[Samba] ACL problem after sysvolreset (possible bug ?)

denis bonnenfant@sambaedu.org denis.bonnenfant at sambaedu.org
Wed Feb 26 17:57:13 UTC 2025


Hello,

Summary:

New GPOs are created from Windows with explicit rwx user and group ACLs
for "Domain Admins", which are inherited by every object created inside,
while sysvolreset changes this to user:group ownership, which is not
inheritable, and removes the ACLs for "Domain Admins".

Detail:

I'm facing a weird issue with sysvol ACLs on all my DCs running Samba
4.21: the problem appeared after the upgrade from 4.17 to 4.19, and is also
present on new servers provisioned directly with 4.21.

The context:

First, I'm not running Samba with rfc2307, and "Domain Admins" doesn't
have a gidNumber.

My smb.conf on the DCs is the default one from domain provision.


# wbinfo --uid-info=3000025
DIDEROT\domain admins:*:3000025:3000025::/home/DIDEROT/domain admins:/bin/false

# wbinfo --uid-to-sid=3000025
S-1-5-21-909356044-1599522197-445740120-512

This group is a member of

# wbinfo --uid-info=3000000
BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false

# wbinfo --uid-to-sid=3000000
S-1-5-32-544

The problem:

When creating a new GPO from the Windows GPO management tool with a user
who is a member of "Domain Admins", everything works as expected: the GPO can be
modified, elements added to it...

After running sysvolreset on the DC, the GPO is broken, as no new folders can be
created inside it.

ACL before sysvolreset:


# getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/
# owner: 3000000
# group: users
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000009:r-x
user:3000025:rwx
group::---
group:users:---
group:3000000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000009:r-x
group:3000025:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000000:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000009:r-x
default:user:3000025:rwx
default:group::---
default:group:users:---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000009:r-x
default:group:3000025:rwx
default:mask::rwx
default:other::---


Folders or files created inside the GPO inherit these ACLs, and everything
works.


ACLs after sysvolreset:

# getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon
# owner: 3000025
# group: 3000025
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

When creating a new folder inside it:

# getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/test
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/test
# owner: 3000000
# group: users
user::rwx
user:root:rwx            #effective:r-x
user:3000000:rwx        #effective:r-x
user:3000001:r-x
user:3000002:rwx        #effective:r-x
user:3000003:r-x
group::---
group:3000000:rwx        #effective:r-x
group:3000001:r-x
group:3000002:rwx        #effective:r-x
group:3000003:r-x
mask::r-x
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---


So creating new folders is broken after sysvolreset. Running
sysvolreset again allows creation of one level again.

Same problem using the Administrator account from Windows. So the only way
to modify an existing GPO is to create a new one and make all changes
before sysvolreset.


But when using smbclient, it is OK with Administrator:

smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2

smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2\test2

but not with admin (a member of "Domain Admins"):

smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
NT_STATUS_ACCESS_DENIED making remote directory \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\test2

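An added example, not code from the post or from Samba: a small Python model of POSIX.1e default-ACL inheritance and the acl(5) access check, run against condensed versions of the two getfacl listings above. It shows why the "Domain Admins" grant survives into a new subdirectory when it exists as a named default entry (before sysvolreset) but not when it exists only as the parent's owner and owning group (after sysvolreset), and why a 0755 creation mode clamps the inherited mask to r-x, which is the "#effective:r-x" seen on the new "test" directory. The Domain Admins member (uid 3000100, gids "users" and 3000025) and the creator (uid 3000000, group "users") are constructed assumptions, as is the 0777 creation mode; the model covers plain POSIX ACL semantics only, not anything Samba's VFS may apply afterwards from the NT security descriptor it stores in xattrs.

```python
"""Model of acl(5) default-ACL inheritance and access checking (added example)."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}
RWX = 7

# Condensed from the post's "before sysvolreset" listing (some entries dropped).
BEFORE = """\
# owner: 3000000
# group: users
user::rwx
user:3000025:rwx
group::---
group:3000025:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000025:rwx
default:group::---
default:group:3000025:rwx
default:mask::rwx
default:other::---
"""

# Condensed from the post's "after sysvolreset" listing: 3000025 is now only
# the owner / owning group, and has no named entry in the default ACL.
AFTER = """\
# owner: 3000025
# group: 3000025
user::rwx
user:3000000:rwx
group::rwx
group:3000000:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000000:rwx
default:group::---
default:group:3000000:rwx
default:mask::rwx
default:other::---
"""


def parse_getfacl(text):
    """Parse getfacl(1) output into (owner, group, access_acl, default_acl);
    each ACL is a list of (tag, qualifier, bits). '#effective' notes are ignored."""
    owner = group = None
    access, default = [], []
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            is_default = line.startswith("default:")
            if is_default:
                line = line[len("default:"):]
            tag, qualifier, perms = line.split(":")
            bits = sum(PERM_BITS[c] for c in perms if c in PERM_BITS)
            (default if is_default else access).append((tag, qualifier, bits))
    return owner, group, access, default


def inherit_access_acl(parent_default, mode):
    """Access ACL of a new object per the acl(5) creation rule: named entries are
    copied unchanged; user_obj, mask (or group_obj without a mask) and other are
    ANDed with the owner/group/other bits of the creation mode. Ownership itself
    is never inherited: the child belongs to the creating process."""
    has_mask = any(tag == "mask" for tag, _, _ in parent_default)
    child = []
    for tag, qualifier, bits in parent_default:
        if tag == "user" and qualifier == "":
            bits &= (mode >> 6) & 7
        elif tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
            bits &= (mode >> 3) & 7
        elif tag == "other":
            bits &= mode & 7
        child.append((tag, qualifier, bits))
    return child


def acl_permits(owner, group, acl, uid, gids, wanted):
    """acl(5) access-check algorithm for a process with uid and group set gids."""
    mask = next((b for t, _, b in acl if t == "mask"), RWX)

    def entry(tag, qualifier=""):
        return next((b for t, q, b in acl if t == tag and q == qualifier), 0)

    if uid == owner:                          # owner entry is not masked
        return entry("user") & wanted == wanted
    if any(t == "user" and q == uid for t, q, _ in acl):
        return entry("user", uid) & mask & wanted == wanted
    matched = False                           # owning group + named groups, masked
    for tag, qualifier, bits in acl:
        if tag == "group" and ((qualifier == "" and group in gids) or qualifier in gids):
            matched = True
            if bits & mask & wanted == wanted:
                return True
    return False if matched else entry("other") & wanted == wanted


def can_write(parent_listing, uid, gids, creator=("3000000", "users"), mode=0o777):
    """(write allowed on the parent, write allowed on a subdir created by `creator`)."""
    owner, group, access, default = parse_getfacl(parent_listing)
    on_parent = acl_permits(owner, group, access, uid, gids, RWX)
    child = inherit_access_acl(default, mode)
    on_child = acl_permits(creator[0], creator[1], child, uid, gids, RWX)
    return on_parent, on_child


if __name__ == "__main__":
    DA_MEMBER = ("3000100", {"users", "3000025"})  # constructed Domain Admins member
    print("before sysvolreset:", can_write(BEFORE, *DA_MEMBER))              # (True, True)
    print("after  sysvolreset:", can_write(AFTER, *DA_MEMBER))               # (True, False)
    print("before, mode 0755 :", can_write(BEFORE, *DA_MEMBER, mode=0o755))  # (True, False)
```

The second result is the post's symptom in miniature: on the reset directory the member still writes at one level through the owning group, but the child it creates carries no 3000025 entry at all, so the next level fails. The third result shows that even a named default entry is clamped by the mask when the directory is created with group bits of r-x, which is why checking the default mask matters as much as checking for the named entry.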