[Samba] Access denied on GPO after "ntacl sysvolreset"

Rowland Penny rpenny at samba.org
Tue Apr 15 08:44:59 UTC 2025 

On Tue, 15 Apr 2025 10:03:59 +0200
Klaas TJEBBES via samba <samba at lists.samba.org> wrote:

> Hi Rowland (and others)
> 
> Here is what you were asking for.
> As a sidenote, 'samba-tool ntacl get' is a bit buggy on some pathes. 
> I've left the tracebacks so you can understand what I'm talking about.
> 
> But nevertheless, there are some differences between before and after 
> 'samba-tool ntacl sysvolreset'. This command does not set back the 
> access rights like Windows does.
> 
> 
> # BEFORE samba-tool ntacl sysvolreset, just after creating a GPO in
> RSAT
> 
> root at addc:~# samba-tool ntacl get 
> /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/ 
> --as-sddl

Why is 'sysvol' in '/home' ??
it should be in /var/lib/samba unless you have self compiled Samba into
somewhere else (usually /usr/local/samba).

> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No 
> such file or directory: 
> '/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}/'
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 279, in _run
>      return self.run(*args, **kwargs)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 
> 206, in run
>      acl = getntacl(lp,
>            ^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
> in getntacl
>      return smbd.get_nt_acl(file,
>             ^^^^^^^^^^^^^^^^^^^^^
> 

I get the same sort of error if I have '/' on the end of the path, but
it works if I remove it.

> root at addc:~# cd 
> /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
> 
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# 
> ls -l
> total 24
> -rwxrwx---+ 1 BUILTIN/administrators users   68 avril 15 09:52 GPT.INI
> drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:53 Machine
> drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:52 User
> 
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# 
> samba-tool ntacl get . --as-sddl
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
> 
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# 
> samba-tool ntacl get GPT.INI --as-sddl
> O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)
> 
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# 
> samba-tool ntacl get Machine/ --as-sddl
> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No 
> such file or directory: 'Machine/'
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 279, in _run
>      return self.run(*args, **kwargs)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 
> 206, in run
>      acl = getntacl(lp,
>            ^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
> in getntacl
>      return smbd.get_nt_acl(file,
>             ^^^^^^^^^^^^^^^^^^^^^
> 
> 
> # AFTER samba-tool ntacl sysvolreset
> 
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# 
> samba-tool ntacl get . --as-sddl
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
> 
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# 
> samba-tool ntacl get GPT.INI --as-sddl
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
> 

They are want I expected and identical to a GPO on one of my DCs.

> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# 
> samba-tool ntacl get Machine/ --as-sddl
> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No 
> such file or directory: 'Machine/'
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 279, in _run
>      return self.run(*args, **kwargs)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 
> 206, in run
>      acl = getntacl(lp,
>            ^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
> in getntacl
>      return smbd.get_nt_acl(file,
>             ^^^^^^^^^^^^^^^^^^^^^

Try that again but this time without the '/' on the end of 'Machine/'.

Rowland

More information about the samba mailing list