[Samba] Access denied on GPO after "ntacl sysvolreset"

Klaas TJEBBES klaas.tjebbes at region-academique-bourgogne-franche-comte.fr
Wed Apr 16 15:03:10 UTC 2025 

I don't understand how import parameters from a previously backuped GPO 
in RSAT can work on your setup as it clearly does not on ours.


To summarize :

root at addc:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=24.04
DISTRIB_CODENAME=noble
DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"

root at addc:~# cat /etc/samba/smb.conf
[global]
   realm = DOMSCRIBE.AC-TEST.FR
   workgroup = DOMSCRIBE
   netbios name = ADDC
   disable netbios = yes
   smb ports = 445
   map acl inherit = Yes
   store dos attributes = Yes
   winbind separator = /
   server role = active directory domain controller
   server services = -dns
   tls enabled = yes
   tls keyfile = /var/lib/samba/private/tls/key.pem
   tls certfile = /var/lib/samba/private/tls/cert.pem
   tls cafile =
   usershare max shares = 0
   restrict anonymous = 2
   interfaces = 192.168.0.30

[netlogon]
   comment = Network Logon Service
   path = /home/sysvol/domscribe.ac-test.fr/scripts
   read only = No
   guest ok = yes

[sysvol]
   comment = Sysvol Service
   path = /home/sysvol
   read only = No
   guest ok = yes



# Problem 1 #
* I create a GPO in RSAT
* I can then import parameters from a previously backuped GPO
* On Samba DC I run "samba-tool ntacl sysvolreset"
* I can no longer import parameters from a previously backuped GPO, I get :
"""
[Error] The task cannot be completed. An error occurred with the 
[Registry] extension. Unable to access the file 
[\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791-A16A-7E4AFDE257DF}\MachineStaging\registry.pol].
The following error occurred:
Access denied.
"""

# Problem 2 #
* After using 'samba-tool gpo restore', On a Windows client, from RSAT, 
I try to modify this GPO : right clic on the GPO, "Edit..." and 
configure some settings. I get an error : "Access denied. HRESULT : 
0x80070005 (E_ACCESSDENIED)".

* But in this code, 'samba-tool ntacl sysvolreset' won't execute 
(samba-tool ntacl sysvolcheck returns/tells that sysvol ACLs are right) :
if ! samba-tool ntacl sysvolcheck 2>/dev/null
then
         echo "* Check sysvol ACL NOK, do sysvolreset, please wait ..."
         samba-tool ntacl sysvolreset
fi

* After running 'samba-tool ntacl sysvolreset' by hand, I can again 
modify the restored GPO without error. But at that moment I'm 
encountering the # Problem 1 #.



# Test done to define Problem 1 #
* Before 'samba-tool ntacl sysvolreset' :
find 
/home/sysvol/domscribe.ac-test.fr/Policies/\{407E6044-D8C0-46D6-AF67-0175A6638D6A\} 
|while read i; do echo -n "samba-tool ntacl set "; echo -n 
\'$(samba-tool ntacl get --as-sddl "${i}")\'; echo " $i"; done > set_acls.sh
* run 'samba-tool ntacl sysvolreset' and observe that import parameters 
in RSAT no longer works
* run :
find 
/home/sysvol/domscribe.ac-test.fr/Policies/\{407E6044-D8C0-46D6-AF67-0175A6638D6A\} 
|while read i; do echo -n "samba-tool ntacl set "; echo -n 
\'$(samba-tool ntacl get --as-sddl "${i}")\'; echo " $i"; done > 
set_BAD_acls.sh
* run './set_acls.sh' and observe that import parameters in RSAT works again
* run './set_BAD_acls.sh' and observe that import parameters in RSAT no 
longer works


# Content of set_acls.sh
samba-tool ntacl set 
'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}
samba-tool ntacl set 
'O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/User
samba-tool ntacl set 
'O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine
samba-tool ntacl set 
'O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine/comment.cmtx
samba-tool ntacl set 
'O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine/Registry.pol
samba-tool ntacl set 
'O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/gpt.ini

# Content of set_BAD_acls.sh
samba-tool ntacl set 
'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}
samba-tool ntacl set 
'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/User
samba-tool ntacl set 
'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine
samba-tool ntacl set 
'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine/comment.cmtx
samba-tool ntacl set 
'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine/Registry.pol
samba-tool ntacl set 
'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' 
/home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/gpt.ini


Le 15/04/2025 à 10:44, Rowland Penny via samba a écrit :
> On Tue, 15 Apr 2025 10:03:59 +0200
> Klaas TJEBBES via samba <samba at lists.samba.org> wrote:
> 
>> Hi Rowland (and others)
>>
>> Here is what you were asking for.
>> As a sidenote, 'samba-tool ntacl get' is a bit buggy on some pathes.
>> I've left the tracebacks so you can understand what I'm talking about.
>>
>> But nevertheless, there are some differences between before and after
>> 'samba-tool ntacl sysvolreset'. This command does not set back the
>> access rights like Windows does.
>>
>>
>> # BEFORE samba-tool ntacl sysvolreset, just after creating a GPO in
>> RSAT
>>
>> root at addc:~# samba-tool ntacl get
>> /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
>> --as-sddl
> 
> Why is 'sysvol' in '/home' ??
> it should be in /var/lib/samba unless you have self compiled Samba into
> somewhere else (usually /usr/local/samba).
> 
>> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No
>> such file or directory:
>> '/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}/'
>>     File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 279, in _run
>>       return self.run(*args, **kwargs)
>>              ^^^^^^^^^^^^^^^^^^^^^^^^^
>>     File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
>> 206, in run
>>       acl = getntacl(lp,
>>             ^^^^^^^^^^^^
>>     File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
>> in getntacl
>>       return smbd.get_nt_acl(file,
>>              ^^^^^^^^^^^^^^^^^^^^^
>>
> 
> I get the same sort of error if I have '/' on the end of the path, but
> it works if I remove it.
> 
>> root at addc:~# cd
>> /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
>>
>> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> ls -l
>> total 24
>> -rwxrwx---+ 1 BUILTIN/administrators users   68 avril 15 09:52 GPT.INI
>> drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:53 Machine
>> drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:52 User
>>
>> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get . --as-sddl
>> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
>>
>> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get GPT.INI --as-sddl
>> O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)
>>
>> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get Machine/ --as-sddl
>> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No
>> such file or directory: 'Machine/'
>>     File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 279, in _run
>>       return self.run(*args, **kwargs)
>>              ^^^^^^^^^^^^^^^^^^^^^^^^^
>>     File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
>> 206, in run
>>       acl = getntacl(lp,
>>             ^^^^^^^^^^^^
>>     File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
>> in getntacl
>>       return smbd.get_nt_acl(file,
>>              ^^^^^^^^^^^^^^^^^^^^^
>>
>>
>> # AFTER samba-tool ntacl sysvolreset
>>
>> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get . --as-sddl
>> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>>
>> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get GPT.INI --as-sddl
>> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>>
> 
> They are want I expected and identical to a GPO on one of my DCs.
> 
>> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get Machine/ --as-sddl
>> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No
>> such file or directory: 'Machine/'
>>     File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 279, in _run
>>       return self.run(*args, **kwargs)
>>              ^^^^^^^^^^^^^^^^^^^^^^^^^
>>     File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
>> 206, in run
>>       acl = getntacl(lp,
>>             ^^^^^^^^^^^^
>>     File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
>> in getntacl
>>       return smbd.get_nt_acl(file,
>>              ^^^^^^^^^^^^^^^^^^^^^
> 
> Try that again but this time without the '/' on the end of 'Machine/'.
> 
> Rowland
> 
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI
- Dijon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More information about the samba mailing list