${file}
>> setfacl -Rdm group:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rdm group:DOM/domain\ admins:rwx ${file}
>> setfacl -Rdm group:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rdm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rdm mask::rwx ${file}
>> setfacl -Rdm other::--- ${file}
> 
> That is basically what sysvolreset does, but working on a different EA
> and Samba sets the rest.
> 
>>
>>
>> I say "partially" because after running those commands, Windows RSAT
>> tells me:
>> "The permissions for this GPO in the SYSVOL folder are inconsistent
>> with those in Active Directory. It is recommended that those
>> permissions be consistent. To change the SYSVOL permissions to those
>> in Active Directory, click OK."
> 
> And it then does what sysvolreset does.
> 
>>
>> After clicking OK and making a diff between before/after, I see no
>> differences on ACLs (getfacl -R),
> 
> Well you wouldn't, you are looking at the wrong place and with the
> wrong tool, try:
> 
> sudo samba-tool ntacl get /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} --as-sddl
> 
> It should return something like this:
> 
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
> 
> Long and short of it, I cannot recommend running only one DC and
> setting permissions on sysvol in the way you are.
> 
> Rowland
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI
- Dijon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
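Added example, not code from the thread or from Samba itself: the permission that decides whether RSAT can edit a GPO is the NT security descriptor Samba stores in the security.NTACL extended attribute, which `samba-tool ntacl get <path> --as-sddl` prints as an SDDL string; getfacl only shows the POSIX ACL Samba derives from it, which is why the before/after diff above looks fine while RSAT still refuses. The script below parses such an SDDL string and checks it for the ACEs a GPO directory needs, using the SDDL Rowland quotes as the reference. The BROKEN_SDDL string, the /home/sysvol glob, the owner/protected-DACL checks and all function names are constructed for this example.

```python
"""Audit the NT ACL (as SDDL) that Samba keeps on a sysvol GPO directory.

Added example for this page, not part of the mailing-list thread or of
samba-tool. REFERENCE_SDDL is the descriptor quoted in the thread; the
broken sample, the sysvol glob and the helper names are constructed here.
"""
import glob
import re
import subprocess
from dataclasses import dataclass
from typing import List, Tuple

# Quoted in the thread: what sysvolreset puts on a default GPO directory.
REFERENCE_SDDL = (
    "O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
    "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
    "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)"
)
# Constructed counter-example: EA and ED missing, AU entry not inheritable.
BROKEN_SDDL = "O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;;0x1200a9;;;AU)"

FILE_ALL_ACCESS = 0x1F01FF
READ_EXECUTE = 0x1200A9  # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, as used for AU/ED
# SDDL two-letter access-right aliases -> ACCESS_MASK bits.
RIGHTS = {
    "FA": FILE_ALL_ACCESS, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
}
# Admins and SYSTEM need full control; the principals that *apply* the
# policy (Authenticated Users, Enterprise Domain Controllers) need read+execute.
REQUIRED = [("DA", FILE_ALL_ACCESS), ("EA", FILE_ALL_ACCESS), ("SY", FILE_ALL_ACCESS),
            ("AU", READ_EXECUTE), ("ED", READ_EXECUTE)]


@dataclass(frozen=True)
class Ace:
    ace_type: str  # "A" allow, "D" deny, "OA" object allow, ...
    flags: str     # inheritance flags, e.g. "OICI"
    mask: int      # decoded ACCESS_MASK
    trustee: str   # SID alias ("DA", "SY", ...) or a literal S-1-... SID


def decode_mask(rights: str) -> int:
    """Turn an SDDL rights field ("FA", "0x1200a9", "CCLCRP", "") into an int."""
    if not rights:
        return 0
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # KeyError on an alias this table lacks
    return mask


def parse_sddl(sddl: str) -> Tuple[str, str, str, List[Ace]]:
    """Return (owner, group, dacl_flags, aces); any SACL (S:) part is ignored."""
    m = re.match(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                 r"(?P<aces>(?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        aces.append(Ace(ace_type, flags, decode_mask(rights), trustee))
    return m.group("owner"), m.group("group"), m.group("flags"), aces


def audit_gpo_acl(sddl: str) -> List[str]:
    """Return findings for a GPO directory ACL; an empty list means it looks healthy."""
    owner, _group, dflags, aces = parse_sddl(sddl)
    findings = []
    if owner not in ("DA", "EA"):
        findings.append("owner is %s, expected Domain Admins (DA)" % owner)
    if "P" not in dflags:
        findings.append("DACL not protected (P); it would inherit from Policies/")
    for ace in aces:
        if ace.ace_type == "D":
            findings.append("deny ACE for %s (mask 0x%x)" % (ace.trustee, ace.mask))
    for trustee, need in REQUIRED:
        grants = [a for a in aces
                  if a.ace_type == "A" and a.trustee == trustee and a.mask & need == need]
        if not grants:
            findings.append("no allow ACE granting 0x%x to %s" % (need, trustee))
        elif not any("OI" in a.flags and "CI" in a.flags for a in grants):
            findings.append("ACE for %s does not inherit to files/subfolders (needs OICI)" % trustee)
    return findings


def ntacl_get(path: str) -> str:
    """Read the NT ACL Samba stores on `path` as SDDL (run as root on the DC)."""
    out = subprocess.run(["samba-tool", "ntacl", "get", path, "--as-sddl"],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Sysvol location taken from the thread's test setup; adjust for your DC.
    for gpo in sorted(glob.glob("/home/sysvol/*/Policies/{*}")):
        problems = audit_gpo_acl(ntacl_get(gpo))
        print(gpo, "OK" if not problems else "; ".join(problems))
```

Run it on the DC as root after a sysvolreset, or after clicking OK on the RSAT "inconsistent permissions" prompt, to see which GPO directories still lack an inheritable entry for Authenticated Users or the admin groups; a POSIX-only fix with setfacl will not change what this reports.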
