[Samba] Access denied on GPO after "ntacl sysvolreset"
Klaas TJEBBES
klaas.tjebbes at region-academique-bourgogne-franche-comte.fr
Tue Apr 15 08:03:59 UTC 2025
Hi Rowland (and others)
Here is what you were asking for.
As a side note, 'samba-tool ntacl get' is a bit buggy on some paths.
I've left the tracebacks so you can understand what I'm talking about.
But nevertheless, there are some differences between before and after
'samba-tool ntacl sysvolreset'. This command does not set back the
access rights like Windows does.
# BEFORE samba-tool ntacl sysvolreset, just after creating a GPO in RSAT
root at addc:~# samba-tool ntacl get /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/ --as-sddl
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No such file or directory: '/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}/'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 206, in run
    acl = getntacl(lp,
          ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in getntacl
    return smbd.get_nt_acl(file,
           ^^^^^^^^^^^^^^^^^^^^^
root at addc:~# cd /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# ls -l
total 24
-rwxrwx---+ 1 BUILTIN/administrators users 68 avril 15 09:52 GPT.INI
drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:53 Machine
drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:52 User
root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get . --as-sddl
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get GPT.INI --as-sddl
O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)
root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get Machine/ --as-sddl
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No such file or directory: 'Machine/'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 206, in run
    acl = getntacl(lp,
          ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in getntacl
    return smbd.get_nt_acl(file,
           ^^^^^^^^^^^^^^^^^^^^^
# AFTER samba-tool ntacl sysvolreset
root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get . --as-sddl
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get GPT.INI --as-sddl
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get Machine/ --as-sddl
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No such file or directory: 'Machine/'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 206, in run
    acl = getntacl(lp,
          ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in getntacl
    return smbd.get_nt_acl(file,
           ^^^^^^^^^^^^^^^^^^^^^
On 14/04/2025 at 16:38, Rowland Penny via samba wrote:
> On Mon, 14 Apr 2025 16:05:53 +0200
> Klaas TJEBBES via samba <samba at lists.samba.org> wrote:
>
>> This example I gave is from a test server. A simple setup with 1 DC,
>> 1 fileserver and 2 Windows clients.
>>
>> Setting access rights with setfacl was just to try to understand what
>> the problem was. I should have presented the problem otherwise, like
>> this :
>>
>> I create a GPO in RSAT. At that point, rights on GPO are OK, I can
>> modify it no problems.
>> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively.
>> I run 'samba-tool ntacl sysvolreset'. At that point, problem occurs,
>> GPO can no longer be modified.
>> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively again.
>>
>> The diffs between ACLs and ATTRs before/after are :
>>
>> ############ ACLs ##################
>>
>> # BEFORE samba-tool ntacl sysvolreset
>>
>> # file:
>> home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> # owner: BUILTIN/administrators
>> # group: users
>> user::rwx
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> user:DOM/domain\040admins:rwx
>> user:DOM/enterprise\040admins:rwx
>> user:NT\040Authority/enterprise\040domain\040controllers:r-x
>> group::---
>> group:users:---
>> group:BUILTIN/administrators:rwx
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> group:DOM/domain\040admins:rwx
>> group:DOM/enterprise\040admins:rwx
>> group:NT\040Authority/enterprise\040domain\040controllers:r-x
>> mask::rwx
>> other::---
>>
>> # file:
>> home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> # owner: BUILTIN/administrators
>> # group: users
>> user::rwx
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> user:DOM/domain\040admins:rwx
>> user:DOM/enterprise\040admins:rwx
>> user:NT\040Authority/enterprise\040domain\040controllers:r-x
>> group::---
>> group:users:---
>> group:BUILTIN/administrators:rwx
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> group:DOM/domain\040admins:rwx
>> group:DOM/enterprise\040admins:rwx
>> group:NT\040Authority/enterprise\040domain\040controllers:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:BUILTIN/administrators:rwx
>> default:user:NT\040Authority/system:rwx
>> default:user:NT\040Authority/authenticated\040users:r-x
>> default:user:DOM/domain\040admins:rwx
>> default:user:DOM/enterprise\040admins:rwx
>> default:user:NT\040Authority/enterprise\040domain\040controllers:r-x
>> default:group::---
>> default:group:users:---
>> default:group:NT\040Authority/system:rwx
>> default:group:NT\040Authority/authenticated\040users:r-x
>> default:group:DOM/domain\040admins:rwx
>> default:group:DOM/enterprise\040admins:rwx
>> default:group:NT\040Authority/enterprise\040domain\040controllers:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> # AFTER samba-tool ntacl sysvolreset
>>
>> # file:
>> home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> # owner: DOM/domain\040admins
>> # group: DOM/domain\040admins
>> user::rwx
>> user:root:rwx
>> user:BUILTIN/administrators:rwx
>> user:BUILTIN/server\040operators:r-x
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> group::rwx
>> group:BUILTIN/administrators:rwx
>> group:BUILTIN/server\040operators:r-x
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> mask::rwx
>> other::---
>>
>> # file:
>> home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> # owner: DOM/domain\040admins
>> # group: DOM/domain\040admins
>> user::rwx
>> user:root:rwx
>> user:BUILTIN/administrators:rwx
>> user:BUILTIN/server\040operators:r-x
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> group::rwx
>> group:BUILTIN/administrators:rwx
>> group:BUILTIN/server\040operators:r-x
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN/administrators:rwx
>> default:user:BUILTIN/server\040operators:r-x
>> default:user:NT\040Authority/system:rwx
>> default:user:NT\040Authority/authenticated\040users:r-x
>> default:group::---
>> default:group:BUILTIN/administrators:rwx
>> default:group:BUILTIN/server\040operators:r-x
>> default:group:NT\040Authority/system:rwx
>> default:group:NT\040Authority/authenticated\040users:r-x
>> default:mask::rwx
>> default:other::---
>>
>> ######### ATTRs ########
>>
>> # BEFORE samba-tool ntacl sysvolreset
>>
>> # file:
>> home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> user.DOSATTRIB=0sAAAFAAUAAAARAAAAIAAAABGDjqdErdsB
>> user.SAMBA_PAI=0sAgSADwAAAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAA==
>>
>> # file:
>> home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> user.DOSATTRIB=0sAAAFAAUAAAARAAAAEAAAAHJtj6dErdsB
>> user.SAMBA_PAI=0sAgSADwAPAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAAABZAAAAAAAwMYtAAAC/////wABZAAAAAMAxMYtAAMBxMYtAAMAx8YtAAMBx8YtAAsAwMYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAAMA3MYtAAMB3MYtAA==
>>
>>
>> # AFTER samba-tool ntacl sysvolreset
>>
>> # file:
>> home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> user.SAMBA_PAI=0sAhSQDAAAAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA==
>>
>> # file:
>> home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> user.SAMBA_PAI=0sAhSQDAAMAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAAAwMYtAAABwMYtAAAAwcYtAAABwcYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAAAAAAAAAC/////wABwMYtAAAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA==
>>
>>
>>
>> What do you think about this ?
>
> Sorry, but I am not going to wade through that.
> Sysvol contains files and directories to be used by Windows GPOs and as
> such your output is meaningless to me. I do not really understand the
> output from 'SAMBA_PAI', whereas the output from 'samba-tool ntacl get
> <FILE> --as-sddl' is easily understood.
>
> From what I posted earlier:
>
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>
> That shows the permissions in a form that Windows expects, the start
> 'O:DAG:DA' shows that the owner is 'DA' and the group is 'DA', (DA
> being Domain Admins) and everything inside each '(....)' is called an
> ACE and you can easily work out what each ACE allows and to whom.
>
> I repeat, I cannot recommend setting the permissions on sysvol in the
> way you are doing it, use sysvolreset and samba-tool to read them.
>
> Rowland
>
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI
- Dijon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
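The SDDL strings above are the form Rowland recommends reading, and the interesting question is exactly what differs between the two GPT.INI captures. The following script is an added example written for this page; it is not code from the thread, from Samba or from its authors. It parses the SDDL components (O: owner, G: group, D: DACL flags and ACEs) and reports the differences. The two strings are copied from the post; the SID, access-mask and GUID aliases are the standard Windows abbreviations filled in by me (FA is FILE_ALL_ACCESS, 0x1200a9 is the usual read-and-execute mask, and the GUID in the OA ACE is the Apply-Group-Policy control access right). The diff only reports what the two captures show; it makes no claim about which difference causes the access-denied error.

```python
import re
from dataclasses import dataclass

# Well-known SDDL SID abbreviations that appear in the thread's output.
SID_ALIASES = {
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
    "CO": "CREATOR OWNER",
    "DU": "Domain Users",
}
# FA = FILE_ALL_ACCESS (0x1f01ff); 0x1200a9 = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
RIGHTS_ALIASES = {"FA": "FILE_ALL_ACCESS", "0x1200a9": "READ|EXECUTE"}
# Object GUID of the OA ACE that appears after sysvolreset: the Apply-Group-Policy right.
GUID_ALIASES = {"edacfd8f-ffb3-11d1-b41d-00a0c968f939": "Apply-Group-Policy"}

# "O:", "G:", "D:", "S:" components; each runs until the next component tag.
COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    type: str          # A = access allowed, OA = object access allowed, ...
    flags: tuple       # two-letter flag tokens, e.g. ("OI", "CI")
    rights: str        # access-mask alias or hex string
    object_guid: str
    inherit_guid: str
    trustee: str       # SID alias or S-1-... string


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str    # e.g. "P" = protected, inheritance from the parent is blocked
    aces: tuple


def parse_ace(body: str) -> Ace:
    """Parse one 'type;flags;rights;object_guid;inherit_guid;trustee' ACE body."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, object_guid, inherit_guid, trustee = fields
    flag_tokens = tuple(flags[i:i + 2] for i in range(0, len(flags), 2))
    return Ace(ace_type, flag_tokens, rights, object_guid, inherit_guid, trustee)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    comps = {m.group(1): m.group(2) for m in COMPONENT_RE.finditer(sddl)}
    dacl = comps.get("D", "")
    first = dacl.find("(")
    dacl_flags = dacl if first < 0 else dacl[:first]
    aces = tuple(parse_ace(b) for b in ACE_RE.findall(dacl))
    return SecurityDescriptor(comps.get("O", ""), comps.get("G", ""), dacl_flags, aces)


def describe(ace: Ace) -> str:
    who = SID_ALIASES.get(ace.trustee, ace.trustee)
    what = RIGHTS_ALIASES.get(ace.rights, ace.rights)
    obj = GUID_ALIASES.get(ace.object_guid, ace.object_guid)
    return f"{ace.type} {who}: {what or obj} [{''.join(ace.flags) or '-'}]"


def diff_descriptors(before: SecurityDescriptor, after: SecurityDescriptor) -> dict:
    """ACEs are matched on (type, trustee, rights, object GUID) so that a change of
    inheritance flags alone is reported separately from an ACE that appeared or vanished."""
    def key(a):
        return (a.type, a.trustee, a.rights, a.object_guid)
    b = {key(x): x for x in before.aces}
    a = {key(x): x for x in after.aces}
    return {
        "owner": None if before.owner == after.owner else (before.owner, after.owner),
        "group": None if before.group == after.group else (before.group, after.group),
        "dacl_flags": None if before.dacl_flags == after.dacl_flags
        else (before.dacl_flags, after.dacl_flags),
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "flags_changed": sorted((k, b[k].flags, a[k].flags)
                                for k in b if k in a and b[k].flags != a[k].flags),
    }


# The two GPT.INI descriptors exactly as posted in the thread.
GPT_INI_BEFORE = ("O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)"
                  "(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)")
GPT_INI_AFTER = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
                 "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
                 "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)")

if __name__ == "__main__":
    before, after = parse_sddl(GPT_INI_BEFORE), parse_sddl(GPT_INI_AFTER)
    for label, sd in (("before", before), ("after", after)):
        print(f"{label}: owner={sd.owner} group={sd.group} dacl_flags={sd.dacl_flags!r}")
        for ace in sd.aces:
            print("   ", describe(ace))
    for name, value in diff_descriptors(before, after).items():
        print(f"{name}: {value}")
```

Run with python3 and the report for GPT.INI reads: owner BA becomes DA, group DU becomes DA, the DACL gains the P (protected) flag, the explicit BUILTIN\Administrators ACE is gone, a CREATOR OWNER ACE and an Apply-Group-Policy object ACE are added, and every remaining ACE gains OICI inheritance flags that were absent on the file before the reset. Feeding the directory descriptors from the post into the same functions works the same way.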