[Samba] ACL problem after sysvolreset (possible bug ?)

Rowland Penny rpenny at samba.org
Wed Feb 26 19:38:56 UTC 2025


On Wed, 26 Feb 2025 18:57:13 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> Summary :
> 
> New GPOs are created from Windows with explicit rwx user and group
> acls for "Domain Admins", which are inherited by every object
> created, while sysvolreset is changing this to user:group ownership,
> which is not inheritable, and removes the acls for "Domain Admins".
> 
> Detail :
> 
> I'm facing a weird issue with sysvol acls on all my DCs running samba
> 4.21: the problem appeared after upgrade from 4.17 to 4.19, and is
> also present on new servers provisioned directly with 4.21
> 
> the context :
> 
> First, I'm not running Samba with rfc2307, and "Domain Admins"
> doesn't have a gidNumber.
> 
> My smb.conf on DC is the default one from domain provision.
> 
> 
> # wbinfo --uid-info=3000025
> DIDEROT\domain admins:*:3000025:3000025::/home/DIDEROT/domain admins:/bin/false
> 
> # wbinfo --uid-to-sid=3000025
> S-1-5-21-909356044-1599522197-445740120-512
> 
> This group is a member of
> 
> # wbinfo --uid-info=3000000
> BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
> 
> # wbinfo --uid-to-sid=3000000
> S-1-5-32-544
> 
> The problem:
> 
> When creating a new GPO from the Windows GPO management tool with a user
> member of "Domain Admins", everything works as expected: the GPO can be
> modified, elements added in...
> 
> After running sysvolreset on the DC, the GPO is broken, as no new folders can
> be created inside.
> 
> ACL before sysvolreset:
> 
> 
> # getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/
> # owner: 3000000
> # group: users
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:3000006:rwx
> user:3000009:r-x
> user:3000025:rwx
> group::---
> group:users:---
> group:3000000:rwx
> group:3000002:rwx
> group:3000003:r-x
> group:3000006:rwx
> group:3000009:r-x
> group:3000025:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000006:rwx
> default:user:3000009:r-x
> default:user:3000025:rwx
> default:group::---
> default:group:users:---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000006:rwx
> default:group:3000009:r-x
> default:group:3000025:rwx
> default:mask::rwx
> default:other::---
> 
> 
> Created folders or files inside GPO inherit these acls, and
> everything works.
> 
> 
> ACLs after sysvolreset:
> 
> # getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon
> # owner: 3000025
> # group: 3000025
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 
> When creating a new folder inside:
> 
> # getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/test
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/test
> # owner: 3000000
> # group: users
> user::rwx
> user:root:rwx            #effective:r-x
> user:3000000:rwx        #effective:r-x
> user:3000001:r-x
> user:3000002:rwx        #effective:r-x
> user:3000003:r-x
> group::---
> group:3000000:rwx        #effective:r-x
> group:3000001:r-x
> group:3000002:rwx        #effective:r-x
> group:3000003:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 
> 
> So creating new folders is broken after sysvolreset. Running
> sysvolreset allows creation of one level again.
> 
> Same problem using the Administrator account from Windows. So the only
> way to modify an existing GPO is to create a new one and make all
> changes before sysvolreset.
> 
> 
> But when using smbclient, it is OK with Administrator:
> 
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
> 
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2\test2
> 
> But not with admin (member of "Domain Admins"):
> 
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
> NT_STATUS_ACCESS_DENIED making remote directory \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\test2
> 

There are three permissions in play here, the normal Unix 'ugo', the EA
you are reading with setfacl and a further one that is set with the
Windows permissions. Can you try to read the latter with:

samba-tool ntacl get <file> --as-sddl

Where '<file>' is the directory or file.

For example, on my DC, this:

sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl

Produces this:

O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)

Rowland
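For the getfacl listings quoted above, an added example (not code from the thread): it applies the POSIX ACL mask to the entries, which is what turns the rwx entries into the "#effective:r-x" of the 'test' folder, and lists the named entries present before sysvolreset but gone afterwards. The two listings it embeds are constructed, condensed from the post.

```python
# Added example, not code from the thread: parse getfacl output, apply the POSIX
# ACL mask (what getfacl hints at with "#effective:"), and list named entries
# that a listing had before sysvolreset but not after. Listings are constructed.

def parse_acl(text):
    """{'access': [(tag, qualifier, perms)], 'default': [...]}."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.split("#")[0].strip()  # drop '# owner:' / '#effective:' text
        if not line:
            continue
        kind = "access"
        if line.startswith("default:"):
            kind, line = "default", line[len("default:"):]
        tag, qual, perms = line.split(":")
        acl[kind].append((tag, qual, perms))
    return acl

def effective_rights(acl_text):
    """'tag:qualifier' -> effective perms of the access ACL: named users, named
    groups and the owning group are ANDed with the mask; owner/mask/other are not."""
    entries = parse_acl(acl_text)["access"]
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    out = {}
    for tag, qual, perms in entries:
        masked = tag == "group" or (tag == "user" and qual != "")
        eff = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        out[f"{tag}:{qual}"] = eff if masked else perms
    return out

def lost_named_entries(before_text, after_text):
    """Qualifiers (uids/gids) with a named access entry before but not after."""
    named = lambda text: {q for _, q, _ in parse_acl(text)["access"] if q}
    return named(before_text) - named(after_text)

# Before sysvolreset: Domain Admins (uid/gid 3000025 in the post) has rwx.
BEFORE = """\
user::rwx
user:3000025:rwx
group:3000025:rwx
mask::rwx
"""
# 'test' folder created after sysvolreset: mask::r-x clips every rwx entry.
AFTER_TEST = """\
user::rwx
user:root:rwx            #effective:r-x
user:3000000:rwx        #effective:r-x
group:3000000:rwx        #effective:r-x
mask::r-x
"""
```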

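To read the SDDL that `samba-tool ntacl get <file> --as-sddl` prints, here is an added Python example, not code from the thread or from samba-tool. The SID and rights alias tables it embeds are a subset of the SDDL ones; the ACE type and flag names and the FILE_ADD_SUBDIRECTORY bit are the Windows definitions.

```python
# Added example, not code from the thread or from samba-tool: decode the SDDL that
# `samba-tool ntacl get <file> --as-sddl` prints, so the NT ACL layer can be read
# next to the POSIX ACL. Alias tables below are a subset of the SDDL spec.
import re

SID_ALIASES = {"LA": "Local Administrator", "BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
               "SO": "BUILTIN\\Server Operators", "SY": "NT AUTHORITY\\SYSTEM", "AU": "Authenticated Users"}
RIGHT_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
FILE_ADD_SUBDIRECTORY = 0x4  # the right a mkdir inside a directory needs

def rights_mask(text):
    """'FA' -> 0x1F01FF, '0x1200a9' -> 0x1200A9 (FILE_GENERIC_READ|EXECUTE)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):  # concatenated two-letter aliases, e.g. 'FRFW'
        mask |= RIGHT_ALIASES[text[i:i + 2]]
    return mask

def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)(ace)..' into owner, group, DACL flags, ACEs."""
    m = re.fullmatch(r"O:(\S+?)G:(\S+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: " + sddl)
    owner, group, flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        typ, ace_flags, rights, _obj, _inh_obj, sid = ace.split(";")
        aces.append({"type": {"A": "allow", "D": "deny"}.get(typ, typ),
                     "flags": re.findall(r"OI|CI|IO|ID|NP", ace_flags),
                     "rights": rights_mask(rights), "sid": sid,
                     "who": SID_ALIASES.get(sid, sid)})
    return {"owner": owner, "group": group,
            "dacl_flags": re.findall(r"P|AI|AR", flags), "aces": aces}

def can_create_subdirs(parsed):
    """SIDs with an allow ACE granting FILE_ADD_SUBDIRECTORY (deny ACEs ignored)."""
    return {a["sid"] for a in parsed["aces"]
            if a["type"] == "allow" and a["rights"] & FILE_ADD_SUBDIRECTORY}

# The string Rowland pasted for /var/lib/samba/sysvol on his DC.
SAMPLE = ("O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)"
          "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)")

if __name__ == "__main__":
    p = parse_sddl(SAMPLE)
    print("owner", p["owner"], "group", p["group"], "flags", p["dacl_flags"])
    for a in p["aces"]:  # 'P' means inheritance from the parent is blocked
        print(f"  {a['type']:<5} {a['who']:<26} {a['rights']:#010x} {''.join(a['flags'])}")
    print("can mkdir:", sorted(can_create_subdirs(p)))
```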


