[Samba] Access denied on GPO after "ntacl sysvolreset"

Rowland Penny rpenny at samba.org
Mon Apr 14 14:38:41 UTC 2025


On Mon, 14 Apr 2025 16:05:53 +0200
Klaas TJEBBES via samba <samba at lists.samba.org> wrote:

> This example I gave is from a test server. A simple setup with 1 DC,
> 1 fileserver and 2 Windows clients.
> 
> Setting access rights with setfacl was just to try to understand what
> the problem was. I should have presented the problem otherwise, like
> this:
> 
> I create a GPO in RSAT. At that point, rights on GPO are OK, I can 
> modify it no problems.
> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively.
> I run 'samba-tool ntacl sysvolreset'. At that point, problem occurs,
> GPO can no longer be modified.
> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively again.
> 
> The diffs between ACLs and ATTRs before/after are:
> 
> ############ ACLs ##################
> 
> # BEFORE samba-tool ntacl sysvolreset
> 
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
> # owner: BUILTIN/administrators
> # group: users
> user::rwx
> user:NT\040Authority/system:rwx
> user:NT\040Authority/authenticated\040users:r-x
> user:DOM/domain\040admins:rwx
> user:DOM/enterprise\040admins:rwx
> user:NT\040Authority/enterprise\040domain\040controllers:r-x
> group::---
> group:users:---
> group:BUILTIN/administrators:rwx
> group:NT\040Authority/system:rwx
> group:NT\040Authority/authenticated\040users:r-x
> group:DOM/domain\040admins:rwx
> group:DOM/enterprise\040admins:rwx
> group:NT\040Authority/enterprise\040domain\040controllers:r-x
> mask::rwx
> other::---
> 
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
> # owner: BUILTIN/administrators
> # group: users
> user::rwx
> user:NT\040Authority/system:rwx
> user:NT\040Authority/authenticated\040users:r-x
> user:DOM/domain\040admins:rwx
> user:DOM/enterprise\040admins:rwx
> user:NT\040Authority/enterprise\040domain\040controllers:r-x
> group::---
> group:users:---
> group:BUILTIN/administrators:rwx
> group:NT\040Authority/system:rwx
> group:NT\040Authority/authenticated\040users:r-x
> group:DOM/domain\040admins:rwx
> group:DOM/enterprise\040admins:rwx
> group:NT\040Authority/enterprise\040domain\040controllers:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:BUILTIN/administrators:rwx
> default:user:NT\040Authority/system:rwx
> default:user:NT\040Authority/authenticated\040users:r-x
> default:user:DOM/domain\040admins:rwx
> default:user:DOM/enterprise\040admins:rwx
> default:user:NT\040Authority/enterprise\040domain\040controllers:r-x
> default:group::---
> default:group:users:---
> default:group:NT\040Authority/system:rwx
> default:group:NT\040Authority/authenticated\040users:r-x
> default:group:DOM/domain\040admins:rwx
> default:group:DOM/enterprise\040admins:rwx
> default:group:NT\040Authority/enterprise\040domain\040controllers:r-x
> default:mask::rwx
> default:other::---
> 
> 
> # AFTER samba-tool ntacl sysvolreset
> 
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
> # owner: DOM/domain\040admins
> # group: DOM/domain\040admins
> user::rwx
> user:root:rwx
> user:BUILTIN/administrators:rwx
> user:BUILTIN/server\040operators:r-x
> user:NT\040Authority/system:rwx
> user:NT\040Authority/authenticated\040users:r-x
> group::rwx
> group:BUILTIN/administrators:rwx
> group:BUILTIN/server\040operators:r-x
> group:NT\040Authority/system:rwx
> group:NT\040Authority/authenticated\040users:r-x
> mask::rwx
> other::---
> 
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
> # owner: DOM/domain\040admins
> # group: DOM/domain\040admins
> user::rwx
> user:root:rwx
> user:BUILTIN/administrators:rwx
> user:BUILTIN/server\040operators:r-x
> user:NT\040Authority/system:rwx
> user:NT\040Authority/authenticated\040users:r-x
> group::rwx
> group:BUILTIN/administrators:rwx
> group:BUILTIN/server\040operators:r-x
> group:NT\040Authority/system:rwx
> group:NT\040Authority/authenticated\040users:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN/administrators:rwx
> default:user:BUILTIN/server\040operators:r-x
> default:user:NT\040Authority/system:rwx
> default:user:NT\040Authority/authenticated\040users:r-x
> default:group::---
> default:group:BUILTIN/administrators:rwx
> default:group:BUILTIN/server\040operators:r-x
> default:group:NT\040Authority/system:rwx
> default:group:NT\040Authority/authenticated\040users:r-x
> default:mask::rwx
> default:other::---
> 
> ######### ATTRs ########
> 
> # BEFORE samba-tool ntacl sysvolreset
> 
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
> user.DOSATTRIB=0sAAAFAAUAAAARAAAAIAAAABGDjqdErdsB
> user.SAMBA_PAI=0sAgSADwAAAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAA==
> 
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
> user.DOSATTRIB=0sAAAFAAUAAAARAAAAEAAAAHJtj6dErdsB
> user.SAMBA_PAI=0sAgSADwAPAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAAABZAAAAAAAwMYtAAAC/////wABZAAAAAMAxMYtAAMBxMYtAAMAx8YtAAMBx8YtAAsAwMYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAAMA3MYtAAMB3MYtAA==
> 
> 
> # AFTER samba-tool ntacl sysvolreset
> 
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
> user.SAMBA_PAI=0sAhSQDAAAAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA==
> 
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
> user.SAMBA_PAI=0sAhSQDAAMAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAAAwMYtAAABwMYtAAAAwcYtAAABwcYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAAAAAAAAAC/////wABwMYtAAAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA==
> 
> 
> 
> What do you think about this?

Sorry, but I am not going to wade through that.
Sysvol contains files and directories to be used by Windows GPOs and as
such your output is meaningless to me. I do not really understand the
output from 'SAMBA_PAI', whereas the output from 'samba-tool ntacl get
<FILE> --as-sddl' is easily understood.

From what I posted earlier:

O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

That shows the permissions in a form that Windows expects, the start
'O:DAG:DA' shows that the owner is 'DA' and the group is 'DA', (DA
being Domain Admins) and everything inside each '(....)' is called an
ACE and you can easily work out what each ACE allows and to whom. 

I repeat, I cannot recommend setting the permissions on sysvol in the
way you are doing it; use sysvolreset and samba-tool to read them.

Rowland
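The SDDL line Rowland quotes can be decoded mechanically, which is the point he is making: 'O:DA' and 'G:DA' are owner and group, 'D:P' opens a DACL that is protected from inheritance, and each '(...)' is one ACE of the form type;flags;rights;object-guid;inherit-guid;trustee. The following is an added example, not code from this thread or from Samba: a small Python parser for that format that splits the sections, expands each ACE into its type, inheritance flags, access mask and trustee, and then lists which trustees end up with a right that lets them change the object (write, delete, or rewrite the ACL or owner). The SID alias names, the two-letter rights tokens and their masks, and the Apply-Group-Policy extended-right GUID are the standard Windows values; the sample string is the one posted above. Two details worth seeing in the decoded output: the '0x1200a9' mask on Authenticated Users is FILE_GENERIC_READ | FILE_EXECUTE (0x120089 | 0x1200a0), i.e. read and execute only, and the Creator Owner ACE carries 'IO' (inherit-only), so it grants nothing on the directory itself.

```python
"""Decode a Windows SDDL string, e.g. the output of
'samba-tool ntacl get <FILE> --as-sddl', into owner, group and per-ACE detail."""
import re
from collections import namedtuple

# SDDL string quoted from the thread (SYSVOL policy permissions after sysvolreset).
SYSVOL_SDDL = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
               "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
               "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)")
SID_ALIASES = {  # well-known SDDL SID aliases (the subset seen on SYSVOL)
    "DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "Creator Owner",
    "SY": "Local System", "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "ALLOW_OBJECT", "OD": "DENY_OBJECT"}
ACE_FLAGS = {"OI", "CI", "NP", "IO", "ID", "SA", "FA"}  # inheritance and audit flags
RIGHTS = {  # two-letter rights tokens -> access mask (generic, standard, file aliases)
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
EXTENDED_RIGHTS = {"edacfd8f-ffb3-11d1-b41d-00a0c968f939": "Apply-Group-Policy"}
# Bits that let a trustee change content, delete, or rewrite the ACL/owner:
# FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE/ALL.
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | RIGHTS["GW"] | RIGHTS["GA"]

Ace = namedtuple("Ace", "type flags mask object_guid inherit_guid trustee")
SecurityDescriptor = namedtuple("SecurityDescriptor", "owner group dacl_flags dacl")

def parse_rights(token):
    """Rights are a hex mask ('0x1200a9') or concatenated two-letter codes ('FA', 'GRGW')."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        if token[i:i + 2] not in RIGHTS:
            raise ValueError(f"unknown rights code in {token!r}")
        mask |= RIGHTS[token[i:i + 2]]
    return mask

def parse_ace(body):
    """body is the text between one pair of parentheses: type;flags;rights;guid;guid;sid."""
    parts = body.split(";")
    if len(parts) < 6:
        raise ValueError(f"ACE needs six fields: {body!r}")
    atype, flags, rights, obj_guid, inh_guid, sid = parts[:6]
    flag_list = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    if atype not in ACE_TYPES or not set(flag_list) <= ACE_FLAGS:
        raise ValueError(f"unknown ACE type or flags in {body!r}")
    return Ace(atype, flag_list, parse_rights(rights) if rights else 0, obj_guid, inh_guid, sid)

def split_sections(sddl):
    """Split into O:/G:/D:/S: parts; keys count only at parenthesis depth 0, so 'SY' etc. inside an ACE are never keys."""
    sections, key, start, depth, i = {}, None, 0, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = sddl[start:i]
            key, start, i = ch, i + 2, i + 2
            continue
        i += 1
    if key is not None:
        sections[key] = sddl[start:]
    return sections

def parse_sddl(sddl):
    sec = split_sections(sddl)
    dacl = sec.get("D", "")
    flags = dacl.split("(", 1)[0]  # DACL control flags, e.g. 'P' = protected from inheritance
    aces = [parse_ace(m) for m in re.findall(r"\(([^)]*)\)", dacl)]
    return SecurityDescriptor(sec.get("O", ""), sec.get("G", ""), flags, aces)

def describe(sd):
    """One line for the header, then one per ACE in DACL order, with aliases expanded."""
    name = lambda sid: SID_ALIASES.get(sid, sid)
    lines = [f"owner={name(sd.owner)} group={name(sd.group)} dacl_flags={sd.dacl_flags or '-'}"]
    for ace in sd.dacl:
        obj = f" [{EXTENDED_RIGHTS.get(ace.object_guid, ace.object_guid)}]" if ace.object_guid else ""
        lines.append(f"{ACE_TYPES[ace.type]:<13}{''.join(ace.flags) or '-':<7}"
                     f"0x{ace.mask:08x}  {name(ace.trustee)}{obj}")
    return lines

def writers(sd):
    """Trustees whose allow bits minus deny bits (same trustee) include a write, delete or
    ACL-change right. Inherit-only ACEs are skipped; group membership is not resolved."""
    allowed, denied = {}, {}
    for ace in sd.dacl:
        if "IO" in ace.flags:
            continue
        bucket = allowed if ace.type in ("A", "OA") else denied
        bucket[ace.trustee] = bucket.get(ace.trustee, 0) | ace.mask
    return sorted(t for t, m in allowed.items() if m & ~denied.get(t, 0) & WRITE_BITS)

if __name__ == "__main__":
    sd = parse_sddl(SYSVOL_SDDL)
    print("\n".join(describe(sd)), "\ncan modify:", ", ".join(writers(sd)))
```

Run against the posted string, `writers()` returns Domain Admins, Enterprise Admins and Local System only; Authenticated Users and Enterprise Domain Controllers hold read-and-execute, and the object ACE for Apply-Group-Policy carries an empty rights field, so it contributes no file permission at all. The deny handling is deliberately simple (allow minus deny per trustee, no group expansion), which is enough to compare two `--as-sddl` outputs before and after a change but is not a substitute for an access check on the server.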
